# **Recap of [Lesson 2](https://github.com/dlt-hub/dlt/blob/master/docs/education/dlt-fundamentals-course/lesson_2_dlt_sources_and_resources_create_first_dlt_pipeline.ipynb) üë©‚ÄçüíªüöÄ**

1. Used `@dlt.resource` to load and query data such as lists, dataframes, and REST API responses into DuckDB.  
2. Grouped multiple resources into a single `@dlt.source` for better organization and efficiency.  
3. Used `@dlt.transformer` to process and enrich data between resources.  

Next: We'll dive deeper into building dlt pipelines using pagination, authentication, and dlt configuration! üöÄ

---

# **Pagination & Authentication & dlt Configuration** ü§´üî©   [![Open in molab](https://marimo.io/molab-shield.svg)](https://molab.marimo.io/github/dlt-hub/dlt/blob/master/docs/education/dlt-fundamentals-course/lesson_3_pagination_and_authentication_and_dlt_configuration.py) [![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/github/dlt-hub/dlt/blob/master/docs/education/dlt-fundamentals-course/lesson_3_pagination_and_authentication_and_dlt_configuration.ipynb) [![GitHub badge](https://img.shields.io/badge/github-view_source-2b3137?logo=github)](https://github.com/dlt-hub/dlt/blob/master/docs/education/dlt-fundamentals-course/lesson_3_pagination_and_authentication_and_dlt_configuration.ipynb)



**In this lesson, you will learn how to:**
- Use pagination for REST APIs.
- Use environment variables to manage both secrets & configs.
- Add values to `secrets.toml` or `config.toml`.

To learn more about credentials, refer to the [dlt documentation](https://dlthub.com/docs/general-usage/credentials/).

In the previous lesson, we loaded data from the GitHub API to DuckDB,

In [1]:
%%capture
!pip install "dlt[duckdb]"

In [2]:
import dlt
from dlt.sources.helpers import requests
from dlt.common.typing import TDataItems


# define dlt resources
@dlt.resource
def github_events() -> TDataItems:
    url = "https://api.github.com/orgs/dlt-hub/events"
    response = requests.get(url)
    yield response.json()


# define dlt pipeline
_pipeline = dlt.pipeline(destination="duckdb")

# run dlt pipeline
load_info = _pipeline.run(github_events)
print(load_info)

# explore loaded data
_pipeline.dataset().github_events.df()

  - payload__issue__milestone
  - payload__issue__type
  - payload__issue__active_lock_reason
  - payload__issue__performed_via_github_app
  - payload__comment__performed_via_github_app
  - payload__forkee__language
  - payload__forkee__mirror_url
  - payload__forkee__license

Unless type hints are provided, these columns will not be materialized in the destination.
One way to provide type hints is to use the 'columns' argument in the '@dlt.resource' decorator.  For example:

@dlt.resource(columns={'payload__issue__milestone': {'data_type': 'text'}})



Pipeline dlt_colab_kernel_launcher load step completed in 0.62 seconds
1 load package(s) were loaded to destination duckdb and into dataset dlt_colab_kernel_launcher_dataset
The duckdb destination used duckdb:////content/dlt_colab_kernel_launcher.duckdb location to store data
Load package 1769049325.9172785 is LOADED and contains no failed jobs


