Secrets Vault
Securely manage sensitive API keys, database credentials, and environment variables locally without saving them to the Word document XML.
The Secrets Vault stores sensitive environment variables, API keys, and credentials needed by your Python and R code locally in the browser.
Items in the Secrets Vault are not written into the Word document (.docx) XML and are not embedded in exported notebook archives. They are injected into your kernel session at runtime and remain on your device.
How it works
When working with executable documents, a common mistake is hardcoding API keys into notebook cells. Because Word documents are often shared via email, SharePoint, or client portals, embedded credentials can leak to unauthorized parties.
InkRider reduces that risk by keeping secrets separate from the document:
- Local storage: Secrets are stored in browser storage on your device under a dedicated key.
- Runtime injection: When a kernel session starts (Pyodide or an external Jupyter Server), InkRider reads the vault and injects secrets into the kernel environment (
os.environ). - Not saved in the document: When the Word file is saved or shared, secrets stay on your machine. Colleagues use their own vault for their own credentials.
This protects against accidental credential embedding in shared documents. It does not make browser storage invulnerable to malware or XSS on the same origin—treat the vault as a convenience for local development workflows, not a hardware security module.
Managing Secrets
Open the Secrets Vault from the Settings Dialog by clicking the Secrets tab (the key/password icon in the left sidebar).
Adding a New Secret
- In the Key input field, enter the environment variable name (e.g.,
OPENAI_API_KEY). Keys must be uppercase alphanumeric strings with underscores. - In the Value input field, paste your secret key or password.
- Click Add Secret. The secret is immediately encrypted/obfuscated and saved to local storage.
Modifying an Existing Secret
To update an existing secret (for example, if your API key rotated), simply re-enter the exact same Key name with the new Value and click Add Secret. The existing value will be securely overwritten.
Deleting Secrets
- Single Secret Removal: Click the trash icon next to any individual secret in the list to remove it from your local vault immediately.
- Clear All Secrets: Click the Clear All Secrets button at the bottom of the panel to purge the entire vault from your browser.
Accessing Secrets at Runtime
Once added to the Secrets Vault, your credentials are automatically available to your Python code via the standard os module.
Python Example
import os
import requests
# Retrieve the API key injected by InkRider's Secrets Vault
api_key = os.environ.get("OPENAI_API_KEY")
if not api_key:
raise ValueError("OPENAI_API_KEY is missing from the Secrets Vault!")
# Use the key securely in an external API request
headers = {
"Authorization": f"Bearer {api_key}",
"Content-Type": "application/json"
}
response = requests.post(
"https://api.openai.com/v1/chat/completions",
headers=headers,
json={"model": "gpt-4o", "messages": [{"role": "user", "content": "Summarize quarterly performance."}]}
)
R Example (via JupyterLite / External Server)
# Retrieve the API key from the environment
api_key <- Sys.getenv("OPENAI_API_KEY")
if (api_key == "") {
stop("OPENAI_API_KEY is not set in the Secrets Vault")
}
Best Practices
- Use Descriptive Key Names: Standardize key names across your team (e.g.,
PROD_DB_PASSWORD,SALESFORCE_API_TOKEN) so shared notebooks run seamlessly for any team member who has populated their local vault. - Never Print Secrets: Avoid printing
os.environor raw secret values in notebook cells, as cell outputs are stored within the document structure unless explicitly cleared. - Regular Rotation: Rotate your API keys periodically in your external provider dashboards and update them in the InkRider Secrets Vault.