
Setting Secrets

To set sensitive information (such as API keys or database credentials) that your fal functions need to access, use the fal secrets CLI.
$ fal secrets set MY_API_TOKEN=token MY_IDENTITY_KEY=identity
Any secret that is set is exposed to all functions running under your user, and is accessible as if it were a regular environment variable.

Secrets in Environments

Secrets can be scoped to specific environments. Use the --env flag to manage secrets for a particular environment:
# Set a secret in the staging environment
$ fal secrets set MY_API_TOKEN=staging-token --env staging

# Set a secret in production (main environment)
$ fal secrets set MY_API_TOKEN=production-token
This allows you to use different API keys, database URLs, or other credentials for development, staging, and production.

Accessing Secrets in Your Code

import os
import fal

class MyApp(fal.App):
    @fal.endpoint("/")
    def print_secrets(self):
        # Secrets set with `fal secrets set` are read like regular environment variables.
        print(os.getenv("MY_API_TOKEN"))
        print(os.getenv("MY_IDENTITY_KEY"))
        return {"status": "secrets printed"}
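
Added example, not part of the fal documentation: os.getenv returns None for a secret that is not set in the environment the function runs in, so this sketch fails fast with the names of all missing secrets and logs a fingerprint instead of the value. The helper names (load_secrets, fingerprint, describe, MissingSecretError) are hypothetical and the sample environment is constructed.

```python
import hashlib
import os
from typing import Iterable, Mapping


class MissingSecretError(RuntimeError):
    """Raised when one or more expected secrets are absent or empty."""


def load_secrets(names: Iterable[str], environ: Mapping[str, str] = os.environ) -> dict:
    """Return {name: value} for every requested secret, or fail listing all gaps."""
    values = {name: environ.get(name, "").strip() for name in names}
    missing = sorted(name for name, value in values.items() if not value)
    if missing:
        # Only secret names go into the error message, never values.
        raise MissingSecretError("secrets not set: " + ", ".join(missing))
    return values


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix that shows which value is loaded without logging it.

    Assumes high-entropy tokens; a guessable value could be matched by its prefix.
    """
    return "sha256:" + hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]


def describe(secrets: Mapping[str, str]) -> dict:
    """Log-safe view of the loaded secrets: names mapped to fingerprints."""
    return {name: fingerprint(value) for name, value in secrets.items()}


if __name__ == "__main__":
    # Constructed sample: MY_IDENTITY_KEY was never set in this environment.
    sample_env = {"MY_API_TOKEN": "staging-token"}
    try:
        load_secrets(["MY_API_TOKEN", "MY_IDENTITY_KEY"], sample_env)
    except MissingSecretError as exc:
        print(exc)
    print(describe(load_secrets(["MY_API_TOKEN"], sample_env)))
```

Inside a fal endpoint, the same call would use the default os.environ instead of the constructed mapping.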

Accessing Secrets in Your Requirements

For security reasons, we don’t expose your secrets as environment variables during the environment building stage. Instead, you can use ${} to substitute your secret into a requirement.
import fal

class MyApp(fal.App):
    requirements = [
        "git+https://${GITHUB_TOKEN}@github.com/myorg/myproj"
    ]

Listing Secrets

You can list the secrets you have through the CLI, but the values will be hidden for security reasons.
$ fal secrets list
Name             Env   Created At
MY_API_TOKEN     main  2023-09-05 15:17:39.279347
MY_IDENTITY_KEY  main  2023-09-05 15:17:41.444478
To list secrets for a specific environment:
$ fal secrets list --env staging

Removing Secrets

To stop a secret from being present in new runs, delete it through the CLI:
$ fal secrets unset MY_API_TOKEN
To remove a secret from a specific environment:
$ fal secrets unset MY_API_TOKEN --env staging