Unnamed: 0,id,type,actor__id,actor__login,actor__display_login,actor__gravatar_id,actor__url,actor__avatar_url,repo__id,repo__name,...,payload__comment__commit_id,payload__comment__original_commit_id,payload__comment__pull_request_url,payload__comment___links__self__href,payload__comment___links__html__href,payload__comment___links__pull_request__href,payload__comment__original_position,payload__comment__position,payload__comment__subject_type,payload__issue__pull_request__merged_at
0,5976295863,IssueCommentEvent,37356882,rory-data,rory-data,,https://api.github.com/users/rory-data,https://avatars.githubusercontent.com/u/37356882?,452221115,dlt-hub/dlt,...,,,,,,,,,,NaT
1,5974408503,WatchEvent,9116773,azaricstefan,azaricstefan,,https://api.github.com/users/azaricstefan,https://avatars.githubusercontent.com/u/9116773?,452221115,dlt-hub/dlt,...,,,,,,,,,,NaT
2,5972705076,WatchEvent,48696302,mengeziml,mengeziml,,https://api.github.com/users/mengeziml,https://avatars.githubusercontent.com/u/48696302?,452221115,dlt-hub/dlt,...,,,,,,,,,,NaT
3,7694766714,PushEvent,25770064,ivasio,ivasio,,https://api.github.com/users/ivasio,https://avatars.githubusercontent.com/u/25770064?,452221115,dlt-hub/dlt,...,,,,,,,,,,NaT
4,5971675841,IssueCommentEvent,25770064,ivasio,ivasio,,https://api.github.com/users/ivasio,https://avatars.githubusercontent.com/u/25770064?,452221115,dlt-hub/dlt,...,,,,,,,,,,NaT
5,5971655203,IssuesEvent,25770064,ivasio,ivasio,,https://api.github.com/users/ivasio,https://avatars.githubusercontent.com/u/25770064?,452221115,dlt-hub/dlt,...,,,,,,,,,,NaT
6,5971654822,IssueCommentEvent,25770064,ivasio,ivasio,,https://api.github.com/users/ivasio,https://avatars.githubusercontent.com/u/25770064?,452221115,dlt-hub/dlt,...,,,,,,,,,,NaT
7,5971479618,IssueCommentEvent,73139402,cloudflare-workers-and-pages[bot],cloudflare-workers-and-pages,,https://api.github.com/users/cloudflare-worker...,https://avatars.githubusercontent.com/u/73139402?,452221115,dlt-hub/dlt,...,,,,,,,,,,NaT
8,5971401117,PullRequestEvent,25770064,ivasio,ivasio,,https://api.github.com/users/ivasio,https://avatars.githubusercontent.com/u/25770064?,452221115,dlt-hub/dlt,...,,,,,,,,,,NaT
9,7694252319,CreateEvent,25770064,ivasio,ivasio,,https://api.github.com/users/ivasio,https://avatars.githubusercontent.com/u/25770064?,452221115,dlt-hub/dlt,...,,,,,,,,,,NaT


You may notice we received only one page ‚Äî just 30 records ‚Äî even though this endpoint has many more.

To fetch everything, enable pagination: many APIs (like GitHub) return results in pages and limit how much you can retrieve per request, so paginating lets you iterate through all pages to collect the full dataset.

![Lesson_3_Pagination_%26_Authentication_%26_dlt_Configuration_img1](https://storage.googleapis.com/dlt-blog-images/dlt-fundamentals-course/Lesson_3_Pagination_%26_Authentication_%26_dlt_Configuration_img1.webp)

---
## **Pagination**

GitHub provides excellent documentation, making it easy to find the relevant section on [Pagination.](https://docs.github.com/en/rest/using-the-rest-api/using-pagination-in-the-rest-api?apiVersion=2022-11-28)

It explains that:

>You can use the `Link` header from the response to request additional pages of data.

>The `Link` header contains URLs that let you fetch other pages of results ‚Äî for example, the previous, next, first, and last pages.

**GitHub API Pagination Example**

The GitHub API provides the `per_page` and `page` query parameters:

* `per_page`: The number of records per page (up to 100).
* `page`: The page number to retrieve.

In [3]:
response = requests.get("https://api.github.com/orgs/dlt-hub/events?per_page=10&page=1")
response.headers

{'Date': 'Thu, 22 Jan 2026 02:38:03 GMT', 'Content-Type': 'application/json; charset=utf-8', 'Cache-Control': 'public, max-age=300, s-maxage=300', 'Vary': 'Accept,Accept-Encoding, Accept, X-Requested-With', 'ETag': 'W/"378475f97bfd08ed2208c084b3a14e067c7d5c182a005c1aa1c25de346e5a2f2"', 'Last-Modified': 'Thu, 22 Jan 2026 02:04:05 GMT', 'X-Poll-Interval': '60', 'X-GitHub-Media-Type': 'github.v3; format=json', 'Link': '<https://api.github.com/organizations/89419010/events?per_page=10&page=2>; rel="next", <https://api.github.com/organizations/89419010/events?per_page=10&page=30>; rel="last"', 'x-github-api-version-selected': '2022-11-28', 'Access-Control-Expose-Headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset', 'Access-Control-Allow-Origin': '*', '

Got it! We can see the `Link` field in the response headers. Alternatively, you can access it directly using `response.links`:

In [4]:
response = requests.get("https://api.github.com/orgs/dlt-hub/events?per_page=10&page=1")
response.links

{'next': {'url': 'https://api.github.com/organizations/89419010/events?per_page=10&page=2',
  'rel': 'next'},
 'last': {'url': 'https://api.github.com/organizations/89419010/events?per_page=10&page=30',
  'rel': 'last'}}

### **dlt RESTClient**

Now that we know how pagination works conceptually, let‚Äôs see how to implement it efficiently!

