Secrets
Your account's Secrets hold two kinds of credentials: API keys that authenticate every SDK call and HTTP request against the Socaity backend, and Access Tokens (Docker Hub credentials) that let APIPod push your container image when you deploy your own model. Create and manage both from Account → Secrets on socaity.ai. The SDK reads SOCAITY_API_KEY and sends it as Authorization: Bearer <key>.
- Sign in at socaity.ai.
- Open Account → Secrets.
- Click Create key.
- Name the key after the service or environment it belongs to (for example
production-apporci-runner). - Copy the key now. Socaity shows the full value once and stores only a hash; you cannot recover it later.
Set SOCAITY_API_KEY in your environment, or pass it to the client on construction with api_key=.... If the key is missing or rejected by the backend, the SDK raises APIKeyError with the signup URL and the canonical env var name.
Replicate-backed models routed through Socaity reuse the same key. If you bypass Socaity and point a Replicate-direct ServiceAddress at replicate.com, the SDK reads REPLICATE_API_KEY. Note the suffix: upstream Replicate calls it REPLICATE_API_TOKEN, the Socaity SDK does not.
# .env in your project root, ignored by git
SOCAITY_API_KEY=sk_your-key-here
# Or export it for the current shell
export SOCAITY_API_KEY=sk_your-key-hereimport os
from socaity.sdk.replicate.black_forest_labs import flux_schnell
# Pass the key explicitly, or set SOCAITY_API_KEY in the environment.
# The SDK sends it as an Authorization: Bearer header.
flux = flux_schnell(api_key=os.getenv("SOCAITY_API_KEY"))
# Replicate-backed models routed through Socaity reuse the same key.
# Only direct-to-Replicate ServiceAddress objects read REPLICATE_API_KEY.
image = flux(prompt="a cat on mars").get_result()
image.save("output.webp")Environment Variables
Load keys from the environment. A hard-coded key in source is a key that ships to wherever your source ships.
Keep Out of Git
Add .env to .gitignore. For CI/CD, store the key in your platform secrets manager (GitHub Actions secrets, Vercel envs, GitLab CI variables).
One Key per Service
Issue a separate key per environment or service. If one key leaks, you revoke one blast radius, not the whole account.
Rotate Regularly
Rotate every 90 days, and immediately if a key is committed, logged, or shared outside its blast radius.
Rotate in three steps: issue a new key from the dashboard, roll SOCAITY_API_KEY on every host or CI runner that needs it, then delete the old key. Socaity keeps the old key valid until you delete it, so you can cut over without downtime.
Access Tokens are the other half of Secrets, separate from API keys. They store your Docker Hub credentials so that when you deploy your own model with APIPod, the build can push the container image to your registry. You only need them for the deploy path: calling hosted services needs only an API key. Add or remove tokens under Account → Secrets; deleting one may break deployments that rely on it.