Is there any way to handle secrets in the agent code so they are not visible, e.g. API keys etc.?
Not visible to who? Agent code need only be visible in impCentral to folks with login access to your Electric Imp account, including collaborators, but anything that’s baked in or injected by a tool like Builder on a local machine before being uploaded will be visible to them in the code in impCentral.
You can try environment vars for some separation but again that’s visible to folks with access to your impCentral account, but not in the code itself. This also makes it easier to keep secrets from slipping into public repos, though, as does the Builder route.
For a production app, you might alternatively store the (encrypted) secrets in the imp Spiflash, read them back at runtime and pass them to the agent for decrypting and usage. That way they don’t have to appear in code at all, but there’s the extra set-up of course.
The agent local storage (server.save in the agent) is intended to be used for things like per-agent tokens. You can provision these via an API you offer from the agent, then use them (and refresh them, etc.) as appropriate.
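
A sketch of the provisioning approach described in the last reply, as an added example that is not code from the thread or from Electric Imp: the agent exposes an endpoint that accepts a per-agent token, persists it with server.save, and reloads it with server.load after a restart. The `/provision` path, the `x-provision-token` header, the `apiToken` key, the 16-character minimum, and the policy of accepting the first token unauthenticated (relying on the agent URL not being known to anyone else yet) are all assumptions made for illustration.

```squirrel
// Added example (agent code). Path, header and key names are hypothetical.
const PROVISION_PATH = "/provision";
const AUTH_HEADER    = "x-provision-token";  // request header keys arrive lower-case
const MIN_TOKEN_LEN  = 16;                   // assumed minimum, adjust to your token format

// server.load() returns the table last written with server.save(),
// or an empty table if nothing has been saved for this agent yet.
local store = server.load();

function currentToken() {
    return ("apiToken" in store) ? store.apiToken : null;
}

http.onrequest(function(request, response) {
    try {
        if (request.method != "POST" || request.path != PROVISION_PATH) {
            response.send(404, "Not found");
            return;
        }

        // Once a token exists, replacing it requires presenting the current one.
        local existing = currentToken();
        if (existing != null) {
            local presented = (AUTH_HEADER in request.headers) ? request.headers[AUTH_HEADER] : null;
            if (presented != existing) {
                response.send(401, "Unauthorized");
                return;
            }
        }

        local body = http.jsondecode(request.body);
        if (typeof body != "table" || !("token" in body) ||
            typeof body.token != "string" || body.token.len() < MIN_TOKEN_LEN) {
            response.send(400, "Bad request");
            return;
        }

        // Persist the token; it never appears in the source in impCentral.
        store.apiToken <- body.token;
        if (server.save(store) != 0) throw "server.save failed";

        // Log the event, never the token value itself.
        server.log("Token provisioned (" + body.token.len() + " chars)");
        response.send(200, "OK");
    } catch (err) {
        server.error("Provisioning error: " + err);
        response.send(500, "Error");
    }
});
```

Elsewhere in the agent, call `currentToken()` when building outbound requests and treat a `null` result as "not yet provisioned".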