> ## Documentation Index > Fetch the complete documentation index at: https://docs.reducto.ai/llms.txt > Use this file to discover all available pages before exploring further. # Securing Reducto > Learn how to secure on-premise Reducto deployments ## Authentication Reducto can read one or more tokens used for authenticating API calls from a file. On Kubernetes, a Secret can be mounted as a file in the `http` Pod - when this Secret is updated, Kubernetes automatically updates the mounted file using an eventually-consistent approach, allowing Reducto to reload the new value without requiring a restart. Multiple API keys can be specified by placing each key on a separate line. This enables progressive secret rotation: add the new key, roll your clients over, then remove the old key, all without downtime. ### Overview When enabled, Reducto reads the authentication secret from a mounted file specified by the `AUTH_SECRET_PATH` environment variable. This provides better security isolation and follows Kubernetes best practices for secret management. ### Setup instructions You can set up authentication using either manual secret creation or secret creation via Helm Chart. #### Option 1: Manual secret creation ##### 1. Create a Kubernetes secret First, create a Kubernetes secret containing your API key(s). For a single key: ```bash theme={null} kubectl create secret generic reducto-auth-secret \ --from-literal=secret=your-api-key-here \ --namespace reducto ``` For multiple keys (e.g., during rotation), separate them with newlines: ```bash theme={null} kubectl create secret generic reducto-auth-secret \ --from-literal=secret=$'current-key\nnew-key' \ --namespace reducto ``` ##### 2. Configure Helm values Add the following configuration to your Helm values file: ```yaml theme={null} auth: secretPath: enabled: true secretName: "reducto-auth-secret" mountPath: "/etc/auth" filename: "secret" ``` #### Option 2: Secret creation via Helm Chart ##### 1. Configure values for creation via Helm Chart Add the following configuration to your Helm values file to let the Helm chart create the secret: ```yaml theme={null} auth: secretPath: enabled: true createSecret: true apiKey: "your-api-key-here" # Must specify when createSecret is true. secretName: "reducto-auth-secret" mountPath: "/etc/auth" filename: "secret" ``` **Note**: With `createSecret: true` you must specify `apiKey` #### 2. Deploy Reducto (for both options) Deploy or upgrade your Reducto installation: ```bash theme={null} helm upgrade --install reducto oci://registry.reducto.ai/reducto-api/reducto \ --namespace reducto \ --values your-values.yaml ``` ### Configuration options | Parameter | Description | Default | | ------------------------------ | ---------------------------------------------------- | ----------------------- | | `auth.secretPath.enabled` | Enable file-based authentication | `false` | | `auth.secretPath.createSecret` | Create the Kubernetes secret | `false` | | `auth.secretPath.apiKey` | API key, must be specified when `createSecret: true` | - | | `auth.secretPath.secretName` | Name of the Kubernetes secret | `"reducto-auth-secret"` | | `auth.secretPath.mountPath` | Mount path for the secret file | `"/etc/auth"` | | `auth.secretPath.filename` | Filename within the secret | `"secret"` | ### How it works 1. When `auth.secretPath.enabled` is `true`, the Helm chart mounts the specified secret as a volume 2. The `AUTH_SECRET_PATH` environment variable is automatically set to the full file path 3. Reducto's authentication middleware reads all keys from the file (one per line) and authenticates API requests against any of them 4. The file is monitored for changes, supporting secret rotation without restarts 5. If the provided API key doesn't match any key in the file, a 401 error is returned ### Secret rotation To rotate keys without downtime: 1. Add the new key on a new line alongside the existing key 2. Update the Kubernetes secret (Reducto picks up the change automatically) 3. Migrate your clients to use the new key 4. Remove the old key from the secret