Manage Secrets
Secrets store sensitive values (API keys, authentication tokens, certificates) that your evaluations need at runtime. AI GO! keeps them server-side so they do not appear in plain text in your YAML configs or evaluation logs by mistake.
Inline Secrets in YAML Configs
You can declare secrets directly inside your YAML configuration. Commands lf run or lf add process the config and automatically upload (create or update) the declared inline secrets to the server before creating any entities.
Top-Level Secrets
Declare a secrets dictionary at the root of your run config. Values are typically read from environment variables using the $VAR YAML directive:
# datasets: ...
# models: ...
# tasks: ...
secrets:
OPENAI_KEY: $OPENAI_API_KEY # or directly "sk-..."
JUDGE_KEY: $JUDGE_API_KEY # or directly "sk-..."Model-Level Secrets
Each model can also declare its own secrets dictionary.
models:
- key: my-model
secrets:
API_KEY_1: $OPENAI_API_KEY # or directly "sk-..."
config:
connection_type: custom_connection
api_key: "<< secrets.API_KEY_1 >>"
...
- key: judge-model
secrets:
API_KEY_2: $ANTHROPIC_API_KEY
config:
connection_type: custom_connection
api_key: "<< secrets.API_KEY_2 >>"
...Top-level and model-level secrets are merged before upload. If the same secret name appears in multiple places with different values, the CLI raises an error. Secrets are scoped per tenant.
If you manage a secret exclusively through lf secret add, you do not need to redeclare it in YAML. You only need to reference it with the << secrets.name >> syntax.
Manage Secrets with the CLI
The lf secret subcommand lets you manage secrets directly.
Create or Update a Secret
lf secret add --name OPENAI_KEY --value "sk-..."If a secret with that name already exists, its value is replaced.
List Secrets
lf secret listDelete a Secret
lf secret delete --name OPENAI_KEYSee the full lf secret CLI reference for all available options.