A TEE contract needs one map before it can run: secrets, holding the API key. Create it with the TenantClient. The tail is the per-map local name; the host stores it as z:<tid>:<tail>.
await tenant.maps.create({
  tail: "secrets",
  visibility: "private",
  writers: { only: [contractId] },
  readers: { only: [contractId] },  // REQUIRED — the kv-governor denies reads when omitted
});
readers must be set explicitly: the KV governor defaults to deny, so leaving it off makes the contract's own secret read fail with AccessDenied.

MapAlreadyExists is treated as idempotent, so the create call is safe to re-run when re-deploying.

Map visibility quick reference:
  • "private" — only your contracts can access this map (default, use it for everything sensitive).
  • "public" — world-readable via /api/dev/public-kv/<tid>/<tail>. Map tail must start with public:. Never put PII in a public map.
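
The rules above can be checked before deployment. The following is an added example, not code from this page or from the TenantClient SDK: lintMapSpec and hostKey are hypothetical helpers, the sample IDs are constructed, and the readers check assumes the { only: [...] } shape shown in the snippet above.

```javascript
// Added example: lintMapSpec and hostKey are hypothetical helpers, not TenantClient APIs.
// They encode only the rules stated on this page.

// The host stores each map as z:<tid>:<tail>.
function hostKey(tenantId, tail) {
  return `z:${tenantId}:${tail}`;
}

// Returns a list of { code, message } findings; an empty list means the spec passes.
function lintMapSpec(spec, contractId) {
  const findings = [];
  const add = (code, message) => findings.push({ code, message });
  const visibility = spec.visibility ?? "private"; // "private" is the documented default

  if (typeof spec.tail !== "string" || spec.tail.length === 0) {
    add("TAIL_MISSING", "tail (the per-map local name) is required");
  }
  if (visibility !== "private" && visibility !== "public") {
    add("VISIBILITY_UNKNOWN", `unknown visibility: ${visibility}`);
  }
  if (visibility === "public") {
    if (!String(spec.tail ?? "").startsWith("public:")) {
      add("PUBLIC_TAIL_PREFIX", 'public map tail must start with "public:"');
    }
    add("PUBLIC_WORLD_READABLE", "map is world-readable; it must not hold secrets or PII");
  }
  // The KV governor defaults to deny: omitted readers means the contract's own read fails.
  if (spec.readers == null) {
    add("READERS_MISSING", "readers omitted; reads will fail with AccessDenied");
  } else if (!Array.isArray(spec.readers.only) || !spec.readers.only.includes(contractId)) {
    // Assumption: readers uses the { only: [...] } shape shown on the page.
    add("READERS_EXCLUDE_CONTRACT", "contract is not listed in readers.only");
  }
  return findings;
}

// Constructed sample specs (contract and tenant IDs are placeholders).
const contractId = "contract-123";
const good = { tail: "secrets", visibility: "private",
  writers: { only: [contractId] }, readers: { only: [contractId] } };
const noReaders = { tail: "secrets", visibility: "private", writers: { only: [contractId] } };
const badPublic = { tail: "prices", visibility: "public", readers: { only: [contractId] } };

for (const spec of [good, noReaders, badPublic]) {
  console.log(hostKey("tenant-1", spec.tail), lintMapSpec(spec, contractId).map((f) => f.code));
}
```

Running the lint in CI against every map spec catches the omitted-readers case before the contract hits AccessDenied at runtime.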