Last month a customer came to us confused about why their credentials kept leaking between services in their OSC stack. They had put an API key into the parameter store, wired up three service instances, and couldn't figure out why a service that had no business seeing those credentials could read them anyway. The confusion is understandable. The parameter store UI looks a lot like a .env file. But it isn't one — and that mental model leads directly to the mistake this customer made. Here's how the two secret mechanisms in OSC actually work, why they're different, and how to pick the right one. The parameter store: workspace-wide config with an encryption option The parameter store in OSC (backed by app-config-svc, which uses Valkey under the hood) is a key-value store for environment variables that get passed to your service instances and MyApp deployments. You add keys in the UI, and they show up as env vars at runtime. The critical word is shared .…