When working with APIs, you could implement pagination using only Python and the `requests` library. While this approach works, it often requires writing boilerplate code for tasks like managing authentication, constructing URLs, and handling pagination logic.

Learn more about building pagination with Python and `requests`:

* [Link 1](https://farnamdata.com/api-pagination)

* [Link 2](https://www.klamp.io/blog/python-requests-pagination-for-efficient-data-retrieval)

**But!** In this lesson, we‚Äôre going to use dlt's **[RESTClient](https://dlthub.com/docs/general-usage/http/rest-client)** to handle pagination seamlessly when working with REST APIs like GitHub.


**Why use RESTClient?**

RESTClient is part of dlt's helpers, making it easier to interact with REST APIs by managing repetitive tasks such as:

* Authentication
* Query parameter handling
* Pagination

This reduces boilerplate code and lets you focus on your data pipeline logic.

**Here‚Äôs how to fetch paginated data:**
1. Import `RESTClient`
2. Create a `RESTClient` instance
3. Use the `paginate` method to iterate through all pages of data

In [5]:
from dlt.sources.helpers.rest_client import RESTClient


client = RESTClient(
    base_url="https://api.github.com",
)

for page in client.paginate("orgs/dlt-hub/events"):
    print(page)

[{'id': '7648003607', 'type': 'PushEvent', 'actor': {'id': 22517436, 'login': 'tetelio', 'display_login': 'tetelio', 'gravatar_id': '', 'url': 'https://api.github.com/users/tetelio', 'avatar_url': 'https://avatars.githubusercontent.com/u/22517436?'}, 'repo': {'id': 452221115, 'name': 'dlt-hub/dlt', 'url': 'https://api.github.com/repos/dlt-hub/dlt'}, 'payload': {'repository_id': 452221115, 'push_id': 29943314017, 'ref': 'refs/heads/feat/faster-testing', 'head': '87587656b294558d457c53a20d33cb62d77b43fa', 'before': 'e9337e501ce41458ed18cd41c99ec84dc7bdf64e'}, 'public': True, 'created_at': '2026-01-20T15:00:41Z', 'org': {'id': 89419010, 'login': 'dlt-hub', 'gravatar_id': '', 'url': 'https://api.github.com/orgs/dlt-hub', 'avatar_url': 'https://avatars.githubusercontent.com/u/89419010?'}}, {'id': '7647810633', 'type': 'PushEvent', 'actor': {'id': 1155738, 'login': 'sh-rp', 'display_login': 'sh-rp', 'gravatar_id': '', 'url': 'https://api.github.com/users/sh-rp', 'avatar_url': 'https://avatar

‚òùÔ∏è The pagination type was detected automatically, but you can also specify it explicitly:

In [6]:
from dlt.sources.helpers.rest_client.paginators import HeaderLinkPaginator

client = RESTClient(
    base_url="https://api.github.com",
    paginator=HeaderLinkPaginator(),
)

The full list of available paginators is in the official [dlt documentation](https://dlthub.com/docs/general-usage/http/rest-client#paginators).


![Lesson_3_Pagination_%26_Authentication_%26_dlt_Configuration_img2](https://storage.googleapis.com/dlt-blog-images/dlt-fundamentals-course/Lesson_3_Pagination_%26_Authentication_%26_dlt_Configuration_img2.png)

The events endpoint doesn‚Äôt contain as much data, especially compared to the stargazers endpoint of the dlt repository.

If you run the pipeline for the stargazers endpoint, there's a high chance that you'll face a **rate limit error**.

