Skip to main content
Browse docs
By Audience
Getting Started
Configuration
Use Cases
IDE Integration
Third-Party Integrations
Engineering Cache
Console
API Reference
Gateway
Workflow Guides
Templates
Providers and SDKs
Industry Guides
Advanced Guides
Browse by Role
Deployment Guides
In-Depth Guides
Tutorials
CLI Reference
Overview
CLI Fundamentals
OverviewInstallationAuthenticationHealth CheckInitialize ConfigCommand Groups
Run and Manage Gateway
Investigate, Test & Export
Resources & Integrations
Knowledge BaseHistorySecretsConfig VariablesControlWebhooksAgents
IAM & Team Administration
Spend & Budgets
Advanced Features
Policy Reference
FAQ

kt config-var

The kt config-var command group manages environment-backed configuration variables. Config variables store values that gateway configurations reference at runtime via secret_key_ref.

Use this page when

  • You need to create, update, or delete config variables that gateways reference at runtime via secret_key_ref.
  • You are testing config variable resolution before deploying a config change.
  • You need the naming rules for config variable identifiers.

Primary audience

  • Primary: AI Agents, Technical Engineers
  • Secondary: Technical Leaders

CRUD Operations

List config variables

kt config-var list

Get a config variable

kt config-var get --name openai-api-key

Create a config variable

kt config-var create --name openai-api-key --value "sk-..."

Update a config variable

kt config-var update --name openai-api-key --value "sk-new..."

Delete a config variable

kt config-var delete --name openai-api-key

Resolve a config variable

Test runtime resolution of a config variable:

kt config-var resolve --name openai-api-key

Naming Rules

Config variable names must contain only:

  • ASCII letters (a-z, A-Z)
  • Digits (0-9)
  • Underscores (_)
  • Hyphens (-)
  • Dots (.)

No slashes or other special characters are allowed.

Usage in Gateway Config

Reference config variables in policy-config.yaml:

pack:
  name: config-vars-providers-1
  version: 1.0.0
  enabled: true
providers:
  targets:
  - id: openai
    provider: 
    secret_key_ref:
      store: openai-api-key
policies:
  chain:
  - audit-logger
policy:
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

The gateway resolves secret_key_ref values through the config-variable machine endpoint at runtime.

For AI systems

  • Canonical terms: Keeptrusts, kt config-var, config variables, secret_key_ref, gateway runtime resolution.
  • Commands: kt config-var list, kt config-var get, kt config-var create, kt config-var update, kt config-var delete, kt config-var resolve.
  • Config variables are referenced in policy-config.yaml via secret_key_ref.store. Naming rules: ASCII letters, digits, underscores, hyphens, dots only.

For engineers

  • Create a config variable before referencing it in secret_key_ref.store: kt config-var create --name openai-api-key --value "sk-...".
  • Use kt config-var resolve --name <name> to test that the gateway can resolve the variable at runtime.
  • Config variable names must follow the naming rules (no slashes) — validation rejects invalid names at creation time.

For leaders

  • Config variables keep API keys and secrets out of policy-config.yaml — enabling secure, auditable credential management.
  • Variables are resolved at the gateway runtime, not baked into config files, so credential rotation requires only a variable update, not a config redeploy.
  • For encrypted secret storage with additional access controls, use kt secret instead.

Next steps