Secret
A Secret stores sensitive values (API keys, tokens, passwords) used by other resources. ModelEndpoints, Tools, McpServers, and TaskWebhooks reference Secrets for authentication.
Defining a Secret
The simplest way to create a Secret is with the CLI:
```bash
orlojctl create secret openai-api-key --from-literal value=sk-your-api-key-here
```
Or with a YAML manifest:
```yaml
apiVersion: orloj.dev/v1
kind: Secret
metadata:
  name: openai-api-key
spec:
  stringData:
    value: sk-your-api-key-here
```
Key Fields
| Field | Description |
|---|---|
| `data` | Base64-encoded key-value pairs. This is what the runtime reads at execution time. |
| `stringData` | Write-only plaintext convenience input. Entries are base64-encoded into `data` during normalization, then cleared. |
How Secrets Work
- `stringData` entries are merged into `data` as base64 during normalization.
- Every `data` value must be non-empty valid base64.
- `stringData` is cleared after normalization (write-only behavior) -- it is never stored or returned by the API.
- Secret resolution is performed fresh per tool invocation. There is no caching of raw secret values, so rotated secrets take effect immediately.
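The normalization rules above can be checked locally before a manifest is applied. The following Python is an added illustration, not Orloj's own code: `normalize_secret` and `reveal` are hypothetical names, and letting a `stringData` entry win over a `data` entry with the same key is an assumption the page does not state.

```python
import base64
import binascii


def normalize_secret(spec: dict) -> dict:
    """Return a normalized copy of a Secret spec, following the rules listed above."""
    data = dict(spec.get("data") or {})

    # Rule 1: stringData entries are base64-encoded and merged into data.
    # Assumption: on a key collision the stringData entry wins (the page
    # does not say which side takes precedence).
    for key, plaintext in (spec.get("stringData") or {}).items():
        data[key] = base64.b64encode(plaintext.encode("utf-8")).decode("ascii")

    # Rule 2: every data value must be non-empty valid base64.
    for key, encoded in data.items():
        if not isinstance(encoded, str) or not encoded:
            raise ValueError(f"data[{key!r}] is empty")
        try:
            base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError(f"data[{key!r}] is not valid base64") from exc

    # Rule 3: stringData is write-only, so it is dropped from the result.
    return {"data": data}


def reveal(normalized: dict, key: str) -> str:
    """Decode one value: base64 is an encoding, not encryption."""
    return base64.b64decode(normalized["data"][key]).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample mirroring the manifest above.
    spec = {"stringData": {"value": "sk-your-api-key-here"}}
    out = normalize_secret(spec)
    print(out)
    print(reveal(out, "value"))
```

Because `reveal` recovers the plaintext with no key, anyone who can read `data` can read the secret, so read access to Secret resources needs the same restriction as the values themselves.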
Environment Variable Override
In production, you can skip Secret resources entirely and inject values via environment variables:
```
ORLOJ_SECRET_<name>=<value>
```
See Secret Handling for details.
Related
- ModelEndpoint -- uses Secrets for model provider auth
- Tool -- uses Secrets for tool auth
- McpServer -- uses Secrets for MCP server auth
- Resource Reference: Secret