> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wandb.ai/llms.txt
> Use this file to discover all available pages before exploring further.

> Overview of W&B secrets, how they work, and how to get started using them.

# Manage secrets

W\&B Secret Manager allows you to securely and centrally store, manage, and inject *secrets*, which are sensitive strings such as access tokens, bearer tokens, API keys, or passwords. Configure and manage team secrets in [team settings](/platform/app/settings-page/teams). W\&B features can read team secret values, removing the need to paste them or store them in code, training scripts, or plain-text automation configuration.

Secrets are stored and managed in each team's Secret Manager, in the **Team secrets** section of the [team settings](/platform/app/settings-page/teams/).

<Note>
  * Only W\&B Admins can create, edit, or delete a secret.
  * Secrets are included as a core part of W\&B, including in [W\&B Server deployments](/platform/hosting/) that you host in Azure, Google Cloud, or AWS. Connect with your W\&B account team to discuss how you can use secrets in W\&B if you use a different deployment type.
  * In W\&B Server, you are responsible for configuring security measures that satisfy your security needs.

    * W\&B strongly recommends that you store secrets in a W\&B instance of a cloud provider's secrets manager provided by AWS, Google Cloud, or Azure, which are configured with advanced security capabilities.

    * W\&B recommends against using a Kubernetes cluster as the backend of your secrets store unless you are unable to use a W\&B instance of a cloud secrets manager (AWS, Google Cloud, or Azure), and you understand how to prevent security vulnerabilities that can occur if you use a cluster.
</Note>

## Where team secrets are used

Team secrets can be used in W\&B in multiple contexts. After you [add a secret](#add-a-secret), a feature like W\&B Automations can access the secret by name.

* **Webhook automations**: When an automation sends an HTTP request to a [webhook](/models/automations/create-automations/webhook/), you can attach team secrets for authentication headers and for values referenced in the payload. Automations can be scoped to a [project](/models/automations/automation-events/#project) or a [Registry](/models/automations/automation-events/#registry). Registry-scoped automations that call a webhook use the same team webhooks and team secrets as project-scoped webhook automations.
* **Weave Playground**: Provider credentials are supplied as named team secrets. See [Add provider credentials and information](/weave/guides/tools/playground#add-provider-credentials-and-information).
* **Sandboxes**: Securely provide team secrets to your sandboxes to make them available as environment variables. See [Secrets in sandboxes](/sandboxes/secrets).
* **LLM evaluation jobs:** Some benchmarks need API keys or tokens stored as team secrets. See the [Evaluation benchmark catalog](/models/launch/evaluations).

## Add a secret

To add a secret:

1. If an external service gives you a token or API key, obtain that value through that service's normal flow. If necessary, save the sensitive string securely, such as in a password manager, before you paste it into W\&B Secret Manager.
2. Log in to W\&B and go to the team's **Settings** page.
3. In the **Team Secrets** section, click **New secret**.
4. Using letters, numbers, and underscores (`_`), provide a name for the secret.
5. Paste the sensitive string into the **Secret** field.
6. Click **Add secret**.

When you configure a webhook for an automation, select which team secrets the webhook may use. For field names, access tokens, and payload variables, see [Create a webhook automation](/models/automations/create-automations/webhook).

<Note>
  Once you create a secret, you can access that secret in a [webhook automation's payload](/models/automations/create-automations/webhook/) using the format `${SECRET_NAME}`.
</Note>

## Rotate a secret

To rotate a secret and update its value:

1. Click the pencil icon in the secret's row to open the secret's details.
2. Set **Secret** to the new value. Optionally click **Reveal secret** to verify the new value.
3. Click **Add secret**. The secret's value updates and no longer resolves to the previous value.

<Note>
  After a secret is created or updated, you can no longer reveal its current value. Instead, rotate the secret to a new value.
</Note>

Rotating or replacing a secret can affect every feature that still expects the old value. Update [webhook automations](/models/automations/create-automations/webhook), [sandboxes](/sandboxes/secrets) that inject the secret, [evaluation jobs](/models/launch/evaluations), [Weave Playground](/weave/guides/tools/playground#add-provider-credentials-and-information), or other consumers before you rely on the new value everywhere.

## Delete a secret

To delete a secret:

1. Click the trash icon in the secret's row.
2. Read the confirmation dialog, then click **Delete**. The secret is deleted immediately and permanently.

## Manage access to secrets

A team's secrets can be referenced by name in [webhook automations](/models/automations/create-automations/webhook), [Weave Playground](/weave/guides/tools/playground#add-provider-credentials-and-information), [sandboxes](/sandboxes/secrets), [LLM evaluation jobs](/models/launch/evaluations), and other team-scoped features that select secrets by name.

Before you remove a secret, update or remove every automation, job, sandbox configuration, or Playground flow that uses it so they do not stop working.