Skip to main content

Overview

LangGraph Platform integrates with LangSmith for secure secrets management. All secrets are encrypted at rest and in transit.
Never hardcode API keys in your code or commit them to git. Always use LangSmith secrets.

Quick Start

1

Set Secrets

langsmith secret set ANTHROPIC_API_KEY "sk-ant-your-key"
langsmith secret set OPENAI_API_KEY "sk-your-key"
2

Reference in Code

import os

api_key = os.environ["ANTHROPIC_API_KEY"]
3

Deploy

langgraph deploy
Secrets are automatically available to your deployment.

Setting Secrets

Via CLI

## Set a secret
langsmith secret set SECRET_NAME "secret-value"

## Set for specific deployment
langsmith secret set API_KEY "prod-key" --deployment my-agent-prod

## Set from file
langsmith secret set SSH_KEY --from-file ~/.ssh/id_rsa

## Set from environment variable
export MY_SECRET="value"
langsmith secret set MY_SECRET --from-env MY_SECRET

Via LangSmith UI

  1. Go to smith.langchain.com
  2. Navigate to Settings → Secrets
  3. Click “Add Secret”
  4. Enter name and value
  5. Save

Viewing Secrets

## List all secrets
langsmith secret list

## View secret names (values are hidden)
langsmith secret get ANTHROPIC_API_KEY
Secret values are never displayed for security. You can only set or delete secrets.

Updating Secrets

## Update a secret (overwrites existing)
langsmith secret set ANTHROPIC_API_KEY "new-key-value"

## Redeploy to use updated secret
langgraph deploy
Secret updates don’t require redeployment - they’re available immediately. However, redeploying ensures your application reloads the new values.

Deleting Secrets

## Delete a secret
langsmith secret delete OLD_API_KEY

## Force delete without confirmation
langsmith secret delete OLD_API_KEY --force

Environment-Specific Secrets

Use different secrets for each environment:
  • Development
  • Staging
  • Production
# Set dev secrets
langsmith secret set ANTHROPIC_API_KEY "dev-key" \
  --deployment my-agent-dev

langsmith secret set LANGSMITH_PROJECT "my-agent-dev" \
  --deployment my-agent-dev

Common Secrets

LLM API Keys

## Anthropic Claude
langsmith secret set ANTHROPIC_API_KEY "sk-ant-..."

## OpenAI
langsmith secret set OPENAI_API_KEY "sk-..."

## Google Gemini
langsmith secret set GOOGLE_API_KEY "..."

## Azure OpenAI
langsmith secret set AZURE_OPENAI_API_KEY "..."
langsmith secret set AZURE_OPENAI_ENDPOINT "https://..."

Authentication

## JWT secret for token signing
langsmith secret set JWT_SECRET_KEY "$(openssl rand -base64 32)"

## OAuth credentials
langsmith secret set OAUTH_CLIENT_ID "your-client-id"
langsmith secret set OAUTH_CLIENT_SECRET "your-client-secret"

Database & Services

## Database URLs
langsmith secret set DATABASE_URL "postgresql://..."

## Redis
langsmith secret set REDIS_URL "redis://..."

## S3
langsmith secret set AWS_ACCESS_KEY_ID "..."
langsmith secret set AWS_SECRET_ACCESS_KEY "..."

Accessing Secrets in Code

Secrets are available as environment variables: 
import os

## Direct access
anthropic_key = os.environ["ANTHROPIC_API_KEY"]

## With default fallback
model_name = os.environ.get("MODEL_NAME", "claude-sonnet-4-5-20250929")

## Raise error if missing
jwt_secret = os.environ["JWT_SECRET_KEY"]  # Raises KeyError if not set

## Check if exists
if "OPTIONAL_API_KEY" in os.environ:
    use_optional_feature()

With Pydantic Settings

from pydantic_settings import BaseSettings

class Settings(BaseSettings):
    anthropic_api_key: str
    openai_api_key: str
    jwt_secret_key: str
    model_name: str = "claude-sonnet-4-5-20250929"

    class Config:
        env_file = ".env"
        case_sensitive = False

settings = Settings()

Best Practices

Generate cryptographically secure secrets:
# Generate random secret
openssl rand -base64 32

# Set as secret
langsmith secret set JWT_SECRET_KEY "$(openssl rand -base64 32)"

# Generate new key
NEW_KEY=$(openssl rand -base64 32)

# Update secret
langsmith secret set JWT_SECRET_KEY "$NEW_KEY"

# Redeploy
langgraph deploy
Schedule secret rotation every 90 days.
Never share secrets between dev/staging/prod:
# Wrong: Using same key for all
langsmith secret set API_KEY "shared-key"

# Right: Different keys per environment
langsmith secret set API_KEY "dev-key" --deployment dev
langsmith secret set API_KEY "prod-key" --deployment prod
Check for required secrets at startup:
import os
import sys

REQUIRED_SECRETS = [
    "ANTHROPIC_API_KEY",
    "JWT_SECRET_KEY",
    "LANGSMITH_PROJECT"
]

missing = [s for s in REQUIRED_SECRETS if s not in os.environ]
if missing:
    print(f"Missing required secrets: {missing}")
    sys.exit(1)

import logging

# Wrong: Logging secret
logging.info(f"Using API key: {api_key}")  ❌

# Right: Log without secret
logging.info("API key loaded successfully")  ✅

# Right: Mask in logs
masked_key = api_key[:8] + "..." + api_key[-4:]
logging.debug(f"Using API key: {masked_key}")  ✅

Troubleshooting

Symptom: KeyError: 'ANTHROPIC_API_KEY'Solution:
# Verify secret exists
langsmith secret list | grep ANTHROPIC_API_KEY

# Set if missing
langsmith secret set ANTHROPIC_API_KEY "your-key"

# Redeploy
langgraph deploy
Symptom: API returns 401 UnauthorizedSolution:
# Update secret with correct value
langsmith secret set ANTHROPIC_API_KEY "correct-key"

# Redeploy (recommended)
langgraph deploy
Symptom: Production uses dev secretsSolution:
# Set secret for specific deployment
langsmith secret set API_KEY "prod-key" \
  --deployment my-agent-prod

Security Considerations

Security Checklist:
  • ✅ Never commit secrets to git
  • ✅ Use strong, randomly generated secrets
  • ✅ Rotate secrets every 90 days
  • ✅ Use different secrets per environment
  • ✅ Never log secret values
  • ✅ Validate secrets at startup
  • ✅ Use deployment-specific secrets
  • ✅ Delete unused secrets

Next Steps

Configuration

Configure your deployment

Deploy

Deploy with secrets

Monitoring

Monitor deployments

CI/CD

Automate secret management