Credentials & secrets

gpu-train never stores raw secrets in your registry or code. Credentials are referenced by a secret_ref URI and resolved at runtime by a matching resolver.

secret_ref schemes#

{"cred_id": "runpod-1", "provider": "runpod", "secret_ref": "env://RUNPOD_API_KEY"}

The local credential store#

Keys you enter in the dashboard (Providers → Connect, including W&B) are written to ~/.gpu-train/credentials.json — honoring GPU_TRAIN_HOME — and the file is created with chmod 600. The store:// resolver reads values back at runtime.

The schema holds per-provider fields and a wandb block:

{
  "providers": {
    "runpod": {"api_key": "...", "ssh_key_path": "~/.ssh/id_ed25519"},
    "gcp": {"service_account_json": "{...}", "project": "p", "zone": "us-central1-a"},
    "colab": {"host": "0.tcp.ngrok.io", "port": 40022, "ssh_user": "root"}
  },
  "wandb": {"api_key": "...", "project": "my-proj", "entity": "my-team"}
}

How sources merge#

When the CLI or dashboard builds its registry, credentials from the environment take precedence over the store. A provider configured via an environment variable is shown read-only in the dashboard and cannot be overwritten or deleted there — unset the env var first to manage it from the UI.

Masking & redaction#

• The dashboard's read endpoint (GET /v1/credentials) returns masked values only (last 4 characters of secrets); plaintext is never returned to the UI.
• Secrets injected into a remote job (e.g. WANDB_API_KEY) are written to owner-only (chmod 600/700) files on the rented box.
• Known injected secret values are redacted to ***redacted*** in stored and streamed logs.

See the repository's SECURITY.md for the full security model.