> ## Documentation Index
> Fetch the complete documentation index at: https://mcp-server-langgraph.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets Management

> Securely manage API keys and secrets in LangGraph Platform

### Overview

LangGraph Platform integrates with LangSmith for secure secrets management. All secrets are encrypted at rest and in transit.

<Warning>
  **Never** hardcode API keys in your code or commit them to git. Always use LangSmith secrets.
</Warning>

### Quick Start

<Steps>
  <Step title="Set Secrets">
    ```bash theme={null}
    langsmith secret set ANTHROPIC_API_KEY "sk-ant-your-key"
    langsmith secret set OPENAI_API_KEY "sk-your-key"
    ```
  </Step>

  <Step title="Reference in Code">
    ```python theme={null}
    import os

    api_key = os.environ["ANTHROPIC_API_KEY"]
    ```
  </Step>

  <Step title="Deploy">
    ```bash theme={null}
    langgraph deploy
    ```

    Secrets are automatically available to your deployment.
  </Step>
</Steps>

### Setting Secrets

#### Via CLI

```bash theme={null}
## Set a secret
langsmith secret set SECRET_NAME "secret-value"

## Set for specific deployment
langsmith secret set API_KEY "prod-key" --deployment my-agent-prod

## Set from file
langsmith secret set SSH_KEY --from-file ~/.ssh/id_rsa

## Set from environment variable
export MY_SECRET="value"
langsmith secret set MY_SECRET --from-env MY_SECRET
```

#### Via LangSmith UI

1. Go to [smith.langchain.com](https://smith.langchain.com/)
2. Navigate to Settings → Secrets
3. Click "Add Secret"
4. Enter name and value
5. Save

### Viewing Secrets

```bash theme={null}
## List all secrets
langsmith secret list

## View secret names (values are hidden)
langsmith secret get ANTHROPIC_API_KEY
```

<Note>
  Secret values are never displayed for security. You can only set or delete secrets.
</Note>

### Updating Secrets

```bash theme={null}
## Update a secret (overwrites existing)
langsmith secret set ANTHROPIC_API_KEY "new-key-value"

## Redeploy to use updated secret
langgraph deploy
```

<Tip>
  Secret updates don't require redeployment - they're available immediately. However, redeploying ensures your application reloads the new values.
</Tip>

### Deleting Secrets

```bash theme={null}
## Delete a secret
langsmith secret delete OLD_API_KEY

## Force delete without confirmation
langsmith secret delete OLD_API_KEY --force
```

### Environment-Specific Secrets

Use different secrets for each environment:

<Tabs>
  <Tab title="Development">
    ```bash theme={null}
    # Set dev secrets
    langsmith secret set ANTHROPIC_API_KEY "dev-key" \
      --deployment my-agent-dev

    langsmith secret set LANGSMITH_PROJECT "my-agent-dev" \
      --deployment my-agent-dev
    ```
  </Tab>

  <Tab title="Staging">
    ```bash theme={null}
    # Set staging secrets
    langsmith secret set ANTHROPIC_API_KEY "staging-key" \
      --deployment my-agent-staging

    langsmith secret set LANGSMITH_PROJECT "my-agent-staging" \
      --deployment my-agent-staging
    ```
  </Tab>

  <Tab title="Production">
    ```bash theme={null}
    # Set production secrets
    langsmith secret set ANTHROPIC_API_KEY "prod-key" \
      --deployment my-agent-prod

    langsmith secret set LANGSMITH_PROJECT "my-agent-prod" \
      --deployment my-agent-prod
    ```
  </Tab>
</Tabs>

### Common Secrets

#### LLM API Keys

```bash theme={null}
## Anthropic Claude
langsmith secret set ANTHROPIC_API_KEY "sk-ant-..."

## OpenAI
langsmith secret set OPENAI_API_KEY "sk-..."

## Google Gemini
langsmith secret set GOOGLE_API_KEY "..."

## Azure OpenAI
langsmith secret set AZURE_OPENAI_API_KEY "..."
langsmith secret set AZURE_OPENAI_ENDPOINT "https://..."
```

#### Authentication

```bash theme={null}
## JWT secret for token signing
langsmith secret set JWT_SECRET_KEY "$(openssl rand -base64 32)"

## OAuth credentials
langsmith secret set OAUTH_CLIENT_ID "your-client-id"
langsmith secret set OAUTH_CLIENT_SECRET "your-client-secret"
```

#### Database & Services

```bash theme={null}
## Database URLs
langsmith secret set DATABASE_URL "postgresql://..."

## Redis
langsmith secret set REDIS_URL "redis://..."

## S3
langsmith secret set AWS_ACCESS_KEY_ID "..."
langsmith secret set AWS_SECRET_ACCESS_KEY "..."
```

