Secrets & environment variables
When a team shares a database or a set of keys, the sensitive values live in an encrypted vault — saved once, never shown again, and revealed only to the app that runs your code.
What gets stored
Orchid keeps three kinds of secret for a group, and only these:
- Connection credentials — the database password or service-account JSON behind a shared connection.
- Environment variables — a team’s shared keys and tokens (an API key, a bucket name) that your project runs need.
- Slack webhook URLs — the address Orchid posts a group’s notifications to.
Everything that isn’t secret — a connection’s host, port, and database name — is stored in the clear so people can see what they’re connecting to. The secret part is pulled out and locked away on its own.
Environment variables
A team can hold a set of environment variables on its Env tab (managers only). Each one is a name and a value — say STRIPE_API_KEY or S3_BUCKET. When a member runs a project the team can access, those variables are injected into the run’s environment automatically, so your code reads them with the usual os.environ['STRIPE_API_KEY'] — no one pastes a key into a notebook or keeps a private .env file in sync.
Mark a variable sensitive and it becomes write-only, just like a connection credential: you can set or replace it, but it’s never shown again on the settings page.
Anyone who can run a project the team can access reads these variables while their code runs — that’s how environment-variable injection works. Marking a value sensitive only hides it on the settings page; it does not hide it from a running notebook. Share a secret with a team only if you’d let everyone who can run the team’s projects see it.
Write-only by design
A secret in the vault is write-only. You can save it, replace it (rotate), or clear it — but no one reads it back, not even an owner. The dashboard only ever tells you whether a value is set, never what it is.
- To rotate, type a new value over the old one and save — the previous secret is overwritten.
- To clear, submit an empty value — the stored secret is removed.
- There is no “reveal” button, because the value is never returned anywhere.
How it’s protected
- Every secret is encrypted with AES-256-GCM before it’s stored.
- Secrets cannot be read back through the database at all; only Orchid’s backend service holds the key and can decrypt them.
- A value is never returned to the browser or to a web viewer. The dashboard works entirely on the “is it set?” flag.
- If the server’s encryption key isn’t configured, saving fails safely: the secret is not written at all, rather than being stored in plain text.
Delivered at run time, audited every time
So how does a teammate use a shared secret without ever seeing it? At run time the backend decrypts the value and hands it to the Orchid desktop app — a connection credential for that one query, or the team’s env vars into the run’s environment. It never lands on a web page, and it’s never shown to the person running the code.
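The write-only vault, the fail-closed save and the run-time-only decryption path above, as an added example in Go that is not Orchid’s own code. The `Vault` type, its method names and the sample values are assumptions; the design follows the page (AES-256-GCM, an “is it set?” flag with no read-back, empty value clears, no key means nothing is written):

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
type Vault struct {
	gcm     cipher.AEAD       // nil when no encryption key is configured
	records map[string][]byte // name -> nonce||ciphertext, never plaintext
}
var ErrNoKey = errors.New("vault: encryption key not configured; nothing stored")
// NewVault accepts only a 32-byte key (AES-256); anything else leaves the vault key-less.
func NewVault(key []byte) *Vault {
	v := &Vault{records: map[string][]byte{}}
	if len(key) == 32 {
		block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
		v.gcm, _ = cipher.NewGCM(block) // cannot fail for an AES block
	}
	return v
}
// Set stores, rotates (overwrites) or clears (empty value) a secret; with no key it fails closed.
func (v *Vault) Set(name, value string) error {
	if v.gcm == nil {
		return ErrNoKey // saving fails rather than writing plain text
	}
	if value == "" {
		delete(v.records, name)
		return nil
	}
	nonce := make([]byte, 12) // standard GCM nonce; fresh per write so rotation never reuses one
	rand.Read(nonce)          // crypto/rand
	// The name is associated data, so a stored record cannot be re-labelled as another variable.
	v.records[name] = v.gcm.Seal(nonce, nonce, []byte(value), []byte(name))
	return nil
}
// IsSet is all the dashboard ever learns; there is deliberately no Get.
func (v *Vault) IsSet(name string) bool { _, ok := v.records[name]; return ok }
// Inject is the only decrypting path: NAME=value pairs handed to a run's environment.
func (v *Vault) Inject() ([]string, error) {
	var env []string
	for name, rec := range v.records { // empty when no key was ever configured
		pt, err := v.gcm.Open(nil, rec[:12], rec[12:], []byte(name))
		if err != nil {
			return nil, err // tampered or mis-keyed record: inject nothing
		}
		env = append(env, name+"="+string(pt))
	}
	return env, nil
}
```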
Connection checkouts are recorded too. Each one is written to the org or team Activity log — with no secret in the record, just who, what, and when — and the Metrics tab surfaces a running connection-checkouts count so you can see how heavily a shared connection is used.
The variables on this page are team secrets, shared through the cloud and injected into team project runs. They’re separate from your own machine’s launch settings — the ORCHID_* variables and your personal model-provider API keys are configured locally; see Configuration for those.
Slack notifications
Owners and admins can wire a group’s events to a Slack channel by pasting an incoming webhook URL. That URL is treated as a write-only secret too — saved, rotated, or cleared, never displayed. A test message button lets you confirm the channel receives events before you rely on it.
Where to next
- Shared connections — set up a connection your whole team can query.
- Sharing projects — grant a project to an org or team in one move.
- Permissions — who can see, edit, and manage what.