> ## Documentation Index
> Fetch the complete documentation index at: https://tbd-6fc993ce-hypeship-scraperly-link.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets

There are multiple ways to pass secrets and API keys to your Kernel app:

## 1. Deployment environment variables

Deploy your app with secrets as [environment variables](/apps/deploy#environment-variables). Your app can then access them at runtime.

You can set environment variables in two ways:

* **`--env` flag**: Pass individual key-value pairs directly in the command
* **`--env-file` flag**: Load variables from a `.env` file

```bash theme={null}
# Using --env flag for individual variables
kernel deploy my_app.ts --env OPENAI_API_KEY=sk-... --env ANTHROPIC_API_KEY=sk-ant-...

# Using --env-file to load from a file
kernel deploy my_app.ts --env-file .env

# Combine both approaches
kernel deploy my_app.ts --env-file .env --env OPENAI_API_KEY=sk-...
```

Then access the variables in your app:

<CodeGroup>
  ```typescript TypeScript theme={null}
  import Anthropic from "@anthropic-ai/sdk";
  import OpenAI from "openai";

  app.action('ai-action', async (ctx: KernelContext) => {
    // Access API keys from environment variables
    const anthropic = new Anthropic({
      apiKey: process.env.ANTHROPIC_API_KEY,
    });

    const openai = new OpenAI({
      apiKey: process.env.OPENAI_API_KEY,
    });

    // Use the clients...
  });
  ```

  ```python Python theme={null}
  import os
  from anthropic import Anthropic
  from openai import OpenAI

  @app.action("ai-action")
  async def ai_action(ctx: KernelContext):
      # Access API keys from environment variables
      anthropic = Anthropic(
          api_key=os.environ.get("ANTHROPIC_API_KEY"),
      )

      openai = OpenAI(
          api_key=os.environ.get("OPENAI_API_KEY"),
      )

      # Use the clients...
  ```
</CodeGroup>

## 2. Runtime variables

For use cases where different API keys are needed per invocation (such as platforms using end-user keys), pass the secrets at runtime using the [payload parameter](/apps/invoke#payload-parameter).

Use encryption standards in your app to protect sensitive data.

<CodeGroup>
  ```typescript TypeScript theme={null}
  import OpenAI from "openai";

  app.action('ai-action', async (ctx: KernelContext, payload) => {
    // Decrypt the API key passed at runtime
    const apiKey = decrypt(payload.encryptedApiKey);

    const openai = new OpenAI({
      apiKey: apiKey,
    });

    // Use the client with the user's API key...
  });
  ```

  ```python Python theme={null}
  from openai import OpenAI

  @app.action("ai-action")
  async def ai_action(ctx: KernelContext, payload):
      # Decrypt the API key passed at runtime
      api_key = decrypt(payload["encryptedApiKey"])

      openai = OpenAI(
          api_key=api_key,
      )

      # Use the client with the user's API key...
  ```
</CodeGroup>