# Secrets

Secrets let you store sensitive values - API keys, passwords, tokens - securely in DataJet. Secret values are encrypted at rest and automatically redacted from script logs, so they never appear in plain text outside your scripts.

### Creating a Secret

1. Go to **Settings** > **Secrets**
2. Click **Create secret**
3. Fill in the fields:
   * **Title** — A unique name in `UPPER_SNAKE_CASE` format (e.g. `MY_API_KEY`, `DB_PASSWORD`, `SMTP_TOKEN`). Must start with a letter and contain only uppercase letters, digits, and underscores.
   * **Value** — The sensitive value to store. This is encrypted immediately and cannot be viewed again after saving.
   * **Description** *(optional)* — A note to help you remember what this secret is for.
4. Click **Create**

### Using Secrets in Scripts

Secrets are available in all script types through the `secrets` object. Reference a secret by its title:

```liquid
{{ secrets.MY_API_KEY }}
```

#### Example: Calling an External API

```liquid
{% capture query %}
  mutation { ... }
{% endcapture %}

{% json headers %}
  {
    "Authorization": "Bearer {{ secrets.EXTERNAL_API_KEY }}"
  }
{% endjson %}

{% http url:"https://api.example.com/data",
    method:"GET",
    headers:headers
    as response %}

{% log response %}
```

### Updating a Secret

1. In the Secrets table, click **Update** next to the secret you want to change
2. Enter the new value (leave empty to keep the current value)
3. Optionally update the description
4. Click **Update**

The previous value is permanently overwritten — there is no version history for secret values.

### Deleting a Secret

Click **Delete** next to the secret in the table. This is immediate and permanent. Any scripts referencing the deleted secret will receive an empty value for that key.

### Log Redaction

Secret values are **automatically redacted** from all script logs. If a secret's decrypted value appears anywhere in a log entry, it is replaced with `[REDACTED]` before the log is stored.

This applies to both the `{% log %}` tag and the `| log` filter. You do not need to do anything extra — redaction is always active.

**Example:**

If you have a secret `API_KEY` with value `sk-abc123` and your script logs:

```liquid
{% log secrets.API_KEY %}
```

The stored log entry will show: `[REDACTED]`

### Limits

| Limit                | Value                                                                                |
| -------------------- | ------------------------------------------------------------------------------------ |
| Secrets per store    | 50                                                                                   |
| Maximum value length | 10,000 characters                                                                    |
| Title format         | `UPPER_SNAKE_CASE` — letters, digits, and underscores only, must start with a letter |
| Title uniqueness     | Each title must be unique within your store                                          |