Use the secrets dashboard in your Baseten workspace to store sensitive data like access tokens, API keys, and passwords.

Every secret is a key-value pair with a “name” and “token.” Tokens can be multiple lines, which is useful for secrets like SSH and PGP keys. Note that for the secret “name”, all non-alphanumeric characters will be treated the same (i.e. "hf_access_token" and "hf-access-token" will map to the same underlying secret). This means that, if an existing secret with name `“hf_access_token” exists, attempting to create a secret with name “hf-access-token” will overwrite the existing key.

Adding, updating, and deleting secrets immediately affects all models that use said secrets.

Deploying models with secrets

When you deploy a model, use the --trusted flag to give it access to secrets in your Baseten workspace:

truss push --trusted

Using secrets in Truss

In your Truss, add the secret name in config.yaml but set the value to null:

config.yaml
...
secrets:
  hf_access_token: null
...

Never set the actual value of the secret in config.yaml or any other file that gets committed to your codebase.

Then, access the secret from the secrets keyword argument in your model.py initialization:

model/model.py
def __init__(self, **kwargs):
    self._secrets = kwargs["secrets"]

You can then use the self._secrets dictionary in the load and predict functions:

model/model.py
def load(self):
    self._model = pipeline(
        "fill-mask",
        model="baseten/docs-example-gated-model",
        use_auth_token=self._secrets["hf_access_token"]
    )
Best practices for API keysTracing