Fix
Fix: Cursor Cloud Agent Can't Access Secrets
Cloud agents read secrets from the Secrets tab on cursor.com, not from environment.json. When an agent can't access them, the usual causes are a stale environment VM that predates the secret, a scoping mismatch, or a Build Secret type that never reaches the running agent. Update the environment and re-run to fix it.
On this page
Why can't my cloud agent access secrets?
You added an API key on the dashboard, started a cloud agent, and the run fails anyway: the test suite wants DATABASE_URL, the agent says the variable is unset, or printenv in the shared terminal comes back empty. This is one of the most-reported cloud agent problems on Cursor's forum, and nearly every case traces to one of five causes.
- The environment VM predates the secret. Secrets added after an environment was set up don't reach existing machines until you update or recreate the environment.
- The scope doesn't cover this run. Environment-scoped secrets apply only to agents using that environment, and a secret's repository setting can exclude the repo you launched against.
- Wrong secret type. A Build Secret is only available to the Docker build; the running agent never sees it. A Runtime Secret works but shows as
[REDACTED]in the transcript, which looks like a failure and isn't. - You're checking at the wrong moment. Secrets that don't appear during the setup wizard can still be present once a real agent run starts.
- A bug window. In June 2026, automation-launched agents in multi-repo environments received no secrets at all while manual and API launches got them.
Forum threads from 2025 titled "background agents can't read secrets" describe the same surface. Background agent was the earlier name for what Cursor now calls a cloud agent, so the old threads are still useful when you're searching for your exact symptom.
This is covered hands-on in Troubleshooting and Operating Cursor Reliably — 7 short modules, free to read.
Where are cloud agent secrets configured?
All of them live in the Secrets tab of the Cloud AgentsAgents that run in a Cursor-managed virtual machine, check out the repo, do the work and open a pull request, then shut down, with no load on your laptop. Press Enter for the full definition. dashboard on cursor.com, where they're exposed to the agent as environment variables. None of them live in .cursor/environment.json: Cursor's published schema for that file has no secrets field, so a key pasted there is just a plaintext leak in your repo. The environment.json reference covers what the file actually holds.
What the agent can read depends on the type you assign each secret. Cursor documents three, and picking the wrong one is the quietest way to lose a credential.
- Type
- Environment Variable
- Who can read it
- The agent, in full. Fine for flags and public URLs.
- When it exists
- Loaded as an env var for the whole run.
- Type
- Runtime Secret
- Who can read it
- Processes can read it; the model can't. Values are replaced with
[REDACTED]in tool results, the transcript, commits and commit messages. Still visible to humans in the shared terminal. - When it exists
- Loaded as an env var for the whole run.
- Type
- Build Secret
- Who can read it
- Only the Docker build, via a secret mount. Never exposed to the running agent.
- When it exists
- Docker image build only.
| Type | Who can read it | When it exists |
|---|---|---|
| Environment Variable | The agent, in full. Fine for flags and public URLs. | Loaded as an env var for the whole run. |
| Runtime Secret | Processes can read it; the model can't. Values are replaced with [REDACTED] in tool results, the transcript, commits and commit messages. Still visible to humans in the shared terminal. | Loaded as an env var for the whole run. |
| Build Secret | Only the Docker build, via a secret mount. Never exposed to the running agent. | Docker image build only. |
All three are encrypted at rest and in transit, and are not visible to anyone other than the cloud agent user.
Scope is the second axis. The setup docs describe user secrets, team secrets and environment-scoped secrets; the kv below maps where each applies.
- User secret
- Follows your account across your agent runs.
- Team secret
- Shared with the team's cloud agents.
- Environment-scoped
- Available only to agents using that one environment; applies to every repo in it and to no other environment.
- Repository setting
- Cursor staff on the forum point to a secret's 'Apply to' repository setting when a correctly-typed secret still doesn't arrive.
When can the agent actually read a secret?
