This guide shows how to create, view, edit, delete, and use secrets in your Pod templates to protect sensitive data and improve security.

What are Runpod secrets

Secrets are encrypted strings that store sensitive information separately from your template configuration, providing a secure way to store and manage sensitive information such as API keys, passwords, and authentication tokens in your Pod templates. After creating a secret, you can safely reference it in your templates without exposing any sensitive data in plain text: 
{{ RUNPOD_SECRET_secret_name }}
This approach offers several advantages:
  • Security: Sensitive data is encrypted and never displayed in plain text once created, protecting against accidental exposure.
  • Reusability: The same secret can be referenced across multiple templates and Pods without duplication.
  • Access control: Secrets are tied to your account or team, ensuring only authorized users can access them.
This makes secrets particularly useful for:
  • API authentication: Store API keys for services like OpenAI, Hugging Face, or cloud providers without hardcoding them in your templates.
  • Database credentials: Securely provide database connection strings and passwords to your applications.
  • Model access tokens: Store authentication tokens required to download gated models or datasets.
  • Service integration: Keep webhook URLs, service account keys, and other integration credentials secure.

Create a secret

You can create secrets through the Runpod web interface to securely store sensitive information:
  1. Go to the Secrets section in the Runpod console.
  2. Click Create Secret to open the creation form.
  3. Provide the required information:
    • Secret Name: A unique identifier for your secret (e.g., huggingface_token, database_password).
    • Secret Value: The actual sensitive data you want to store.
    • Description (optional): A helpful description of what this secret contains or how it’s used.
  4. Click Create Secret to save your encrypted secret.
Once a secret is created, its value cannot be viewed through the interface. This is a security feature that prevents accidental exposure of sensitive data. If you need to verify or change the value, you must modify the secret or create a new one.

View secret details

You can view metadata about your secrets without exposing the sensitive values:
  1. Go to the Secrets section.
  2. Click on the secret name you want to inspect.
  3. Click the configuration icon and select View Secret.
This shows you the secret name, description, and creation date, but never the actual secret value.

Modify a secret value

To update the value of an existing secret:
  1. Go to the Secrets section.
  2. Click on the name of the secret you want to modify.
  3. Click Manage and select Edit Secret Value.
  4. Enter the new secret value.
  5. Click Save Changes to update the encrypted value.

Delete a secret

To permanently remove a secret:
  1. Go to the Secrets section.
  2. Click on the secret you want to delete.
  3. Click Manage and select Delete Secret.
  4. Type or copy/paste the secret name to confirm deletion.
  5. Click Confirm Delete to permanently remove the secret.
Deleting a secret is permanent and cannot be undone. Make sure no active templates or Pods are using the secret before deletion, as this will cause those deployments to fail.

Using secrets in Pod templates

Once you’ve created secrets, you can reference them in your Pod templates to provide secure access to sensitive data.

Direct reference method

Reference your secrets directly in the environment variables section of your Pod template using the RUNPOD_SECRET_ prefix followed by your secret name: 
{{ RUNPOD_SECRET_secret_name }}
For example, if you created a secret named huggingface_token, you would reference it as: 
{{ RUNPOD_SECRET_huggingface_token }}
This syntax tells Runpod to substitute the encrypted secret value when the Pod starts, making it available as an environment variable inside your container.

Web interface selection

When creating or editing a Pod template through the web interface, you can also:
  1. Navigate to the environment variables section of your template.
  2. Use the secret selector (click the key icon) to choose from your available secrets.
  3. The interface will automatically format the reference syntax for you.

Best practices for using secrets

  • Naming conventions: Use descriptive names that clearly indicate the secret’s purpose (e.g., openai_api_key, database_password, github_token).
  • Environment variable mapping: Map secrets to appropriately named environment variables in your templates: 
    API_KEY={{ RUNPOD_SECRET_openai_key }}
DATABASE_URL={{ RUNPOD_SECRET_db_connection }}
  • Minimal exposure: Only include secrets in templates that actually need them to reduce the attack surface.
  • Regular rotation: Periodically update secret values, especially for long-lived credentials like API keys.