The Secrets Vault provides a secure, zero-leakage storage mechanism for sensitive environment variables, API keys (e.g., OpenAI, Anthropic, database passwords), and custom credentials needed by your Python and R code.

Unlike standard notebook cells or hardcoded variables, items stored in the Secrets Vault are never written to the Word document (.docx) XML, never embedded in exported notebook archives, and never transmitted to our backend servers.

---

Architectural Security & Zero-Leakage Guarantee

When working with executable documents, a major security risk is accidentally committing API keys or credentials directly into notebook cells. Because Word documents are frequently shared via email, SharePoint, or external client portals, hardcoded credentials can easily leak to unauthorized parties.

InkRider solves this through a strict decoupling architecture:

1. Local Storage Isolation: Secrets are stored locally within your browser's localStorage (or IndexedDB) under a dedicated, obfuscated storage key.
2. Runtime Injection: When a kernel session starts (whether Pyodide WebAssembly or an external Jupyter Server), InkRider reads the vault and injects the secrets directly into the kernel's volatile environment (os.environ).
3. Zero Persistence: When the Word document is saved, exported, or synced, the secrets remain safely behind on your local machine. If you share the document with a colleague, they will use their own local Secrets Vault to provide their own API keys.

---

Managing Secrets

Open the Secrets Vault from the Settings Dialog by clicking the Secrets tab (the key/password icon in the left sidebar).

Adding a New Secret

1. In the Key input field, enter the environment variable name (e.g., OPENAI_API_KEY). Keys must be uppercase alphanumeric strings with underscores.
2. In the Value input field, paste your secret key or password.
3. Click Add Secret. The secret is immediately encrypted/obfuscated and saved to local storage.

Modifying an Existing Secret

To update an existing secret (for example, if your API key rotated), simply re-enter the exact same Key name with the new Value and click Add Secret. The existing value will be securely overwritten.

Deleting Secrets

• Single Secret Removal: Click the trash icon next to any individual secret in the list to remove it from your local vault immediately.
• Clear All Secrets: Click the Clear All Secrets button at the bottom of the panel to purge the entire vault from your browser.

---

Accessing Secrets at Runtime

Once added to the Secrets Vault, your credentials are automatically available to your Python code via the standard os module.

Python Example

import os
import requests

# Retrieve the API key injected by InkRider's Secrets Vault
api_key = os.environ.get("OPENAI_API_KEY")

if not api_key:
    raise ValueError("OPENAI_API_KEY is missing from the Secrets Vault!")

# Use the key securely in an external API request
headers = {
    "Authorization": f"Bearer {api_key}",
    "Content-Type": "application/json"
}

response = requests.post(
    "https://api.openai.com/v1/chat/completions",
    headers=headers,
    json={"model": "gpt-4o", "messages": [{"role": "user", "content": "Summarize quarterly performance."}]}
)

R Example (via JupyterLite / External Server)

# Retrieve the API key from the environment
api_key <- Sys.getenv("OPENAI_API_KEY")

if (api_key == "") {
  stop("OPENAI_API_KEY is not set in the Secrets Vault")
}

---

Best Practices

• Use Descriptive Key Names: Standardize key names across your team (e.g., PROD_DB_PASSWORD, SALESFORCE_API_TOKEN) so shared notebooks run seamlessly for any team member who has populated their local vault.
• Never Print Secrets: Avoid printing os.environ or raw secret values in notebook cells, as cell outputs are stored within the document structure unless explicitly cleared.
• Regular Rotation: Rotate your API keys periodically in your external provider dashboards and update them in the InkRider Secrets Vault.