Secrets and Secret Injection
Runta separates stored tenant secrets from runtime-scoped injection rules. Store a secret once, then attach a rule to a runtime so matching outbound requests receive a header or parameter value without writing the raw credential into the runtime filesystem.
Store a Secret
Use an input method that keeps the value out of shell history.

```sh
# Read the value from an environment variable
export OPENAI_API_KEY=sk-example
runta secret add openai-api-key --value-env OPENAI_API_KEY

# Read the value from stdin
printf '%s' "$GITHUB_TOKEN" | runta secret add github-token --value-stdin

# Prompt for the value and set a cache TTL in seconds
runta secret add internal-api --prompt --cache-ttl-secs 300
```

```python
import os

secret = runta.secrets.create(
    "openai-api-key",
    os.environ["OPENAI_API_KEY"],
    cache_ttl_secs=0,
)
```

```ts
const secret = await runta.secrets.create(
  "openai-api-key",
  process.env.OPENAI_API_KEY!,
  { cacheTtlSecs: 0 },
);
```

Secret list and get calls return metadata such as ID, display name, and cache TTL. They do not return the stored secret value.

```sh
runta secret list
runta secret delete openai-api-key
```

Add an Injection Rule
Rules match a destination host and optional path. The literal ${credential} placeholder is replaced with the stored secret value when the egress gateway injects it into the outbound request.

```sh
# Single quotes keep the shell from expanding ${credential};
# the rule must store the literal placeholder.
runta secret rule add \
  worker \
  --host api.openai.com \
  --path '/v1/*' \
  --credential openai-api-key \
  --inject-header Authorization \
  --inject-value 'Bearer ${credential}'
```

```python
from runta import Injection

rule = runtime.secrets.create_rule(
    "https://api.openai.com",
    path="/v1/*",
    injection=Injection(
        credential="openai-api-key",
        header="Authorization",
        value="Bearer ${credential}",
    ),
)
```

```ts
const rule = await runtime.secrets.createRule("https://api.openai.com", {
  path: "/v1/*",
  injection: {
    credential: "openai-api-key",
    header: "Authorization",
    value: "Bearer ${credential}",
  },
});
```

The CLI currently exposes header injection flags. The SDK injection type also supports parameter injection by setting param instead of header.
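The matching and substitution described above, as a local model for reasoning about which requests receive a credential. This is an added example, not Runta's gateway code. The glob-style path match, exact host match, "no path means any path" behavior, and the names SECRETS, RULES, matching_rule and inject are assumptions; the rule fields follow the rule-file format this page shows.

```python
from fnmatch import fnmatchcase

PLACEHOLDER = "${credential}"

# Constructed stand-ins for the tenant secret store and one rule.
SECRETS = {"openai-api-key": "sk-example"}
RULES = [{
    "runtime": "worker",
    "host": "api.openai.com",
    "path": "/v1/*",
    "credential": "openai-api-key",
    "inject": {"header": "Authorization", "value": "Bearer ${credential}"},
}]


def matching_rule(rules, runtime, host, path):
    """Return the first rule for this runtime whose host and path match, else None."""
    for rule in rules:
        if rule["runtime"] != runtime:
            continue
        if rule["host"].lower() != host.lower():  # assumption: exact host match
            continue
        pattern = rule.get("path")  # assumption: a rule without a path matches any path
        if pattern is None or fnmatchcase(path, pattern):  # assumption: glob match
            return rule
    return None


def inject(rules, secrets, runtime, host, path, headers):
    """Return the headers the upstream sees; the caller's dict is left untouched."""
    out = dict(headers)
    rule = matching_rule(rules, runtime, host, path)
    if rule is None:
        return out  # no match: the request leaves without any credential
    value = rule["inject"]["value"].replace(PLACEHOLDER, secrets[rule["credential"]])
    out[rule["inject"]["header"]] = value
    return out


if __name__ == "__main__":
    sent = {"Content-Type": "application/json"}  # what the runtime itself sends
    for host, path in [("api.openai.com", "/v1/chat/completions"),
                       ("api.openai.com", "/v2/models"),
                       ("example.invalid", "/v1/chat/completions")]:
        print(host, path, inject(RULES, SECRETS, "worker", host, path, sent))
```

The point to take from the model is scope: the narrower the host and path pattern, the fewer destinations can ever receive the secret, so review rules for patterns broader than the API actually needs.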
Rule Files
The CLI can load YAML rule files:

```yaml
rules:
  - runtime: worker
    host: api.openai.com
    path: /v1/*
    credential: openai-api-key
    inject:
      header: Authorization
      value: Bearer ${credential}
```

```sh
runta secret rule add -f openai-rule.yaml
```

List and Delete Rules
```sh
runta secret rule list worker
runta secret rule delete <rule-id>
```

```python
for rule in runtime.secrets.list_rules():
    print(rule.id, rule.host_pattern, rule.path_pattern)

runtime.secrets.delete_rules(rule.id)
```

```ts
for (const rule of await runtime.secrets.listRules()) {
  console.log(rule.id, rule.host_pattern, rule.path_pattern);
}

await runtime.secrets.deleteRule(rule.id);
```

Tenant-wide rule listing is available through runta.secrets.list_rules() in Python and runta.secrets.listRules() in TypeScript.