In [7]:
for page in client.paginate("repos/dlt-hub/dlt/stargazers"):
    print(page)

[{'login': 'lalitpagaria', 'id': 19303690, 'node_id': 'MDQ6VXNlcjE5MzAzNjkw', 'avatar_url': 'https://avatars.githubusercontent.com/u/19303690?v=4', 'gravatar_id': '', 'url': 'https://api.github.com/users/lalitpagaria', 'html_url': 'https://github.com/lalitpagaria', 'followers_url': 'https://api.github.com/users/lalitpagaria/followers', 'following_url': 'https://api.github.com/users/lalitpagaria/following{/other_user}', 'gists_url': 'https://api.github.com/users/lalitpagaria/gists{/gist_id}', 'starred_url': 'https://api.github.com/users/lalitpagaria/starred{/owner}{/repo}', 'subscriptions_url': 'https://api.github.com/users/lalitpagaria/subscriptions', 'organizations_url': 'https://api.github.com/users/lalitpagaria/orgs', 'repos_url': 'https://api.github.com/users/lalitpagaria/repos', 'events_url': 'https://api.github.com/users/lalitpagaria/events{/privacy}', 'received_events_url': 'https://api.github.com/users/lalitpagaria/received_events', 'type': 'User', 'user_view_type': 'public', '

HTTPError: 403 Client Error: rate limit exceeded for url: https://api.github.com/repositories/452221115/stargazers?page=59

### **Exercise 1: Pagination with RESTClient**
Explore the cells above and answer the question below.
#### Question
What type of pagination should we use for the GitHub API?

---
## **Authentication**

To avoid the **rate limit error** you can use [GitHub API Authentication](https://docs.github.com/en/rest/authentication/authenticating-to-the-rest-api?apiVersion=2022-11-28):

1. Login to your GitHub account.
2. Generate an [API token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) (classic).
2.  Use it as an access token for the GitHub API.

> **! ATTENTION !**
> Never share your credentials publicly and never hard-code them in your code. Use **environment variables, files** or dlt's **secrets.toml**.

Create an environment variable for your access token in Colab.

![Lesson_3_Pagination_%26_Authentication_%26_dlt_Configuration_img3](https://storage.googleapis.com/dlt-blog-images/dlt-fundamentals-course/Lesson_3_Pagination_%26_Authentication_%26_dlt_Configuration_img3.webp)

In Molab, simply click on the `Secrets` section in the left-side menu and add your access token.

In [8]:
import os
from google.colab import userdata

access_token = userdata.get("SECRET_KEY")

Use the `access_token` variable in the code below:

In [9]:
from dlt.sources.helpers.rest_client.auth import BearerTokenAuth


client = RESTClient(
    base_url="https://api.github.com",
    auth=BearerTokenAuth(token=access_token),
)

for page in client.paginate("repos/dlt-hub/dlt/stargazers"):
    print(page)
    break

[{'login': 'lalitpagaria', 'id': 19303690, 'node_id': 'MDQ6VXNlcjE5MzAzNjkw', 'avatar_url': 'https://avatars.githubusercontent.com/u/19303690?v=4', 'gravatar_id': '', 'url': 'https://api.github.com/users/lalitpagaria', 'html_url': 'https://github.com/lalitpagaria', 'followers_url': 'https://api.github.com/users/lalitpagaria/followers', 'following_url': 'https://api.github.com/users/lalitpagaria/following{/other_user}', 'gists_url': 'https://api.github.com/users/lalitpagaria/gists{/gist_id}', 'starred_url': 'https://api.github.com/users/lalitpagaria/starred{/owner}{/repo}', 'subscriptions_url': 'https://api.github.com/users/lalitpagaria/subscriptions', 'organizations_url': 'https://api.github.com/users/lalitpagaria/orgs', 'repos_url': 'https://api.github.com/users/lalitpagaria/repos', 'events_url': 'https://api.github.com/users/lalitpagaria/events{/privacy}', 'received_events_url': 'https://api.github.com/users/lalitpagaria/received_events', 'type': 'User', 'user_view_type': 'public', '

Let's rewrite our GitHub dlt pipeline using the RestAPI Client and the `access_token`.

