Storing Secrets

Many patches need to use secret values like API keys to access external services. This guide explains how to securely store and use secrets in your patches.

Using Secrets

Secrets are stored in the code editor for your patch, and are accessible through sup.secret:

function main() {
  // Get a secret by name
  const apiKey = sup.secret("OPENAI_API_KEY");
  if (!apiKey) return "Please add OPENAI_API_KEY in patch settings";
  // Use the secret...
}

Common Use Cases

External APIs

When using external services like OpenAI or ElevenLabs:

function main() {
  const text = sup.input.text;
  if (!text) return "Please provide text to convert to speech";

  const elevenlabsKey = sup.secret("ELEVENLABS_API_KEY");
  if (!elevenlabsKey) {
    return "Please add ELEVENLABS_API_KEY in patch settings";
  }

  // Generate speech using the API key
  return sup.ex.elevenlabs("voice_id", text, elevenlabsKey);
}

Best Practices

Never Expose Secrets

• Don’t log secrets to the console
• Don’t include secrets in error messages
• Don’t return secrets in patch output

// ❌ Don't do this
function main() {
  const apiKey = sup.secret("API_KEY");
  console.log("Using API key:", apiKey); // Never log secrets!

  if (error) {
    return `API error with key ${apiKey}`; // Never expose secrets!
  }
}

// ✅ Do this instead
function main() {
  const apiKey = sup.secret("API_KEY");
  console.log("API key present:", !!apiKey);

  if (error) {
    return "API error occurred"; // Keep error messages general
  }
}

Secret Naming

Use clear, descriptive names for secrets:

// ❌ Unclear names
"key1";
"secret_thing";
"api";

// ✅ Clear names
"OPENAI_API_KEY";
"ELEVENLABS_API_KEY";
"GOOGLE_MAPS_API_KEY";
"STRIPE_SECRET_KEY";

Notes

• Secrets are only accessible to the patch owner
• Secrets are not shared with other users or patches, and are not copied when other users duplicate your patches