Factory credentials
Factory keeps two kinds of secrets on the agent's behalf, both held by the Factory control-plane — they are never exposed to the browser and never baked into sandbox images.
Agent credentials
Agent credentials authenticate the agent runtime itself — model provider keys and similar. Each credential has a name and a provider; the Factory settings page lists them with their creation time so you can audit what a sandbox can reach.
Source credentials
Source credentials authenticate against external git hosts for repos that mirror an upstream (for example a GitHub or Assembla origin). When a project has a source link, sessions use the matching source credential to sync with the upstream — pulls and pushes to the mirror happen inside the control-plane, not in your browser.
Provisioning
Credentials are provisioned by the Factory control-plane. The Spaces UI lists them read-only today; adding or rotating a credential happens through the control-plane, and the settings pages state that explicitly instead of offering an action that can't complete. On deployments without a configured control-plane, the credential pages report the feature as unavailable.
Scoping
A session only ever receives the credentials its project needs: the agent credential for its runtime and, if the repo mirrors an upstream, that repo's source credential. Sandboxes are torn down when the session ends; nothing persists in the image.