Secrets

Overview W&B secrets, how they work, and how to get started using them.

3 minute read

W&B Secret Manager allows you to securely and centrally store, manage, and inject secrets, which are sensitive strings such as access tokens, bearer tokens, API keys, or passwords. W&B Secret Manager removes the need to add sensitive strings directly to your code or when configuring a webhook’s header or payload(/guides/core/automations/).

Secrets are stored and managed in each team’s Secret Manager, in the Team secrets section of the team settings.

Only W&B Admins can create, edit, or delete a secret.
Secrets are included as a core part of W&B, including in W&B Server deployments that you host in Azure, GCP, or AWS. Connect with your W&B account team to discuss how you can use secrets in W&B if you use a different deployment type.
In W&B Server, you are responsible for configuring security measures that satisfy your security needs.
- W&B strongly recommends that you store secrets in a W&B instance of a cloud provider’s secrets manager provided by AWS, GCP, or Azure, which are configured with advanced security capabilities.
- W&B recommends against using a Kubernetes cluster as the backend of your secrets store unless you are unable to use a W&B instance of a cloud secrets manager (AWS, GCP, or Azure), and you understand how to prevent security vulnerabilities that can occur if you use a cluster.

Add a secret

To add a secret:

If the receiving service requires it to authenticate incoming webhooks, generate the required token or API key. If necessary, save the sensitive string securely, such as in a password manager.
Log in to W&B and go to the team’s Settings page.
In the Team Secrets section, click New secret.
Using letters, numbers, and _, provide a name for the secret.
Paste the sensitive string into the Secret field.
Click Add secret.

Specify the secrets you want to use for your webhook automation when you configure the webhook. See the Configure a webhook section for more information.

Once you create a secret, you can access that secret in your W&B workflows with $.

Rotate a secret

To rotate a secret and update its value:

Click the pencil icon in the secret’s row to open the secret’s details.
Set Secret to the new value. Optionally click Reveal secret to verify the new value.
Click Add secret. The secret’s value updates and no longer resolves to the previous value.

After a secret is created or updated, you can no longer reveal its current value. Instead, rotate the secret to a new value.

Delete a secret

To delete a secret:

Click the trash icon in the secret’s row.
Read the confirmation dialog, then click Delete. The secret is deleted immediately and permanently.

Manage access to secrets

Each member of a team have access to its secrets. To revoke access to a secret from a particular member, remove that member from the team.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

Last modified March 26, 2025

Edit page Report issue PDF