# Executor secrets Executor secrets can be used to define additional values to be used in Sourcegraph executors. Secret values are currently only available in server-side batch changes. Use [`step.env`](/batch-changes/batch-spec-yaml-reference#stepsenv) to reference configured secrets in executions. ## How secrets work Executor secrets are defined per-feature. If you want to define a secret for server-side batch changes, create a secret for that namespace (examples of namespaces are "Code Graph" and "Batch Changes"). Secrets are [encrypted](/self-hosted/encryption) if encryption is on, and always redacted in log outputs. There are two types of secrets: - **Global secrets** These secrets are defined by an admin in the site-admin interface and will be usable by every user on the Sourcegraph instance. - **Namespaced secrets** These secrets are set either in org or user settings and are only usable by the user or org members in their respective namespaces. For example, user-specific executor secrets apply only to batch changes within the user's namespace. If you've created a server-side batch spec under an organization or a different namespace, ensure the secret is defined under `/organizations/{org-namespace}/settings/executors/secrets`. If a namespaced secret has the same name as a global secret, the namespaced secret is preferred. Examples: - Global secret `GITHUB_TOKEN` Can be used by every server-side batch change - User 1 secret `GITHUB_TOKEN` Can be used by batch changes created by user 1 in their own namespace, overwrites the global secret - Org 1 secret `GITHUB_TOKEN` Can be used by batch changes created by any org member of org 1 in the org namespace, overwrites the global secret ## Creating a new secret To create a global secret, go to **Site-admin** > **Executors/Secrets** and click **Add secret**. To create a user secret, go to your user profile from the navbar > **Settings** > **Executor secrets** and click **Add secret**. To create an org secret, go to the org profile from the navbar > **Executor secrets** and click **Add secret**. Then, fill in a name for the secret. This will be the name of the environment variable it will be accessible as. Next, fill in the secret value and hit **Add secret**. ![Create executor secret dialog](https://storage.googleapis.com/sourcegraph-assets/docs/images/batch_changes/create_executor_secret.png) ## Rotating a secret To rotate a secret or to update the secret value, go to **Executor secrets** (see [Creating a new secret](#creating-a-new-secret)). Next to the secret you want to update or rotate click on **Update**. Fill in the new value and hit **Update secret**. > Note: When updating secrets server-side batch changes execution caches that reference the secret will be invalidated. ![Update executor secret dialog](https://storage.googleapis.com/sourcegraph-assets/docs/images/batch_changes/update_executor_secret.png) ## Removing a secret To remove a secret, go to **Executor secrets** (see [Creating a new secret](#creating-a-new-secret)). Next to the secret you want to delete click on **Remove**. > Note: When removing secrets server-side batch changes execution caches that reference the secret will be invalidated. ![Remove executor secret dialog](https://storage.googleapis.com/sourcegraph-assets/docs/images/batch_changes/remove_executor_secret.png)