Secrets are key-value pairs stored on your account and injected into your runs as environment variables. Anything you’d otherwise put in a .env file or hard-code into your script — API keys, model tokens, database URLs, webhook endpoints — belongs here instead. The advantage over baking values into source is twofold:
  1. They never appear in your code or container images. You can commit your script to a public repo and the secret stays with your Lyceum account.
  2. They’re shared across runs. Update a token once and every subsequent run picks up the new value.
Each secret has a key, a value, and an is_secret flag. The is_secret flag affects how the value is displayed (always masked when set), but both kinds reach your code identically.

Reading secrets in your code

Secrets become normal environment variables in the run’s environment, accessible the usual way:
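```python
import os

# Raises KeyError if the secret is not set, so a missing token fails the run early
token = os.environ["HF_TOKEN"]
# Returns None if the secret is not set
db_url = os.environ.get("DATABASE_URL")
```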
Inside Docker containers the same applies.

REST API

| Method | Endpoint | Purpose |
| --- | --- | --- |
| GET | /environment-variables/ | List your variables |
| POST | /environment-variables/ | Create or upsert (key, value, is_secret) |
| DELETE | /environment-variables/{env_var_id} | Delete a single variable |
| DELETE | /environment-variables/ | Delete every variable on your account |
The upsert endpoint accepts a single object or a batch — you can roll out a new set of variables in one call.

Validation

  • Names must start with a letter or underscore
  • Names may contain letters, digits, and underscores only
  • Duplicate names within a single request are rejected

What not to put here

Secrets are intended for short, individual values — tokens, URLs, IDs. Don’t try to store large blobs (private keys, certificates, configuration files) here. For those, upload to Storage and read the file from your run.
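
A pre-flight check for a batch upsert payload, written as an added example (not Lyceum's own code): it applies the three naming rules from the Validation section locally and flags values that look like the blobs this section says belong in Storage. The ASCII-only reading of "letters", exact-match duplicate detection, and the PEM/multi-line heuristic are assumptions; it reports keys and positions only, never values, so the output is safe to log.

```python
import re

# Naming rules from the Validation section; ASCII-only letters is an assumption.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Assumed heuristic for "large blobs": PEM armor or a multi-line value.
PEM_RE = re.compile(r"-----BEGIN [A-Z0-9 ]+-----")
BLOB_MSG = "looks like a key/cert/config blob; use Storage"


def check_batch(items):
    """Check a list of {"key", "value", "is_secret"} objects.

    Returns a list of (index, key, problem) tuples; an empty list means
    the batch passes these local checks. Values are never included.
    """
    problems = []
    seen = {}  # key -> index of first occurrence in this request
    for i, item in enumerate(items):
        key = item.get("key", "")
        value = item.get("value", "")
        # fullmatch (not match with $) so "HF_TOKEN\n" is rejected too
        if not isinstance(key, str) or not NAME_RE.fullmatch(key):
            problems.append((i, key, "invalid name"))
        elif key in seen:
            problems.append((i, key, f"duplicate of item {seen[key]}"))
        else:
            seen[key] = i
        if isinstance(value, str) and (
            PEM_RE.search(value) or "\n" in value.strip()
        ):
            problems.append((i, key, BLOB_MSG))
    return problems


# Constructed sample batch; every value is fake.
SAMPLE = [
    {"key": "HF_TOKEN", "value": "hf_constructed_example", "is_secret": True},
    {"key": "2FA_SEED", "value": "constructed", "is_secret": True},
    {"key": "DATABASE-URL", "value": "postgres://db.example/app", "is_secret": False},
    {"key": "HF_TOKEN", "value": "hf_other_constructed", "is_secret": True},
    {"key": "TLS_KEY", "is_secret": True,
     "value": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----"},
]

if __name__ == "__main__":
    for index, key, problem in check_batch(SAMPLE):
        print(f"item {index} ({key!r}): {problem}")
```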