Inference Logoinference.sh

Secrets

Secrets allow your app to securely access API keys and sensitive values. Users provide their own secrets which are encrypted and injected at runtime.

Declaring Secrets

Define required secrets in inf.yml:

yaml
1secrets:2  - key: API_KEY3    description: Your API key for the external service4    optional: false56  - key: WEBHOOK_SECRET7    description: Optional webhook signing secret8    optional: true

Properties

PropertyTypeDescription
keystringEnvironment variable name
descriptionstringShown to users
optionalbooleanIf false, app won't run without it

Accessing Secrets

Secrets are injected as environment variables:

1import os23class App(BaseApp):4    async def setup(self, config):5        self.api_key = os.environ.get("API_KEY")6        self.webhook_secret = os.environ.get("WEBHOOK_SECRET")

Common Patterns

External API Access

yaml
1secrets:2  - key: OPENAI_API_KEY3    description: OpenAI API key for GPT models4    optional: false
1from openai import OpenAI23class App(BaseApp):4    async def setup(self, config):5        self.client = OpenAI(api_key=os.environ.get("OPENAI_API_KEY"))

HuggingFace Token

yaml
1secrets:2  - key: HF_TOKEN3    description: HuggingFace token for gated models4    optional: false
python
1from huggingface_hub import snapshot_download23self.model_path = snapshot_download(4    repo_id="meta-llama/Llama-2-7b",5    token=os.environ.get("HF_TOKEN")6)

Managing Secrets via CLI

Users can manage their secrets using the CLI:

bash
1# List all secrets2infsh secrets list34# Set a secret (creates or updates)5infsh secrets set OPENAI_API_KEY sk-your-key-here67# Set with description8infsh secrets set OPENAI_API_KEY sk-your-key-here -d "For GPT-4 calls"910# Get a secret (shows masked value)11infsh secrets get OPENAI_API_KEY1213# Delete a secret14infsh secrets delete OPENAI_API_KEY

Best Practices

  1. Clear descriptions - help users understand what each secret is for
  2. Mark optional correctly - only if the app truly works without it
  3. Don't log secrets - never print or log secret values
  4. Validate early - check in setup() and fail fast
  5. Use specific names - OPENAI_API_KEY is better than API_KEY

Next

Integrations - OAuth service connections

previousconfigurationnextintegrations

we use cookies

we use cookies to ensure you get the best experience on our website. for more information on how we use cookies, please see our cookie policy.

by clicking "accept", you agree to our use of cookies.
learn more.