Secrets management
Fused provides a built-in secrets manager to securely store and access sensitive credentials like API keys, database passwords, and tokens. There are two kinds of secrets, and both require a paid plan:
- Team secrets (fused.secrets) — scoped to your team and accessible to everyone in your team.
- User secrets (fused.user_secrets) — owned and accessible only by the authenticated user.
Storing secrets
Open the Integrations & secrets modal in Workbench:
- From the home sidebar, click Integrations & secrets under your user section.
- From inside a canvas, open the overflow menu and select Integrations & secrets.
The modal is organized into Personal integrations and Team integrations.
Each integration contains expandable rows for secrets (e.g. Google Drive, Dropbox, Notion).
To manage secrets, first expand the relevant integration row, then click Add new secret inside the expanded section.
Team secrets — fused.secrets
Team secrets are scoped to the execution environment (kernel) and shared across your team or organization. Use fused.secrets to read, write, and delete them:
import fused

@fused.udf
def udf():
    # Read the team secret at run time so the key never appears in the source.
    api_key = fused.secrets["OPENAI_API_KEY"]
    import openai
    client = openai.OpenAI(api_key=api_key)
    ...
You can also manage team secrets programmatically:
@fused.udf
def udf():
    fused.secrets["MY_KEY"] = "value"
    del fused.secrets["MY_KEY"]
    dir(fused.secrets)
User secrets — fused.user_secrets
User secrets are owned by the authenticated user.
User secrets are read-only in the SDK. To create, update, or delete user secrets, use the Workbench UI under Integrations & secrets.
@fused.udf
def udf():
    val = fused.user_secrets["MY_KEY"]
    # or
    val = fused.user_secrets.MY_KEY
    ...
To list all user secret keys:
@fused.udf
def udf():
    keys = list(fused.user_secrets)
    ...
How secrets are secured
All secrets are stored in AWS Secrets Manager, which encrypts secret values at rest and in transit.
- Team secrets are each protected by a dedicated AWS KMS encryption key. IAM policies restrict access so that only the specific execution environment that owns a secret can decrypt it.
- User secrets are encrypted at rest using AWS-managed encryption keys within Secrets Manager.
- Secrets are never written to disk in plaintext or included in logs.
- Access is authenticated and authorized through Fused's API layer — secrets are only decrypted at the moment they are read by your UDF code.
Security notes
- Team secrets added to Fused are accessible by anyone in your team.
- User secrets are private to the authenticated user.
- Never print or return secret values from UDFs — anyone calling the UDF could otherwise read them. This applies to both fused.secrets and fused.user_secrets.
- Use secrets instead of .env files to keep credentials out of your codebase.
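One way to back up the rule about never printing or returning secret values, as an added example that is not Fused's own code: a guard that scrubs the named secrets from whatever a UDF body returns or raises. The names `scrub`, `guarded`, `summarize` and `SAMPLE_STORE` are hypothetical, and a plain dict stands in for fused.secrets so the block runs offline.

```python
import functools

MASK = "[REDACTED]"

def scrub(obj, values):
    """Return a copy of obj with every secret value replaced by MASK."""
    if isinstance(obj, str):
        for v in values:
            obj = obj.replace(v, MASK)
        return obj
    if isinstance(obj, dict):
        return {scrub(k, values): scrub(v, values) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(scrub(x, values) for x in obj)
    return obj  # numbers, None, etc. pass through unchanged

def guarded(store, names):
    """Decorator: scrub the named secrets from return values and error text.

    store only needs item access (store[name]), the read form the page shows.
    """
    def wrap(fn):
        @functools.wraps(fn)
        def inner(*args, **kwargs):
            values = [v for v in (store[n] for n in names) if v]
            # Longest first, so a secret containing another is masked whole.
            values.sort(key=len, reverse=True)
            try:
                return scrub(fn(*args, **kwargs), values)
            except Exception as exc:
                # Client errors often echo the key (URL, header). "from None"
                # keeps the unscrubbed original out of the printed traceback.
                raise RuntimeError(scrub(str(exc), values)) from None
        return inner
    return wrap

# Constructed stand-in for fused.secrets; the value is a made-up sample.
SAMPLE_STORE = {"OPENAI_API_KEY": "CONSTRUCTED-sample-key-0001"}

@guarded(SAMPLE_STORE, ["OPENAI_API_KEY"])
def summarize(fail=False):
    """Hypothetical UDF body that handles a key carelessly on both paths."""
    key = SAMPLE_STORE["OPENAI_API_KEY"]
    if fail:
        raise ValueError(f"401 for https://api.example.test/v1?key={key}")
    return {"status": "ok", "debug": f"used key {key}", "rows": 3}
```

The guard only matches the literal value inside strings, lists, tuples and dicts; encoded copies of a secret or values inside other container types still need review.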
For more on writing UDFs securely, see Security best practices.