All API keys and secrets in MIRA are encrypted using Electron’s safeStorage API and stored in credentials.json inside MIRA’s application data directory. They are never written in plain text to mira.db or any config file. safeStorage uses OS-provided encryption under the hood (macOS Keychain Services, Windows DPAPI, Linux libsecret) but the data itself lives in credentials.json, not in the OS keychain UI apps.
All secrets are stored in your OS keychain — never on disk. MIRA uses keytar to store credentials in macOS Keychain, Windows Credential Manager, or libsecret on Linux. They are never written to mira.db, log files, or any config file. The renderer process never holds secret values after the save call completes.

How credentials are stored

| Credential type | Where configured | How stored |
|---|---|---|
| AWS Access Key / Secret / Session Token | Settings → Bedrock / AWS tab | Encrypted blob in credentials.json |
| OpenAI API key (OPENAI_API_KEY) | Settings → API Tokens tab | Encrypted token entry in credentials.json, injected as env var |
| Anthropic API key (ANTHROPIC_API_KEY) | Settings → API Tokens tab | Encrypted token entry in credentials.json, injected as env var |
| Ollama Base URL (OLLAMA_BASE_URL) | Settings → API Tokens tab (optional) | Encrypted token entry in credentials.json, injected as env var |
| MCP server environment variables | Settings → MCP Servers tab | Encrypted per-token entry in credentials.json |

Finding credentials.json

credentials.json lives in the Electron userData directory:
  • macOS: ~/Library/Application Support/mira/credentials.json
  • Windows: %APPDATA%\mira\credentials.json
  • Linux: ~/.config/mira/credentials.json
The file contains encrypted blobs. You cannot read secret values directly from the file — they can only be decrypted by the same OS account and machine that encrypted them.

Viewing stored API tokens

MIRA shows token labels, env var names, and when they were added in the API Tokens settings tab. Secret values are never displayed after saving.

Adding a token

  1. Press ⌘, → API Tokens tab → click Add token (or Add your first token).
  2. Fill in a Label (e.g. OpenAI API Key), Env var (e.g. OPENAI_API_KEY), and Value.
  3. Click Save. The engine picks up the new env var automatically on next start.

Rotating a token

  1. Press ⌘, → API Tokens tab.
  2. Click the trash icon next to the existing token to delete it.
  3. Click Add token and add the new value.
  4. The engine will use the new value on next restart.

Removing a token

  1. Press ⌘, → API Tokens tab.
  2. Click the trash icon next to the token. It is deleted immediately from credentials.json.

AWS credentials

AWS credentials (Access Key ID, Secret, Session Token, Region) are managed separately in the Bedrock / AWS tab — not in API Tokens. Use the Test Connection button to verify them before saving.

What MIRA does NOT store

  • Conversation content
  • Document content
  • Eval run outputs
  • Your name or email
All of the above stays in mira.db on your local machine only.

Auditing outbound network calls

MIRA makes network calls only to:
  • The LLM provider APIs you have configured (OpenAI, Anthropic, AWS Bedrock)
  • Ollama at http://localhost:11434 (local, no egress)
  • MCP SSE servers you have added
No telemetry, crash reporting, or analytics data is sent anywhere. See Privacy & Data for the full outbound call list.