Skip to main content
Truss manages API keys, access tokens, passwords, and other secrets so you don’t have to expose them in code.

Create a secret

To create a secret:
  1. Sign in to your workspace at app.baseten.co and go to Secrets in your workspace settings.
  2. Enter a name for the secret, for example hf_access_token.
  3. Enter the secret value.
  4. Choose Add secret.
Secrets named DOCKER_REGISTRY_<registry-host> authenticate image pulls from private registries. Their value must be the Base64 encoding of username:password; Baseten validates this when you save the secret.

Use secrets in your model

Once you’ve created a secret, declare it in your config.yaml and access it in your model code.
Never store actual secret values in config.yaml. Use null as a placeholder. The secret in your config.yaml is a reference to the key in the secret manager.
Specify the reference to the secret in config.yaml:
config.yaml
Secrets are passed as keyword arguments to the Model class. To access them, store the secrets in __init__:
model/model.py
Then use the secret in your model’s load or predict method by accessing it with the key:
model/model.py
This pattern works when your model.py downloads the weights itself. To authenticate weights loaded through the Baseten Delivery Network (the weights: config), reference the secret from the per-source auth block instead. A secrets: entry alone does not authenticate weight mirroring.

Use secrets in custom Docker images

When using custom Docker images, Truss injects secrets into your container at /secrets/{secret_name} instead of passing them through kwargs. You must specify the reference to the secret and then access it in your start_command or application code. Specify the reference to the secret in config.yaml:
config.yaml

Read secrets in your start_command

To read a secret in your start_command:
config.yaml

Read secrets in application code

To read a secret in application code:
model/model.py