W&B Secret Manager lets you securely and centrally store, manage, and inject secrets, which are sensitive strings such as access tokens, bearer tokens, API keys, or passwords. W&B features can read team secret values, which removes the need to paste them or store them in code, training scripts, or plain-text automation configuration. This page is for W&B Admins who need to create, rotate, delete, or manage access to team secrets used by webhook automations, Weave Playground, sandboxes, and LLM evaluation jobs. Secrets live in each team’s Secret Manager, in the Team secrets section of the team settings.
  • Only W&B Admins can create, edit, or delete a secret.
  • Secrets are included as a core part of W&B, including in W&B Server deployments that you host in Azure, Google Cloud, or AWS. Connect with your W&B account team to discuss how you can use secrets in W&B if you use a different deployment type.
  • In W&B Server, you are responsible for configuring security measures that satisfy your security needs.
    • W&B strongly recommends that you store secrets in a W&B instance of a cloud provider’s secrets manager from AWS, Google Cloud, or Azure, which include advanced security capabilities.
    • W&B recommends against using a Kubernetes cluster as the backend of your secrets store. Use a cluster only if you can’t use a W&B instance of a cloud secrets manager (AWS, Google Cloud, or Azure) and you understand how to prevent the security vulnerabilities that can occur.

Where team secrets are used

You can use team secrets in W&B in multiple contexts. After you add a secret, a feature like W&B Automations can access the secret by name.
  • Webhook automations: When an automation sends an HTTP request to a webhook, you can attach team secrets for authentication headers and for values referenced in the payload. You can scope automations to a project or a Registry. Registry-scoped automations that call a webhook use the same team webhooks and team secrets as project-scoped webhook automations.
  • Weave Playground: Supply provider credentials as named team secrets. See Add provider credentials and information.
  • Sandboxes: Securely provide team secrets to your sandboxes to make them available as environment variables. See Secrets in sandboxes.
  • LLM evaluation jobs: Some benchmarks need API keys or tokens stored as team secrets. See the Evaluation benchmark catalog.

Add a secret

Add a secret when you want to make a sensitive value available to W&B features without exposing it in code or configuration. After you complete these steps, the secret is available by name to the team features described in Where team secrets are used. To add a secret:
  1. If an external service gives you a token or API key, obtain that value through that service’s normal flow. If necessary, save the sensitive string securely, such as in a password manager, before you paste it into W&B Secret Manager. Saving a backup matters because, after creation, W&B no longer reveals the secret’s value.
  2. Sign in to W&B and go to the team’s Settings page.
  3. In the Team Secrets section, click New secret.
  4. Provide a name for the secret, using letters, numbers, and underscores (_).
  5. Paste the sensitive string into the Secret field.
  6. Click Add secret.
When you configure a webhook for an automation, select which team secrets the webhook may use. For field names, access tokens, and payload variables, see Create a webhook automation.
After you create a secret, you can access that secret in a webhook automation’s payload using the format ${SECRET_NAME}.

Rotate a secret

Rotate a secret when its value changes (for example, when an upstream credential is regenerated or when you suspect the existing value has been compromised). Because W&B doesn’t reveal a secret’s current value after creation, rotation is also the way to replace a value you no longer have a copy of. To rotate a secret and update its value:
  1. Click the pencil icon in the secret’s row to open the secret’s details.
  2. Set Secret to the new value. Optionally, click Reveal secret to verify the new value.
  3. Click Add secret. The secret’s value updates and no longer resolves to the previous value.
After a secret is created or updated, you can no longer reveal its current value. Instead, rotate the secret to a new value.
Rotating or replacing a secret can affect every feature that still expects the old value. Before you rely on the new value everywhere, update webhook automations, sandboxes that inject the secret, evaluation jobs, Weave Playground, or other consumers.

Delete a secret

Delete a secret when no team feature uses it. Because deletion is immediate and permanent, confirm that no automations, sandboxes, or other consumers still reference the secret before you proceed (see Manage access to secrets). To delete a secret:
  1. Click the trash icon in the secret’s row.
  2. Read the confirmation dialog, then click Delete. The secret is deleted immediately and permanently.

Manage access to secrets

You can reference a team’s secrets by name in webhook automations, Weave Playground, sandboxes, LLM evaluation jobs, and other team-scoped features that select secrets by name. Before you remove a secret, update or remove every automation, job, sandbox configuration, or Playground flow that uses it so they don’t stop working.
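The following pre-deletion check is an added example, not W&B code or a W&B API. It assumes you have copied each webhook automation's payload template into a dictionary by hand; the function names, automation names, secret names, and the `${event_type}` placeholder are constructed for illustration. It covers only `${SECRET_NAME}` references in webhook payloads, so sandboxes, Weave Playground, evaluation jobs, and webhook access-token settings still need a manual review.

```python
import re

# ${NAME}, where NAME uses only letters, numbers, and underscores:
# the character set this page allows for secret names.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def secret_references(payloads, secret_names):
    """Map each team secret name to the automations whose payload references it."""
    refs = {name: [] for name in secret_names}
    for automation, template in sorted(payloads.items()):
        # set() so a secret used twice in one payload is reported once.
        for name in set(PLACEHOLDER.findall(template)):
            # Placeholders that are not team secrets (other payload
            # variables) are ignored rather than reported.
            if name in refs:
                refs[name].append(automation)
    return refs


def unreferenced_secrets(payloads, secret_names):
    """Secrets that no webhook payload references (candidates for deletion)."""
    refs = secret_references(payloads, secret_names)
    return sorted(name for name, users in refs.items() if not users)


# Constructed sample data: secret names as listed in Team secrets, and
# payload templates copied from three hypothetical webhook automations.
TEAM_SECRETS = {"SLACK_TOKEN", "PAGER_KEY", "OLD_CI_TOKEN"}
PAYLOADS = {
    "notify-on-alias": '{"text": "new model", "token": "${SLACK_TOKEN}"}',
    "page-on-regression": '{"routing_key": "${PAGER_KEY}", "event": "${event_type}"}',
    "promote-model": '{"auth": "${SLACK_TOKEN}", "kind": "${event_type}"}',
}

if __name__ == "__main__":
    for secret, users in sorted(secret_references(PAYLOADS, TEAM_SECRETS).items()):
        print(f"{secret}: {', '.join(users) if users else 'no webhook payload uses it'}")
    print("Unreferenced in webhook payloads:", unreferenced_secrets(PAYLOADS, TEAM_SECRETS))
```

The same mapping tells you which automations to retest after rotating a secret.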