---
title: tb secret
meta:
  description: Manage secrets in datafiles.
---

# tb secret

Manage secrets used in datafiles, such as connection credentials. A secret consists of a name and a value.

You can add a secret to your workspace like this:

```shell
tb --cloud secret set KAFKA_USERNAME 12345
```

You can then use the secret in a datafile like this:

```tb
TYPE kafka
KAFKA_KEY {{ tb_secret("KAFKA_USERNAME", "") }}
```

In the datafile syntax, the first argument is the name of the secret, and the second is the default
value, which is used when the secret is not set.

{% callout type="caution" %}
Secrets are only replaced in your resources when you deploy. If you change a secret, you need to
deploy for the changes to take effect.
{% /callout %}  

## Environment variables

When working locally, you can store secrets in `.env.local` or `.env` files. They are loaded automatically when you run `tb dev` or `tb build`.

```
KAFKA_USERNAME=12345
KAFKA_PASSWORD=67890
```
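The following check is an added example, not part of the Tinybird CLI or its documentation. It lists `tb_secret()` calls whose default is a non-empty literal kept in a datafile, and referenced names that have no entry in `.env.local` or `.env`. The datafile extensions, the plain `NAME=value` format, and the sample project are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Tinybird code. Assumes datafiles end in .datasource, .pipe
# or .connection and that .env files hold plain NAME=value lines.

# Print "file|NAME|default" for each tb_secret("NAME"[, "default"]) under $1.
secret_refs() {
  find "$1" -type f \( -name '*.datasource' -o -name '*.pipe' \
    -o -name '*.connection' \) -exec awk '{
      line = $0
      while (match(line, /tb_secret\( *"[^"]+" *(, *"[^"]*")? *\)/)) {
        n = split(substr(line, RSTART, RLENGTH), part, "\"")
        printf "%s|%s|%s\n", FILENAME, part[2], (n >= 5 ? part[4] : "")
        line = substr(line, RSTART + RLENGTH)
      }
    }' {} + | sort
}

# References whose default is a non-empty literal stored in the datafile.
hardcoded_defaults() {
  secret_refs "$1" | awk -F'|' '$3 != ""'
}

# Names defined in $1/.env.local or $1/.env.
env_names() {
  for f in "$1/.env.local" "$1/.env"; do
    if [ -f "$f" ]; then sed -nE 's/^([A-Za-z_][A-Za-z0-9_]*)=.*/\1/p' "$f"; fi
  done
}

# Referenced names with no .env entry (they may still be set with `tb secret set`).
missing_locally() {
  defined=$(env_names "$1")
  secret_refs "$1" | cut -d'|' -f2 | sort -u | while IFS= read -r name; do
    printf '%s\n' "$defined" | grep -qxF "$name" || printf '%s\n' "$name"
  done
}

# Constructed sample project, built in a temporary directory.
make_sample() {
  dir=$(mktemp -d)
  printf '%s\n' 'TYPE kafka' 'KAFKA_KEY {{ tb_secret("KAFKA_USERNAME", "") }}' \
    'KAFKA_SECRET {{ tb_secret("KAFKA_PASSWORD", "67890") }}' \
    'KAFKA_GROUP {{ tb_secret("KAFKA_GROUP") }}' > "$dir/events.connection"
  printf 'KAFKA_USERNAME=12345\nKAFKA_PASSWORD=67890\n' > "$dir/.env.local"
  printf '%s\n' "$dir"
}

sample=$(make_sample)
hardcoded_defaults "$sample"; missing_locally "$sample"; rm -rf "$sample"
```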

## Subcommands

The following subcommands are available:

{% table %}
  * Subcommand
  * Description
  ---
  * ls
  * Lists all secrets in the project.
  ---
  * rm NAME
  * Deletes a secret.
  ---
  * set NAME [VALUE]
  * Creates or updates a secret. If the value is not provided as part of the command, you are prompted for it.
{% /table %}

## tb secret ls

Lists secrets.

{% table %}
  * Option
  * Description
  ---
  * --match TEXT
  * Retrieves any resource matching the pattern.
{% /table %}

## tb secret set

{% table %}
  * Option
  * Description
  ---
  * --multiline
  * Opens an editor to enter a multiline value.
{% /table %}

## Environment support

{% table %}
  * Environment
  * Supported
  * Description
  ---
  * `--local`
  * ✓ Yes (default)
  * Manages secrets locally. Can use `.env` files.
  ---
  * `--cloud`
  * ✓ Yes
  * Manages secrets in Tinybird Cloud.
  ---
  * `--branch=BRANCH_NAME`
  * ✓ Yes
  * Manages secrets in a branch.
{% /table %}
