Skip to main content
There are multiple ways to pass secrets and API keys to your Kernel app:

1. Deployment environment variables

Deploy your app with secrets as environment variables. Your app can then access them at runtime. You can set environment variables in two ways:
  • --env flag: Pass individual key-value pairs directly in the command
  • --env-file flag: Load variables from a .env file
# Using --env flag for individual variables
kernel deploy my_app.ts --env OPENAI_API_KEY=sk-... --env ANTHROPIC_API_KEY=sk-ant-...

# Using --env-file to load from a file
kernel deploy my_app.ts --env-file .env

# Combine both approaches
kernel deploy my_app.ts --env-file .env --env OPENAI_API_KEY=sk-...
Then access the variables in your app: 
import Anthropic from "@anthropic-ai/sdk";
import OpenAI from "openai";

app.action('ai-action', async (ctx: KernelContext) => {
  // Access API keys from environment variables
  const anthropic = new Anthropic({
    apiKey: process.env.ANTHROPIC_API_KEY,
  });

  const openai = new OpenAI({
    apiKey: process.env.OPENAI_API_KEY,
  });

  // Use the clients...
});

2. Runtime variables

For use cases where different API keys are needed per invocation (such as platforms using end-user keys), pass the secrets at runtime using the payload parameter. Use encryption standards in your app to protect sensitive data. 
import OpenAI from "openai";

app.action('ai-action', async (ctx: KernelContext, payload) => {
  // Decrypt the API key passed at runtime
  const apiKey = decrypt(payload.encryptedApiKey);

  const openai = new OpenAI({
    apiKey: apiKey,
  });

  // Use the client with the user's API key...
});