Timing causes more confusion here than configuration does. Cursor staff confirmed on the forum that secrets often don't appear inside the terminal during the environment setup wizard, and that this is expected: they arrive once setup finishes and a real run starts. So a bare printenv during setup proves nothing.
The lifecycle differs by type. Build Secrets exist only while the Docker image builds, then vanish. Environment Variables and Runtime Secrets are injected for the run itself, which means your install and start commands and the agent's own shell all see them. The one thing a Runtime Secret never does is appear as text in the model's context; the process reads the real value while the transcript shows the placeholder.
A long-running forum thread (February to July 2026) converged on one root cause: environments built before a secret existed keep running without it, and nothing notifies you that a refresh is needed. The fix that closed the thread was updating or recreating the environment from the dashboard so the new machine picks the secret up.
How do I fix it?
Work the ladder from cheapest to most drastic. Most cases resolve at step three, and each earlier step rules out a cause that would make the later ones pointless.
- 1Check the type. If the credential is needed at runtime, it must be an Environment Variable or Runtime Secret. A Build Secret will never reach the agent, by design.
- 2Check the scope. Confirm the secret's repository setting covers the repo you're launching against, and that an environment-scoped secret belongs to the environment this agent actually uses.
- 3Update the environment. In the Environments view, run Update with Agent or New Setup Run so a fresh VM is built with the current secrets. Machines created before the secret won't have it.
- 4Verify in a real run, not the wizard. Start an agent and have it test for the variable; wizard-phase terminals are documented as unreliable for this.
- 5If an automation launched the agent into a multi-repo environment, try the same task as a manual or API launch. That was the staff-confirmed workaround for the June 2026 injection bug, which the thread reports resolved by mid-July.
How do I verify the agent can read a secret?
Prove presence without printing the value. Ask the agent to run a shell test that reports whether the variable is set and non-empty, which works for every type the running agent can see.
test -n "$STRIPE_API_KEY" && echo "STRIPE_API_KEY: present" || echo "STRIPE_API_KEY: missing"
For a Runtime Secret, expect the transcript to show [REDACTED] anywhere the raw value would appear. That is the redaction working. If you need to eyeball the actual value, the shared terminal shows it to you, since redaction applies to the model's view, not the human one.
A February 2026 forum report showed the redaction placeholder being written back into code: when a redacted value also appeared in the repo, the agent saw [REDACTED] in file contents and committed it. Cursor shipped a fix in early March, and the guidance from the thread still holds: reserve Runtime Secret for real credentials, and keep values like AWS_DEFAULT_REGION as plain Environment Variables.
Frequently asked questions
Can I put secrets in .cursor/environment.json?
No. The file's published schema has no secrets field, and anything you paste into it is committed plaintext. Secrets belong in the Secrets tab of the Cloud Agents dashboard, which encrypts them and exposes them to agents as environment variables.
Why does my cloud agent show [REDACTED] instead of a value?
The secret is typed as a Runtime Secret. The process reads the real value, but Cursor replaces it with [REDACTED] in tool results, the transcript, commits and commit messages so the model never sees it. It is not an error.
Are secrets available during the Docker build?
Only Build Secrets are, via a Docker secret mount, and they are not exposed to the running agent afterwards. Environment Variables and Runtime Secrets are injected for the run itself, so install and start commands can read them.
I added a secret but the agent still can't see it. What's the one step people miss?
Refreshing the environment. Machines built before the secret existed keep running without it, so run Update with Agent or New Setup Run from the Environments view and then start a fresh agent.
Sources & last verified
- Cursor Docs - Cloud Agent Setup: secrets
- Cursor Docs - Security & Network: secret protection
- Cursor Docs - Cloud Agent Settings
- Cursor Forum - Env vars not available in cloud agent's terminal
- Cursor Forum - Cloud is redacting env var values found in code
- Cursor Forum - Automation-launched agents get no secrets (multi-repo)
Cursor ships frequently. Facts verified against primary sources on July 16, 2026.