Skip to main content
W&B Secret Manager allows you to securely and centrally store, manage, and inject secrets, which are sensitive strings such as access tokens, bearer tokens, API keys, or passwords. Configure and manage team secrets in team settings. W&B features can read team secret values, removing the need to paste them or store them in code, training scripts, or plain-text automation configuration. Secrets are stored and managed in each team’s Secret Manager, in the Team secrets section of the team settings.
  • Only W&B Admins can create, edit, or delete a secret.
  • Secrets are included as a core part of W&B, including in W&B Server deployments that you host in Azure, Google Cloud, or AWS. Connect with your W&B account team to discuss how you can use secrets in W&B if you use a different deployment type.
  • In W&B Server, you are responsible for configuring security measures that satisfy your security needs.
    • W&B strongly recommends that you store secrets in a W&B instance of a cloud provider’s secrets manager provided by AWS, Google Cloud, or Azure, which are configured with advanced security capabilities.
    • W&B recommends against using a Kubernetes cluster as the backend of your secrets store unless you are unable to use a W&B instance of a cloud secrets manager (AWS, Google Cloud, or Azure), and you understand how to prevent security vulnerabilities that can occur if you use a cluster.

Where team secrets are used

Team secrets can be used in W&B in multiple contexts. After you add a secret, a feature like W&B Automations can access the secret by name.
  • Webhook automations: When an automation sends an HTTP request to a webhook, you can attach team secrets for authentication headers and for values referenced in the payload. Automations can be scoped to a project or a Registry. Registry-scoped automations that call a webhook use the same team webhooks and team secrets as project-scoped webhook automations.
  • Weave Playground: Provider credentials are supplied as named team secrets. See Add provider credentials and information.
  • Sandboxes: Securely provide team secrets to your sandboxes to make them available as environment variables. See Secrets in sandboxes.
  • LLM evaluation jobs: Some benchmarks need API keys or tokens stored as team secrets. See the Evaluation benchmark catalog.

Add a secret

To add a secret:
  1. If an external service gives you a token or API key, obtain that value through that service’s normal flow. If necessary, save the sensitive string securely, such as in a password manager, before you paste it into W&B Secret Manager.
  2. Log in to W&B and go to the team’s Settings page.
  3. In the Team Secrets section, click New secret.
  4. Using letters, numbers, and underscores (_), provide a name for the secret.
  5. Paste the sensitive string into the Secret field.
  6. Click Add secret.
When you configure a webhook for an automation, select which team secrets the webhook may use. For field names, access tokens, and payload variables, see Create a webhook automation.
Once you create a secret, you can access that secret in a webhook automation’s payload using the format ${SECRET_NAME}.

Rotate a secret

To rotate a secret and update its value:
  1. Click the pencil icon in the secret’s row to open the secret’s details.
  2. Set Secret to the new value. Optionally click Reveal secret to verify the new value.
  3. Click Add secret. The secret’s value updates and no longer resolves to the previous value.
After a secret is created or updated, you can no longer reveal its current value. Instead, rotate the secret to a new value.
Rotating or replacing a secret can affect every feature that still expects the old value. Update webhook automations, sandboxes that inject the secret, evaluation jobs, Weave Playground, or other consumers before you rely on the new value everywhere.

Delete a secret

To delete a secret:
  1. Click the trash icon in the secret’s row.
  2. Read the confirmation dialog, then click Delete. The secret is deleted immediately and permanently.

Manage access to secrets

A team’s secrets can be referenced by name in webhook automations, Weave Playground, sandboxes, LLM evaluation jobs, and other team-scoped features that select secrets by name. Before you remove a secret, update or remove every automation, job, sandbox configuration, or Playground flow that uses it so they do not stop working.