In [10]:
import dlt
from dlt.sources.helpers.rest_client import RESTClient
from dlt.sources.helpers.rest_client.auth import BearerTokenAuth


# define new resource - github stargazers
@dlt.resource
def github_stargazers() -> TDataItems:
    client = RESTClient(
        base_url="https://api.github.com", auth=BearerTokenAuth(token=access_token)
    )

    for page in client.paginate("repos/dlt-hub/dlt/stargazers"):
        yield page


# define new dlt pipeline
_pipeline = dlt.pipeline(destination="duckdb")


# run the pipeline with the new resource
load_info = _pipeline.run(github_stargazers)
print(load_info)


# explore loaded data
_pipeline.dataset().github_stargazers.df()

Pipeline dlt_colab_kernel_launcher load step completed in 2.36 seconds
1 load package(s) were loaded to destination duckdb and into dataset dlt_colab_kernel_launcher_dataset
The duckdb destination used duckdb:////content/dlt_colab_kernel_launcher.duckdb location to store data
Load package 1769050057.2045527 is LOADED and contains no failed jobs


Unnamed: 0,login,id,node_id,avatar_url,gravatar_id,url,html_url,followers_url,following_url,gists_url,...,subscriptions_url,organizations_url,repos_url,events_url,received_events_url,type,user_view_type,site_admin,_dlt_load_id,_dlt_id
0,lalitpagaria,19303690,MDQ6VXNlcjE5MzAzNjkw,https://avatars.githubusercontent.com/u/193036...,,https://api.github.com/users/lalitpagaria,https://github.com/lalitpagaria,https://api.github.com/users/lalitpagaria/foll...,https://api.github.com/users/lalitpagaria/foll...,https://api.github.com/users/lalitpagaria/gist...,...,https://api.github.com/users/lalitpagaria/subs...,https://api.github.com/users/lalitpagaria/orgs,https://api.github.com/users/lalitpagaria/repos,https://api.github.com/users/lalitpagaria/even...,https://api.github.com/users/lalitpagaria/rece...,User,public,False,1769050057.2045527,hBT4645DF3OPvA
1,nikivdev,6391776,MDQ6VXNlcjYzOTE3NzY=,https://avatars.githubusercontent.com/u/639177...,,https://api.github.com/users/nikivdev,https://github.com/nikivdev,https://api.github.com/users/nikivdev/followers,https://api.github.com/users/nikivdev/followin...,https://api.github.com/users/nikivdev/gists{/g...,...,https://api.github.com/users/nikivdev/subscrip...,https://api.github.com/users/nikivdev/orgs,https://api.github.com/users/nikivdev/repos,https://api.github.com/users/nikivdev/events{/...,https://api.github.com/users/nikivdev/received...,User,public,False,1769050057.2045527,eotWAhbWkF2W+g
2,gerrykou,13572514,MDQ6VXNlcjEzNTcyNTE0,https://avatars.githubusercontent.com/u/135725...,,https://api.github.com/users/gerrykou,https://github.com/gerrykou,https://api.github.com/users/gerrykou/followers,https://api.github.com/users/gerrykou/followin...,https://api.github.com/users/gerrykou/gists{/g...,...,https://api.github.com/users/gerrykou/subscrip...,https://api.github.com/users/gerrykou/orgs,https://api.github.com/users/gerrykou/repos,https://api.github.com/users/gerrykou/events{/...,https://api.github.com/users/gerrykou/received...,User,public,False,1769050057.2045527,tMFnzl/E4bHLvg
3,jdmonty,3614077,MDQ6VXNlcjM2MTQwNzc=,https://avatars.githubusercontent.com/u/361407...,,https://api.github.com/users/jdmonty,https://github.com/jdmonty,https://api.github.com/users/jdmonty/followers,https://api.github.com/users/jdmonty/following...,https://api.github.com/users/jdmonty/gists{/gi...,...,https://api.github.com/users/jdmonty/subscript...,https://api.github.com/users/jdmonty/orgs,https://api.github.com/users/jdmonty/repos,https://api.github.com/users/jdmonty/events{/p...,https://api.github.com/users/jdmonty/received_...,User,public,False,1769050057.2045527,VDLUyM8n8Fmihg
