Skip to content

Credential Injection

Credential injection lets a runtime call an approved HTTP service without storing the credential inside the runtime. Store the secret once for each tenant, then attach a runtime-scoped secret stub that injects it only for matching outbound requests.

Create or reuse a runtime:

Terminal window
runta run --name demo --cpus 2 --memory 2048

Store a credential. Use --value-env, --value-stdin, or --prompt so the secret does not appear in shell history:

Terminal window
export OPENAI_API_KEY=sk...
runta secret set openai-api-key --value-env OPENAI_API_KEY

Set a secret stub that injects the stored credential as an HTTP header when the runtime calls api.openai.com:

Terminal window
runta secret rule set \
demo \
--host api.openai.com \
--path '/v1/*' \
--secret openai-api-key \
--header Authorization \
--template 'Bearer ${credential}'

The literal ${credential} placeholder is replaced by the stored secret value at request time.