Skip to main content

Managing Secrets

Secrets are managed at the workspace level:
  1. Click Secrets in the sidebar.
  2. Click Add Secret.
  3. Enter a descriptive name (e.g., DATADOG_API_KEY).
  4. Select the secret storage type.
  5. Enter the secret value.

Secret Storage

By default, secrets are stored in the SPIN backend. Values are encrypted at rest, and access is controlled via RBAC. In the API, the default store_type is spin_store.

Providing Secrets via Runtime Environment

Secret values can also be provided to the runtime through environment variables. This approach ensures secrets are not stored in the SPIN backend and are not accessible via the API. 
docker run -e MY_SECRET=my-secret-value ...
When creating secrets via the API, set store_type to runtime_env to store the secret in the runtime environment. Provide the environment variable name in the store_ref field.

Environment Files

You can also provide secrets using environment files. (Add details here if needed.)

Using Secrets

Secrets can be accessed when executing notebook cells.

Python

In Python, use the SpinSecrets.get_secret function to retrieve a secret value: 
secret_value = SpinSecrets.get_secret("MY_SECRET")

Template Substitution

You can use the {{secret:<secret-name>}} and {{secret_var:<var_name>}} syntax to substitute secret values in any string. This is useful for non-Python cells like Shell, REST, and tool specific cells that take text parameters.

Static Secret Reference

Use {{secret:SECRET_NAME}} when the secret name is static: 
curl -H "Authorization: Bearer {{secret:API_KEY}}" https://api.example.com/data
This expands to SpinSecrets.get_secret('API_KEY') at runtime.

Dynamic Secret Reference

Use {{secret_var:variable_name}} when the secret name is stored in a variable (e.g., selected from a form dropdown): 
curl -H "Authorization: Bearer {{secret_var:secret_name_var}}" https://api.example.com/data
This expands to SpinSecrets.get_secret(secret_name_var) at runtime, where secret_name_var is a Python variable containing the secret name.

Example: Form-Based Secret Selection

This pattern is useful when you want users to choose which credential to use at runtime. Cell 1 (Form): Let user select a secret 
secret_name_var = SpinForms.secrets(
    id="secret_name_var",
    label="API Key",
    description="Select which API key to use"
)
Cell 2 (Shell): Use the selected secret 
# Use secret_var because the secret name comes from a variable
curl -H "Authorization: Bearer {{secret_var:secret_name_var}}" https://api.example.com/data
See Form Cells - Secrets for more information on the secrets form input.

Connections

When creating connections, use the {{secret:<secret-name>}} syntax to substitute secret values in the connection configuration. Credentials in connections require you to create or select a secret.