4,alexeygrigorev,875246,MDQ6VXNlcjg3NTI0Ng==,https://avatars.githubusercontent.com/u/875246...,,https://api.github.com/users/alexeygrigorev,https://github.com/alexeygrigorev,https://api.github.com/users/alexeygrigorev/fo...,https://api.github.com/users/alexeygrigorev/fo...,https://api.github.com/users/alexeygrigorev/gi...,...,https://api.github.com/users/alexeygrigorev/su...,https://api.github.com/users/alexeygrigorev/orgs,https://api.github.com/users/alexeygrigorev/repos,https://api.github.com/users/alexeygrigorev/ev...,https://api.github.com/users/alexeygrigorev/re...,User,public,False,1769050057.2045527,gddwoZX5E0RglQ
...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...,...
4810,KevinGarrison,94624144,U_kgDOBaPZkA,https://avatars.githubusercontent.com/u/946241...,,https://api.github.com/users/KevinGarrison,https://github.com/KevinGarrison,https://api.github.com/users/KevinGarrison/fol...,https://api.github.com/users/KevinGarrison/fol...,https://api.github.com/users/KevinGarrison/gis...,...,https://api.github.com/users/KevinGarrison/sub...,https://api.github.com/users/KevinGarrison/orgs,https://api.github.com/users/KevinGarrison/repos,https://api.github.com/users/KevinGarrison/eve...,https://api.github.com/users/KevinGarrison/rec...,User,public,False,1769050057.2045527,8UgK6FDh9534Vw
4811,Doemsdagding,164404639,U_kgDOCcydnw,https://avatars.githubusercontent.com/u/164404...,,https://api.github.com/users/Doemsdagding,https://github.com/Doemsdagding,https://api.github.com/users/Doemsdagding/foll...,https://api.github.com/users/Doemsdagding/foll...,https://api.github.com/users/Doemsdagding/gist...,...,https://api.github.com/users/Doemsdagding/subs...,https://api.github.com/users/Doemsdagding/orgs,https://api.github.com/users/Doemsdagding/repos,https://api.github.com/users/Doemsdagding/even...,https://api.github.com/users/Doemsdagding/rece...,User,public,False,1769050057.2045527,grKdmL8mLNjHjw
4812,daruoktab,93104544,U_kgDOBYypoA,https://avatars.githubusercontent.com/u/931045...,,https://api.github.com/users/daruoktab,https://github.com/daruoktab,https://api.github.com/users/daruoktab/followers,https://api.github.com/users/daruoktab/followi...,https://api.github.com/users/daruoktab/gists{/...,...,https://api.github.com/users/daruoktab/subscri...,https://api.github.com/users/daruoktab/orgs,https://api.github.com/users/daruoktab/repos,https://api.github.com/users/daruoktab/events{...,https://api.github.com/users/daruoktab/receive...,User,public,False,1769050057.2045527,98AjKiDFndKdRg
4813,mengeziml,48696302,MDQ6VXNlcjQ4Njk2MzAy,https://avatars.githubusercontent.com/u/486963...,,https://api.github.com/users/mengeziml,https://github.com/mengeziml,https://api.github.com/users/mengeziml/followers,https://api.github.com/users/mengeziml/followi...,https://api.github.com/users/mengeziml/gists{/...,...,https://api.github.com/users/mengeziml/subscri...,https://api.github.com/users/mengeziml/orgs,https://api.github.com/users/mengeziml/repos,https://api.github.com/users/mengeziml/events{...,https://api.github.com/users/mengeziml/receive...,User,public,False,1769050057.2045527,amNiDTkulEoUbA


