Secrets allow your app to securely access API keys and sensitive values. Users provide their own secrets which are encrypted and injected at runtime.
Declaring Secrets
Define required secrets in inf.yml:
```yaml
secrets:
  - key: API_KEY
    description: Your API key for the external service
    optional: false

  - key: WEBHOOK_SECRET
    description: Optional webhook signing secret
    optional: true
```
Properties
| Property | Type | Description |
|---|---|---|
| key | string | Environment variable name |
| description | string | Shown to users |
| optional | boolean | If false, app won't run without it |
Accessing Secrets
Secrets are injected as environment variables:
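```python
import os

# BaseApp is the app base class; its import is not shown on this page.
class App(BaseApp):
    async def setup(self, config):
        # Required secret (optional: false in inf.yml)
        self.api_key = os.environ.get("API_KEY")

        # Optional secret: None when the user has not provided it
        self.webhook_secret = os.environ.get("WEBHOOK_SECRET")
```
Common Patterns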
External API Access
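```yaml
secrets:
  - key: OPENAI_API_KEY
    description: OpenAI API key for GPT models
    optional: false
```
```python
import os

from openai import OpenAI

# BaseApp is the app base class; its import is not shown on this page.
class App(BaseApp):
    async def setup(self, config):
        # Read the key from the injected environment variable
        self.client = OpenAI(api_key=os.environ.get("OPENAI_API_KEY"))
```
HuggingFace Token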
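```yaml
secrets:
  - key: HF_TOKEN
    description: HuggingFace token for gated models
    optional: false
```
```python
import os

from huggingface_hub import snapshot_download

# BaseApp is the app base class; its import is not shown on this page.
class App(BaseApp):
    async def setup(self, config):
        # The token authorizes the download of the gated model
        self.model_path = snapshot_download(
            repo_id="meta-llama/Llama-2-7b",
            token=os.environ.get("HF_TOKEN"),
        )
```
Best Practices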
- Clear descriptions - help users understand what each secret is for
- Mark optional correctly - only if the app truly works without it
- Don't log secrets - never print or log secret values
- Validate early - check in `setup()` and fail fast
- Use specific names - `OPENAI_API_KEY` is better than `API_KEY`
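The "validate early" and "don't log secrets" practices combined, as an added example that is not part of the original page or the platform's SDK. The names `load_secrets`, `MissingSecretError`, `RedactSecrets` and `redacted` are hypothetical, and the key value is constructed; call `load_secrets()` at the top of `setup()`.

```python
import logging
import os

REQUIRED = ("API_KEY",)  # declared with optional: false in inf.yml
OPTIONAL = ("WEBHOOK_SECRET",)  # declared with optional: true in inf.yml


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent or empty."""


def load_secrets(env=os.environ, required=REQUIRED, optional=OPTIONAL):
    """Return {name: value}; the error names missing keys, never values."""
    missing = [k for k in required if not env.get(k, "").strip()]
    if missing:
        raise MissingSecretError("missing required secrets: " + ", ".join(missing))
    secrets = {k: env[k] for k in required}
    # An empty optional secret is treated as not provided
    secrets.update({k: env[k] for k in optional if env.get(k, "").strip()})
    return secrets


class RedactSecrets(logging.Filter):
    """Replace any loaded secret value in a log record with a placeholder."""

    def __init__(self, secrets):
        super().__init__()
        self._values = [v for v in secrets.values() if v]

    def filter(self, record):
        msg = record.getMessage()  # message with its arguments merged in
        for value in self._values:
            msg = msg.replace(value, "[REDACTED]")
        record.msg, record.args = msg, None
        return True


def redacted(message, secrets):
    """Run a single message through the filter and return the result."""
    record = logging.LogRecord("app", logging.INFO, "demo.py", 0, message, None, None)
    RedactSecrets(secrets).filter(record)
    return record.getMessage()


if __name__ == "__main__":
    env = {"API_KEY": "sk-constructed-123"}  # constructed sample value
    secrets = load_secrets(env)
    print(redacted("request sent with key sk-constructed-123", secrets))
```

Attach `RedactSecrets` to each logging handler rather than to a single logger, so records propagated from library loggers pass through it too. Exception tracebacks are formatted after filters run, so the filter is a backstop and not a substitute for keeping secret values out of log calls.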