Runpod secrets provide a secure way to store and manage sensitive information such as API keys, passwords, and authentication tokens in your Pod templates. Secrets are encrypted at rest and can be safely referenced in your templates without exposing sensitive data in plain text.

What are Runpod Secrets

Secrets are encrypted strings that store sensitive information separately from your template configuration. This approach offers several advantages:
  • Security: Sensitive data is encrypted and never displayed in plain text once created, protecting against accidental exposure.
  • Reusability: The same secret can be referenced across multiple templates and Pods without duplication.
  • Access control: Secrets are tied to your account or team, ensuring only authorized users can access them.
  • Audit trail: Changes to secrets are tracked, providing visibility into when sensitive data is modified.

Creating a secret

You can create secrets through the Runpod web interface to securely store sensitive information:
  1. Navigate to the Secrets section in the Runpod console
  2. Click Create Secret to open the creation form
  3. Provide the required information:
    • Secret Name: A unique identifier for your secret (e.g., huggingface_token, database_password)
    • Secret Value: The actual sensitive data you want to store
    • Description (optional): A helpful description of what this secret contains or how it’s used
  4. Click Create Secret to save your encrypted secret
Once a secret is created, its value cannot be viewed through the interface. This is a security feature that prevents accidental exposure of sensitive data. If you need to verify or change the value, you must modify the secret or create a new one.

Managing existing secrets

Modifying a secret value

To update the value of an existing secret:
  1. Go to the Secrets section
  2. Click on the name of the secret you want to modify
  3. Click the configuration icon and select Edit Secret Value
  4. Enter the new secret value
  5. Click Save Changes to update the encrypted value

Viewing secret details

You can view metadata about your secrets without exposing the sensitive values:
  1. Navigate to the Secrets section
  2. Click on the secret name you want to inspect
  3. Click the configuration icon and select View Secret
This shows you the secret name, description, and creation date, but never the actual secret value.

Deleting a secret

To permanently remove a secret:
  1. Go to the Secrets section
  2. Click on the secret you want to delete
  3. Click the configuration icon and select Delete Secret
  4. Type the secret name to confirm deletion
  5. Click Confirm Delete to permanently remove the secret
Deleting a secret is permanent and cannot be undone. Make sure no active templates or Pods are using the secret before deletion, as this will cause those deployments to fail.

Using secrets in Pod templates

Once you’ve created secrets, you can reference them in your Pod templates to provide secure access to sensitive data.

Direct reference method

Reference your secrets directly in the environment variables section of your Pod template using the RUNPOD_SECRET_ prefix followed by your secret name: 
{{ RUNPOD_SECRET_secret_name }}
For example, if you created a secret named huggingface_token, you would reference it as: 
{{ RUNPOD_SECRET_huggingface_token }}
This syntax tells Runpod to substitute the encrypted secret value when the Pod starts, making it available as an environment variable inside your container.

Web interface selection

When creating or editing a Pod template through the web interface, you can also:
  1. Navigate to the environment variables section of your template
  2. Use the secret selector to choose from your available secrets
  3. The interface will automatically format the reference syntax for you

Best practices for using secrets

Naming conventions: Use descriptive names that clearly indicate the secret’s purpose (e.g., openai_api_key, database_password, github_token). Environment variable mapping: Map secrets to appropriately named environment variables in your templates: 
API_KEY={{ RUNPOD_SECRET_openai_key }}
DATABASE_URL={{ RUNPOD_SECRET_db_connection }}
Minimal exposure: Only include secrets in templates that actually need them to reduce the attack surface. Regular rotation: Periodically update secret values, especially for long-lived credentials like API keys.

Common use cases

Secrets are particularly valuable for: API authentication: Store API keys for services like OpenAI, Hugging Face, or cloud providers without hardcoding them in your templates. Database credentials: Securely provide database connection strings and passwords to your applications. Model access tokens: Store authentication tokens required to download gated models or datasets. Service integration: Keep webhook URLs, service account keys, and other integration credentials secure. Development vs. production: Use different secrets for different environments while keeping the same template structure.