Skip to main content
Applies to:
  • Plan -
  • Deployment -

Summary

Scorer or function invocations can fail with Error: No secrets match the org configured for this deployment. Please see logs for more details. In the data plane logs, the selected AI provider credential, such as OPENAI_API_KEY, may show secret_org_id set and secret_org_name: null. This means the credential has an org UUID, but the deployment does not allowlist that UUID.

What is happening

Braintrust stores AI provider credentials as secrets. Before using one, the data plane allows it only when either:
  • secret_org_name exactly matches ORG_NAME
  • secret_org_id is included in ALLOWED_ORG_IDS
If neither condition is true, data plane logs may show:

Suggested fix

Add the organization UUID to the deployment’s allowed org list, then redeploy the affected data plane services. See Configure organization authorization.
  • For AWS deployments using Terraform module v5.8.1 or newer, set allowed_org_ids.
  • For GCP or Azure deployments using Helm chart v6.7.1 or newer, set global.allowedOrgIds.
For both settings, use a comma-separated string of Braintrust organization UUIDs with no spaces, for example:
If you are on an older deployment module or chart version, upgrade to a version that supports the allowed-org setting. For older GCP / Azure Helm charts, you can set ALLOWED_ORG_IDS directly on the API deployment with api.extraEnvVars as a temporary workaround:

How to confirm it worked

  • Re-run the failing scorer or function invocation.
  • Confirm the No secrets match the org configured... error is gone.
  • Confirm logs no longer show Filtering out secret because its org is not allowed for this deployment for that provider secret.

Notes

  • To get the org UUID, hover over the org name in the Braintrust UI and click Copy ID.
  • Keep ORG_NAME configured as-is; add the org UUID through the deployment’s allowed-org setting.