
# Secrets

> Providing secrets to Tensorlake functions

Secrets let you pass sensitive values to your Tensorlake functions securely, without hardcoding them in your code.

## Storing secrets

You can store secrets on Tensorlake Cloud using the CLI:

```bash
tl secrets set AWS_ACCESS_KEY=MY_AWS_ACCESS_KEY
tl secrets set OPENAI_API_KEY=MY_OPENAI_API_KEY
```

## Using secrets

Stored secrets are available as environment variables within your Tensorlake functions:

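```python
import os

from tensorlake.applications import application, function

@application()
@function(secrets=["AWS_ACCESS_KEY", "OPENAI_API_KEY"])
def my_function() -> str:
    # Each secret listed in `secrets=` is read from the environment by name.
    aws_access_key = os.environ["AWS_ACCESS_KEY"]
    openai_api_key = os.environ["OPENAI_API_KEY"]
    ...
```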

### Secrets and application deployment

When you add or update a secret used by an already deployed application, the application must be redeployed for the new secret values to take effect.

## CLI Commands

### List Secrets

List secrets that have been previously set. Values are not shown for security reasons.

```bash
$ tl secrets list

| Name        | Created At |
| ----------- | ---------- |
| SECRET_NAME | Date       |
```

### Set a Secret

Setting a secret creates it, or updates it if it already exists.

```bash
$ tl secrets set <SECRET_NAME>=<SECRET_VALUE> [<SECRET_NAME>=<SECRET_VALUE>]
```

### Unset a Secret

```bash
tl secrets unset <SECRET_NAME> [<SECRET_NAME>]
```

## Security

Secrets use envelope encryption with AES-256-GCM, providing strong confidentiality and integrity.
Each project has a dedicated Data Encryption Key (DEK) wrapped by a root Key Encryption Key (KEK) managed by AWS KMS, creating strict isolation boundaries.

Secrets remain encrypted at rest and are only decrypted in memory on dataplane machines running workflows
that require those secrets, with all communication secured through mutual TLS (mTLS).
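
The envelope scheme described above, sketched as an added example (this is not Tensorlake's implementation). It assumes the third-party `cryptography` package; the local `ROOT_KEK` standing in for the KMS-managed KEK, the `nonce || ciphertext || tag` layout, and the use of project ID and secret name as associated data are all assumptions made for illustration.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: a local 256-bit key stands in for the KMS-managed root KEK.
ROOT_KEK = AESGCM.generate_key(bit_length=256)


def _seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """AES-256-GCM encrypt; returns nonce || ciphertext || tag."""
    nonce = os.urandom(12)  # 96-bit nonce, fresh for every encryption
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def _open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Inverse of _seal; raises InvalidTag on a wrong key, AAD or tampering."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], aad)


def new_project_dek(project_id: str) -> bytes:
    """Create a per-project DEK and return it wrapped (encrypted) by the KEK."""
    dek = AESGCM.generate_key(bit_length=256)
    return _seal(ROOT_KEK, dek, project_id.encode())


def encrypt_secret(wrapped_dek: bytes, project_id: str, name: str, value: str) -> bytes:
    """Unwrap the project's DEK and encrypt one secret value with it."""
    dek = _open(ROOT_KEK, wrapped_dek, project_id.encode())
    # Binding project and secret name as AAD means a ciphertext cannot be
    # moved to another name or project without failing authentication.
    return _seal(dek, value.encode(), f"{project_id}\x00{name}".encode())


def decrypt_secret(wrapped_dek: bytes, project_id: str, name: str, blob: bytes) -> str:
    """Unwrap the DEK, then authenticate and decrypt the secret in memory."""
    dek = _open(ROOT_KEK, wrapped_dek, project_id.encode())
    return _open(dek, blob, f"{project_id}\x00{name}".encode()).decode()


def try_decrypt(wrapped_dek: bytes, project_id: str, name: str, blob: bytes):
    """Return the plaintext, or None when GCM authentication fails."""
    try:
        return decrypt_secret(wrapped_dek, project_id, name, blob)
    except InvalidTag:
        return None
```

Only the wrapped DEK and the sealed blobs would be stored at rest; a blob sealed under one project's DEK fails authentication under any other project's DEK, which is the isolation boundary the per-project key provides.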

## See Also

<CardGroup cols={2}>
  <Card title="Product Scraper Tutorial" icon="basket-shopping" href="/examples/tutorials/product-scraper">
    Tutorial that demonstrates using secrets with the OpenAI API in a deployed workflow.
  </Card>
</CardGroup>
