Provider keys stay in the vault — never in your code
AUTO EMBED resolves $red.secret.openai.api_key from the vault on every insert. Application code never sees the key.
Set the provider key once via the secrets vault. Every AUTO EMBED USING openai reads it through the typed $secret reference internally — no env var to leak, no key in source, no .env in your repo. Rotate by updating the KV; running queries pick up the new value on next call.
sql
-- Once, by an authorised principal.
SET CONFIG red.secret.openai.api_key = 'sk-...';
-- Forever after, by any service.
INSERT INTO notes (body) VALUES ($1)
WITH AUTO EMBED (body) USING openai;
-- Engine reads $red.secret.openai.api_key from vault as a typed Value.
-- Application code holds no key; logs hold no key; query plans hold no key.
-- Hybrid retrieval same way.
SEARCH HYBRID
TEXT $1 WEIGHT 0.7
KEYWORDS $2 WEIGHT 0.3
COLLECTION docs
USING openai -- vault-resolved
LIMIT $config.acme.rag.contextSize;