Store sensitive credentials like API keys and passwords using the secrets dashboard.

  • Secrets are stored as key-value pairs (name → token).
  • Naming rules: Non-alphanumeric characters are treated the same (e.g., hf_access_token and hf-access-token are identical). Creating a new secret with a similar name overwrites the existing one.
  • Changes to secrets immediately affect all models using them.

Any model deployed to a workspace will have access to any secrets specified on the workspace.

Using secrets in Truss

1

Add the secret name to config.yaml, setting the value to null:

config.yaml
...
secrets:
  hf_access_token: null
...

Never set the actual value of the secret in config.yaml or any other file that gets committed to your codebase.

2

Access secrets in model.py:

model/model.py
def __init__(self, **kwargs):
    self._secrets = kwargs["secrets"]
3

Use secrets in load or predict:

model/model.py
def load(self):
    self._model = pipeline(
        "fill-mask",
        model="baseten/docs-example-gated-model",
        use_auth_token=self._secrets["hf_access_token"]
    )