Credential Injection
Credential injection lets a runtime call an approved HTTP service without storing the credential inside the runtime. Store the secret once for each tenant, then attach a runtime-scoped secret stub that injects it only for matching outbound requests.
Create or reuse a runtime:
runta run --name demo --cpus 2 --memory 2048from runta import Runta
runta = Runta()runtime = runta.runtimes.create("demo", vcpus=2, memory_mib=2048)import { Runta } from "@runta/runta-sdk";
const runta = new Runta();const runtime = await runta.runtimes.create("demo", { vcpus: 2, memoryMib: 2048,});Store a credential. Use --value-env, --value-stdin, or --prompt so the
secret does not appear in shell history:
export OPENAI_API_KEY=sk...runta secret set openai-api-key --value-env OPENAI_API_KEYimport os
secret = runta.secrets.set("openai-api-key", os.environ["OPENAI_API_KEY"])const secret = await runta.secrets.set( "openai-api-key", process.env.OPENAI_API_KEY!,);Set a secret stub that injects the stored credential as an HTTP header when the
runtime calls api.openai.com:
runta secret rule set \ demo \ --host api.openai.com \ --path '/v1/*' \ --secret openai-api-key \ --header Authorization \ --template 'Bearer ${credential}'from runta import SecretStubConfig
stub = runtime.secrets.set_secret_stub( "https://api.openai.com", path="/v1/*", config=SecretStubConfig( credential="openai-api-key", header="Authorization", value="Bearer ${credential}", ),)const stub = await runtime.secrets.setSecretStub("https://api.openai.com", { path: "/v1/*", config: { credential: "openai-api-key", header: "Authorization", value: "Bearer ${credential}", },});The literal ${credential} placeholder is replaced by the stored secret value
at request time.