> ## Documentation Index
> Fetch the complete documentation index at: https://docs.siftd.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets

## Managing Secrets

Secrets are managed at the workspace level:

1. Click **Secrets** in the sidebar.
2. Click **Add Secret**.
3. Enter a descriptive name (e.g., `DATADOG_API_KEY`).
4. Select the secret storage type.
5. Enter the secret value.

## Secret Storage

By default, secrets are stored in the SPIN backend. Values are encrypted at rest, and access is controlled via RBAC.

In [the API](/api-reference/endpoint/create-secret), the default `store_type` is `spin_store`.

### Providing Secrets via Runtime Environment

Secret values can also be provided to the runtime through environment variables. This approach ensures secrets are not stored in the SPIN backend and are not accessible via the API.

```bash theme={null}
docker run -e MY_SECRET=my-secret-value ...
```

When creating secrets via [the API](/api-reference/endpoint/create-secret), set `store_type` to `runtime_env` to store the secret in the runtime environment. Provide the environment variable name in the `store_ref` field.

### Environment Files

You can also provide secrets using environment files. (Add details here if needed.)

## Using Secrets

Secrets can be accessed when executing notebook cells.

### Python

In Python, use the `SpinSecrets.get_secret` function to retrieve a secret value:

```python theme={null}
secret_value = SpinSecrets.get_secret("MY_SECRET")
```

### Template Substitution

You can use the `{{secret:<secret-name>}}` and `{{secret_var:<var_name>}}` syntax to substitute secret values in any string. This is useful for non-Python cells like Shell, REST, and tool specific cells that take text parameters.

#### Static Secret Reference

Use `{{secret:SECRET_NAME}}` when the secret name is static:

```bash theme={null}
curl -H "Authorization: Bearer {{secret:API_KEY}}" https://api.example.com/data
```

This expands to `SpinSecrets.get_secret('API_KEY')` at runtime.

#### Dynamic Secret Reference

Use `{{secret_var:variable_name}}` when the secret name is stored in a variable (e.g., selected from a form dropdown):

```bash theme={null}
curl -H "Authorization: Bearer {{secret_var:secret_name_var}}" https://api.example.com/data
```

This expands to `SpinSecrets.get_secret(secret_name_var)` at runtime, where `secret_name_var` is a Python variable containing the secret name.

#### Example: Form-Based Secret Selection

This pattern is useful when you want users to choose which credential to use at runtime.

**Cell 1 (Form):** Let user select a secret

```python theme={null}
secret_name_var = SpinForms.secrets(
    id="secret_name_var",
    label="API Key",
    description="Select which API key to use"
)
```

**Cell 2 (Shell):** Use the selected secret

```bash theme={null}
# Use secret_var because the secret name comes from a variable
curl -H "Authorization: Bearer {{secret_var:secret_name_var}}" https://api.example.com/data
```

See [Form Cells - Secrets](./notebooks/form-cells#secrets) for more information on the secrets form input.

### Connections

When creating connections, use the `{{secret:<secret-name>}}` syntax to substitute secret values in the connection configuration. Credentials in connections require you to create or select a secret.