### Accessing Secrets in Code

Secrets are available as environment variables:

```python theme={null}
import os

## Direct access
anthropic_key = os.environ["ANTHROPIC_API_KEY"]

## With default fallback
model_name = os.environ.get("MODEL_NAME", "claude-sonnet-4-5-20250929")

## Raise error if missing
jwt_secret = os.environ["JWT_SECRET_KEY"]  # Raises KeyError if not set

## Check if exists
if "OPTIONAL_API_KEY" in os.environ:
    use_optional_feature()
```

#### With Pydantic Settings

```python theme={null}
from pydantic_settings import BaseSettings

class Settings(BaseSettings):
    anthropic_api_key: str
    openai_api_key: str
    jwt_secret_key: str
    model_name: str = "claude-sonnet-4-5-20250929"

    class Config:
        env_file = ".env"
        case_sensitive = False

settings = Settings()
```

### Best Practices

<AccordionGroup>
  <Accordion title="Use Strong Secrets">
    Generate cryptographically secure secrets:

    ```bash theme={null}
    # Generate random secret
    openssl rand -base64 32

    # Set as secret
    langsmith secret set JWT_SECRET_KEY "$(openssl rand -base64 32)"
    ```
  </Accordion>

  <Accordion title="Rotate Secrets Regularly">
    ```bash theme={null}
    # Generate new key
    NEW_KEY=$(openssl rand -base64 32)

    # Update secret
    langsmith secret set JWT_SECRET_KEY "$NEW_KEY"

    # Redeploy
    langgraph deploy
    ```

    Schedule secret rotation every 90 days.
  </Accordion>

  <Accordion title="Use Deployment-Specific Secrets">
    Never share secrets between dev/staging/prod:

    ```bash theme={null}
    # Wrong: Using same key for all
    langsmith secret set API_KEY "shared-key"  ❌

    # Right: Different keys per environment
    langsmith secret set API_KEY "dev-key" --deployment dev  ✅
    langsmith secret set API_KEY "prod-key" --deployment prod  ✅
    ```
  </Accordion>

  <Accordion title="Validate Required Secrets">
    Check for required secrets at startup:

    ```python theme={null}
    import os
    import sys

    REQUIRED_SECRETS = [
        "ANTHROPIC_API_KEY",
        "JWT_SECRET_KEY",
        "LANGSMITH_PROJECT"
    ]

    missing = [s for s in REQUIRED_SECRETS if s not in os.environ]
    if missing:
        print(f"Missing required secrets: {missing}")
        sys.exit(1)
    ```
  </Accordion>

  <Accordion title="Never Log Secrets">
    ```python theme={null}
    import logging

    # Wrong: Logging secret
    logging.info(f"Using API key: {api_key}")  ❌

    # Right: Log without secret
    logging.info("API key loaded successfully")  ✅

    # Right: Mask in logs
    masked_key = api_key[:8] + "..." + api_key[-4:]
    logging.debug(f"Using API key: {masked_key}")  ✅
    ```
  </Accordion>
</AccordionGroup>

### Troubleshooting

<AccordionGroup>
  <Accordion title="Secret not found error">
    **Symptom**: `KeyError: 'ANTHROPIC_API_KEY'`

    **Solution**:

    ```bash theme={null}
    # Verify secret exists
    langsmith secret list | grep ANTHROPIC_API_KEY

    # Set if missing
    langsmith secret set ANTHROPIC_API_KEY "your-key"

    # Redeploy
    langgraph deploy
    ```
  </Accordion>

  <Accordion title="Wrong secret value">
    **Symptom**: API returns 401 Unauthorized

    **Solution**:

    ```bash theme={null}
    # Update secret with correct value
    langsmith secret set ANTHROPIC_API_KEY "correct-key"

    # Redeploy (recommended)
    langgraph deploy
    ```
  </Accordion>

  <Accordion title="Deployment-specific secret not working">
    **Symptom**: Production uses dev secrets

    **Solution**:

    ```bash theme={null}
    # Set secret for specific deployment
    langsmith secret set API_KEY "prod-key" \
      --deployment my-agent-prod
    ```
  </Accordion>
</AccordionGroup>

### Security Considerations

<Warning>
  **Security Checklist**:

  * ✅ Never commit secrets to git
  * ✅ Use strong, randomly generated secrets
  * ✅ Rotate secrets every 90 days
  * ✅ Use different secrets per environment
  * ✅ Never log secret values
  * ✅ Validate secrets at startup
  * ✅ Use deployment-specific secrets
  * ✅ Delete unused secrets
</Warning>

### Next Steps

<CardGroup cols={2}>
  <Card title="Configuration" icon="gear" href="/deployment/platform/configuration">
    Configure your deployment
  </Card>

  <Card title="Deploy" icon="rocket" href="/deployment/platform/quickstart">
    Deploy with secrets
  </Card>

  <Card title="Monitoring" icon="chart-line" href="/deployment/platform/monitoring">
    Monitor deployments
  </Card>

  <Card title="CI/CD" icon="infinity" href="/deployment/platform/ci-cd">
    Automate secret management
  </Card>
</CardGroup>
