Environment Variables and Secret Variables

When creating or configuring a Gear (Task, Jupyter Workspace), you can inject a set of environment variables in the form of variable name / variable value in the "Environment Variables" area, used to control the container's behavior — for example, passing in a token for a third-party service, a model repository address, and so on.

Each environment variable has a type, either plaintext or Secret, determined by whether the "Secret" checkbox to the right of the variable is selected. The differences between the two types are as follows:

	Plaintext variable	Secret variable
Storage	Stored in plaintext	The plaintext value cannot be read again after saving
Display	Shown in plaintext	Always shown masked (e.g. `hf••••23`)
Injection	Injected as an environment variable and written to `hyperai_params.json`	Injected only as an environment variable, not written to `hyperai_params.json`

Therefore, content you don't want others to read, such as keys and tokens, should be set to the Secret type; while content that needs to be read or recorded by your program, such as hyperparameters, can use the plaintext type.

Configuring Environment Variables

Find the "Environment Variables" area on the container's creation / configuration page:

Click "Add Environment Variable" and fill in the "Variable Name" and "Variable Value";
Choose the variable type: plaintext by default; if it is sensitive information such as a key or token, select the "Secret" checkbox to its right to set it to the Secret type;
You can add multiple variables; they are saved together with the container upon submission.

Masking and Reading of Secret Variables

Once a Secret variable is saved, the platform no longer returns its value in plaintext. Members with edit permission only ever see the masked placeholder everywhere on the page:

After masking, only the first and last 2 characters are kept, with the middle replaced by •••• (e.g. hf••••23);
When the original value is shorter than 8 characters, it is shown entirely as ••••••, so its real length is not revealed.

Members without edit permission cannot read the value at all — the API simply returns null.

The masked value is for display only and is not the variable's real value. What is injected at container runtime is always the original value saved at the time.

Handling Secrets on Restart and Clone

Whether the original Secret's real value is reused depends on whether this operation restarts the same execution or creates a new execution.

Restarting a Workspace

Starting a closed workspace again ("Quick Start" or "Update and Start"; see Restarting a Jupyter Workspace) is a continuation of the same execution, and will reuse the Secret's real value saved last time, with no need to re-enter it:

Quick Start: directly reuses the entire previous configuration; the Secret's real value is automatically backfilled by the platform on the server side.
Update and Start: Secrets are listed in masked, read-only form and reused by default. To change one, click "Replace" on that variable and enter a new value; click "Cancel Replace" to restore reusing the original value.

Clone / Create a New Execution

The following operations all generate a brand-new execution, and therefore will not carry over the original Secret's real value:

Cloning from a public tutorial or a public resource;
Cloning someone else's configuration and starting it, or cloning from AutoML;
Creating a new execution via "Continue Execution / Clone from Here" on an execution.

In these cases, the cloner cannot read the original Secret's plaintext in the first place, and the platform will not carry it over to the new execution. The page keeps the variable name and prompts "The original Secret value cannot be preserved, please enter a new value"; you need to fill in your own value for each Secret variable, or delete the variables you don't need before starting. Plaintext variables are carried over to the new execution as usual.

Changing a Variable's Type

A variable's type can be switched between plaintext and Secret:

Plaintext to Secret: just select "Secret"; the value already entered will be saved as the value of that Secret.
Secret to Plaintext: deselect "Secret". Since the saved Secret's original value can no longer be read, the original value is discarded after switching, and you need to re-enter the variable's value (the page will first show a confirmation dialog).

Limitations

OPENBAYES_ (case-insensitive) is a platform-reserved prefix and cannot be used as the name of a custom environment variable.

	Plaintext variable	Secret variable
Storage	Stored in plaintext	The plaintext value cannot be read again after saving
Display	Shown in plaintext	Always shown masked (e.g. `hf••••23`)
Injection	Injected as an environment variable and written to `hyperai_params.json`	Injected only as an environment variable, not written to `hyperai_params.json`

Configuring Environment Variables

Find the "Environment Variables" area on the container's creation / configuration page:

Click "Add Environment Variable" and fill in the "Variable Name" and "Variable Value";
Choose the variable type: plaintext by default; if it is sensitive information such as a key or token, select the "Secret" checkbox to its right to set it to the Secret type;
You can add multiple variables; they are saved together with the container upon submission.

Masking and Reading of Secret Variables

Once a Secret variable is saved, the platform no longer returns its value in plaintext. Members with edit permission only ever see the masked placeholder everywhere on the page:

After masking, only the first and last 2 characters are kept, with the middle replaced by •••• (e.g. hf••••23);
When the original value is shorter than 8 characters, it is shown entirely as ••••••, so its real length is not revealed.

