> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lyceum.technology/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets

> Store environment variables and credentials for your runs

Secrets are key-value pairs stored on your account and injected into your runs as environment variables. Anything you'd otherwise put in a `.env` file or hard-code into your script, API keys, model tokens, database URLs, webhook endpoints, belongs here instead.

The advantage over baking values into source is twofold:

1. **They never appear in your code or container images.** You can commit your script to a public repo and the secret stays with your Lyceum account.
2. **They're shared across runs.** Update a token once and every subsequent run picks up the new value.

Each secret has a `key`, a `value`, and an `is_secret` flag. The `is_secret` flag affects how the value is displayed (always masked when set), but both kinds reach your code identically.

## Reading secrets in your code

Secrets become normal environment variables in the run's environment, accessible the usual way:

```python theme={null}
import os

token = os.environ["HF_TOKEN"]
db_url = os.environ.get("DATABASE_URL")
```

Inside Docker containers the same applies.

## REST API

| Method   | Endpoint                              | Purpose                                        |
| -------- | ------------------------------------- | ---------------------------------------------- |
| `GET`    | `/environment-variables/`             | List your variables                            |
| `POST`   | `/environment-variables/`             | Create or upsert (`key`, `value`, `is_secret`) |
| `DELETE` | `/environment-variables/{env_var_id}` | Delete a single variable                       |
| `DELETE` | `/environment-variables/`             | Delete every variable on your account          |

The upsert endpoint accepts a single object or a batch, you can roll out a new set of variables in one call.

### Validation

* Names must start with a letter or underscore
* Names may contain letters, digits, and underscores only
* Duplicate names within a single request are rejected

### What not to put here

Secrets are intended for short, individual values, tokens, URLs, IDs. Don't try to store large blobs (private keys, certificates, configuration files) here. For those, upload to [Storage](/docs/configuration/storage) and read the file from your run.
