# Secrets

Secrets let you store sensitive values - API keys, passwords, tokens - securely in DataJet. Secret values are encrypted at rest and automatically redacted from script logs, so they never appear in plain text outside your scripts.

### Creating a Secret

1. Go to **Settings** > **Secrets**
2. Click **Create secret**
3. Fill in the fields:
   * **Title** — A unique name in `UPPER_SNAKE_CASE` format (e.g. `MY_API_KEY`, `DB_PASSWORD`, `SMTP_TOKEN`). Must start with a letter and contain only uppercase letters, digits, and underscores.
   * **Value** — The sensitive value to store. This is encrypted immediately and cannot be viewed again after saving.
   * **Description** *(optional)* — A note to help you remember what this secret is for.
4. Click **Create**

### Using Secrets in Scripts

Secrets are available in all script types through the `secrets` object. Reference a secret by its title:

```liquid
{{ secrets.MY_API_KEY }}
```

#### Example: Calling an External API

```liquid
{% capture query %}
  mutation { ... }
{% endcapture %}

{% json headers %}
  {
    "Authorization": "Bearer {{ secrets.EXTERNAL_API_KEY }}"
  }
{% endjson %}

{% http url:"https://api.example.com/data",
    method:"GET",
    headers:headers
    as response %}

{% log response %}
```

### Updating a Secret

1. In the Secrets table, click **Update** next to the secret you want to change
2. Enter the new value (leave empty to keep the current value)
3. Optionally update the description
4. Click **Update**

The previous value is permanently overwritten — there is no version history for secret values.

### Deleting a Secret

Click **Delete** next to the secret in the table. This is immediate and permanent. Any scripts referencing the deleted secret will receive an empty value for that key.

### Log Redaction

Secret values are **automatically redacted** from all script logs. If a secret's decrypted value appears anywhere in a log entry, it is replaced with `[REDACTED]` before the log is stored.

This applies to both the `{% log %}` tag and the `| log` filter. You do not need to do anything extra — redaction is always active.

**Example:**

If you have a secret `API_KEY` with value `sk-abc123` and your script logs:

```liquid
{% log secrets.API_KEY %}
```

The stored log entry will show: `[REDACTED]`
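The following is an added example, not DataJet's own code: a small Python model of the redaction described above, used to check which log lines still expose a secret after redaction. It assumes redaction is a literal match on the decrypted value, as the description suggests; the function names, the `DB_PASSWORD` value and the sample log lines are constructed for illustration.

```python
import base64
import urllib.parse

REDACTED = "[REDACTED]"

def redact(entry, secrets):
    """Model of literal redaction: replace each decrypted value found in entry."""
    # Longest first so a secret that contains another is replaced whole.
    for value in sorted(secrets.values(), key=len, reverse=True):
        if value:  # skip empty values; "" would match at every position
            entry = entry.replace(value, REDACTED)
    return entry

def derived_forms(value):
    """Encodings a script might apply to a secret before it reaches a log."""
    raw = value.encode()
    forms = {
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "urlencoded": urllib.parse.quote(value, safe=""),
    }
    # Drop encodings that leave the value unchanged; literal redaction covers those.
    return {name: form for name, form in forms.items() if form != value}

def residual_leaks(entry, secrets):
    """Return sorted (title, encoding) pairs still readable after redaction."""
    cleaned = redact(entry, secrets)
    return sorted(
        (title, name)
        for title, value in secrets.items()
        for name, form in derived_forms(value).items()
        if form in cleaned
    )

# Constructed sample data: the API_KEY value is the one used on this page.
SECRETS = {"API_KEY": "sk-abc123", "DB_PASSWORD": "p@ss w0rd"}
SAMPLE_LOGS = [
    'headers: {"Authorization": "Bearer sk-abc123"}',
    "debug token_b64=c2stYWJjMTIz",
    "connect postgres://app:p%40ss%20w0rd@db.example.com/shop",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(redact(line, SECRETS), residual_leaks(line, SECRETS))
```

Under this assumption, only the first sample line is fully protected. Treat redaction as a safety net and avoid logging encoded, hashed or otherwise transformed secret values at all.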

### Limits

| Limit                | Value                                                                                |
| -------------------- | ------------------------------------------------------------------------------------ |
| Secrets per store    | 50                                                                                   |
| Maximum value length | 10,000 characters                                                                    |
| Title format         | `UPPER_SNAKE_CASE` — letters, digits, and underscores only, must start with a letter |
| Title uniqueness     | Each title must be unique within your store                                          |