Members without edit permission cannot read the value at all — the API simply returns null.

The masked value is for display only and is not the variable's real value. What is injected at container runtime is always the original value saved at the time.

Handling Secrets on Restart and Clone

Whether the original Secret's real value is reused depends on whether this operation restarts the same execution or creates a new execution.

Restarting a Workspace

Quick Start: directly reuses the entire previous configuration; the Secret's real value is automatically backfilled by the platform on the server side.
Update and Start: Secrets are listed in masked, read-only form and reused by default. To change one, click "Replace" on that variable and enter a new value; click "Cancel Replace" to restore reusing the original value.

Clone / Create a New Execution

The following operations all generate a brand-new execution, and therefore will not carry over the original Secret's real value:

Cloning from a public tutorial or a public resource;
Cloning someone else's configuration and starting it, or cloning from AutoML;
Creating a new execution via "Continue Execution / Clone from Here" on an execution.

Changing a Variable's Type

A variable's type can be switched between plaintext and Secret:

Plaintext to Secret: just select "Secret"; the value already entered will be saved as the value of that Secret.
Secret to Plaintext: deselect "Secret". Since the saved Secret's original value can no longer be read, the original value is discarded after switching, and you need to re-enter the variable's value (the page will first show a confirmation dialog).

Limitations

OPENBAYES_ (case-insensitive) is a platform-reserved prefix and cannot be used as the name of a custom environment variable.

	Plaintext variable	Secret variable
Storage	Stored in plaintext	The plaintext value cannot be read again after saving
Display	Shown in plaintext	Always shown masked (e.g. `hf••••23`)
Injection	Injected as an environment variable and written to `hyperai_params.json`	Injected only as an environment variable, not written to `hyperai_params.json`

Configuring Environment Variables

Find the "Environment Variables" area on the container's creation / configuration page:

Click "Add Environment Variable" and fill in the "Variable Name" and "Variable Value";
Choose the variable type: plaintext by default; if it is sensitive information such as a key or token, select the "Secret" checkbox to its right to set it to the Secret type;
You can add multiple variables; they are saved together with the container upon submission.

Masking and Reading of Secret Variables

Once a Secret variable is saved, the platform no longer returns its value in plaintext. Members with edit permission only ever see the masked placeholder everywhere on the page:

After masking, only the first and last 2 characters are kept, with the middle replaced by •••• (e.g. hf••••23);
When the original value is shorter than 8 characters, it is shown entirely as ••••••, so its real length is not revealed.

Members without edit permission cannot read the value at all — the API simply returns null.

The masked value is for display only and is not the variable's real value. What is injected at container runtime is always the original value saved at the time.

Handling Secrets on Restart and Clone

Whether the original Secret's real value is reused depends on whether this operation restarts the same execution or creates a new execution.

Restarting a Workspace

Quick Start: directly reuses the entire previous configuration; the Secret's real value is automatically backfilled by the platform on the server side.
Update and Start: Secrets are listed in masked, read-only form and reused by default. To change one, click "Replace" on that variable and enter a new value; click "Cancel Replace" to restore reusing the original value.

Clone / Create a New Execution

The following operations all generate a brand-new execution, and therefore will not carry over the original Secret's real value:

Cloning from a public tutorial or a public resource;
Cloning someone else's configuration and starting it, or cloning from AutoML;
Creating a new execution via "Continue Execution / Clone from Here" on an execution.

Changing a Variable's Type

A variable's type can be switched between plaintext and Secret:

Plaintext to Secret: just select "Secret"; the value already entered will be saved as the value of that Secret.
Secret to Plaintext: deselect "Secret". Since the saved Secret's original value can no longer be read, the original value is discarded after switching, and you need to re-enter the variable's value (the page will first show a confirmation dialog).

Limitations

OPENBAYES_ (case-insensitive) is a platform-reserved prefix and cannot be used as the name of a custom environment variable.

Environment Variables and Secret Variables

Configuring Environment Variables

Masking and Reading of Secret Variables

Handling Secrets on Restart and Clone

Restarting a Workspace

Clone / Create a New Execution

Changing a Variable's Type

Limitations

On this page

Environment Variables and Secret Variables

Configuring Environment Variables

Masking and Reading of Secret Variables

Handling Secrets on Restart and Clone

Restarting a Workspace

Clone / Create a New Execution

Changing a Variable's Type

Limitations

On this page

Environment Variables and Secret Variables

Configuring Environment Variables

Masking and Reading of Secret Variables

Handling Secrets on Restart and Clone

Restarting a Workspace

Clone / Create a New Execution

Changing a Variable's Type

Limitations

On this page