You can see that all dlt [stargazers](https://github.com/dlt-hub/dlt/stargazers) were loaded into the DuckDB destination.

---
## **dlt configuration and secrets**

In dlt, [configurations and secrets](https://dlthub.com/docs/general-usage/credentials/) are essential for setting up data pipelines.

**Configurations** are **non-sensitive** settings that define the behavior of a data pipeline, including file paths, database hosts, timeouts, API URLs, and performance settings.

On the other hand, **secrets** are **sensitive** data like passwords, API keys, and private keys, which should never be hard-coded to avoid security risks.

Both can be set up in various ways:

* As environment variables
* Within code using `dlt.secrets` and `dlt.config`
* Via configuration files (`secrets.toml` and `config.toml`)

> **Note**: While you can store both configurations and credentials in `dlt.secrets` (or `secrets.toml`) if that‚Äôs more convenient, credentials cannot be placed in `dlt.config` (or `config.toml`) because dlt does not read them from there.

Let's create a dlt pipeline for both endpoints: `repos/dlt-hub/dlt/stargazers` and `orgs/dlt-hub/events`.

We'll use `@dlt.source` to group both resources.

In [11]:
from typing import Iterable
import dlt
from dlt.extract import DltResource
from dlt.sources.helpers import requests
from dlt.sources.helpers.rest_client import RESTClient
from dlt.sources.helpers.rest_client.auth import BearerTokenAuth


@dlt.source
def github_source() -> Iterable[DltResource]:
    client = RESTClient(
        base_url="https://api.github.com", auth=BearerTokenAuth(token=access_token)
    )

    @dlt.resource
    def github_events() -> TDataItems:
        for page in client.paginate("orgs/dlt-hub/events"):
            yield page

    @dlt.resource
    def github_stargazers() -> TDataItems:
        for page in client.paginate("repos/dlt-hub/dlt/stargazers"):
            yield page

    return github_events, github_stargazers

Now, we'll use `dlt.secrets.value` in our source, enabling dlt's automatic secrets resolution. Note that we first reset all environment variables to demonstrate what happens if dlt tries to resolve a non-existing variable:



In [None]:
os.environ.clear()

In [None]:
from typing import Iterable
import dlt
from dlt.extract import DltResource
from dlt.sources.helpers.rest_client import RESTClient
from dlt.sources.helpers.rest_client.auth import BearerTokenAuth
from dlt.common.typing import TDataItems


@dlt.source
def github_source(
    access_token=dlt.secrets.value,
) -> Iterable[DltResource]:
    client = RESTClient(
        base_url="https://api.github.com", auth=BearerTokenAuth(token=access_token)
    )

    @dlt.resource
    def github_events() -> TDataItems:
        for page in client.paginate("orgs/dlt-hub/events"):
            yield page

    @dlt.resource
    def github_stargazers() -> TDataItems:
        for page in client.paginate("repos/dlt-hub/dlt/stargazers"):
            yield page

    return github_events, github_stargazers

> Configs are defined in a similar way but are accessed using `dlt.config.value`. However, since configuration variables are internally managed by `dlt`, it is unlikely that you would need to explicitly use `dlt.config.value` in most cases.

If you now run the pipeline, you will see the following error:

In [12]:
# define new dlt pipeline
_pipeline = dlt.pipeline(destination="duckdb")


# run the pipeline with the new resource
load_info = _pipeline.run(github_source())
print(load_info)

  - payload__issue__milestone
  - payload__issue__type
  - payload__issue__active_lock_reason
  - payload__issue__performed_via_github_app
  - payload__comment__performed_via_github_app
  - payload__forkee__language
  - payload__forkee__mirror_url
  - payload__forkee__license

Unless type hints are provided, these columns will not be materialized in the destination.
One way to provide type hints is to use the 'columns' argument in the '@dlt.resource' decorator.  For example:

@dlt.resource(columns={'payload__issue__milestone': {'data_type': 'text'}})



Pipeline dlt_colab_kernel_launcher load step completed in 5.32 seconds
2 load package(s) were loaded to destination duckdb and into dataset dlt_colab_kernel_launcher_dataset
The duckdb destination used duckdb:////content/dlt_colab_kernel_launcher.duckdb location to store data
Load package 1769050194.927958 is LOADED and contains no failed jobs
Load package 1769050235.6786647 is LOADED and contains no failed jobs


That‚Äôs what happens when you use `dlt.secrets.value` for a variable in your pipeline but haven‚Äôt actually set the secret value.

When this occurs, dlt searches for the missing secret across different possible locations and naming formats, as shown below:

```python
ConfigFieldMissingException: Following fields are missing: ['access_token'] in configuration with spec GithubSourceConfiguration
	for field "access_token" config providers and keys were tried in following order:
		In Environment Variables key DLT_COLAB_KERNEL_LAUNCHER__SOURCES____MAIN____GITHUB_SOURCE__ACCESS_TOKEN was not found.
		In Environment Variables key DLT_COLAB_KERNEL_LAUNCHER__SOURCES____MAIN____ACCESS_TOKEN was not found.
		In Environment Variables key DLT_COLAB_KERNEL_LAUNCHER__SOURCES__ACCESS_TOKEN was not found.
		In Environment Variables key DLT_COLAB_KERNEL_LAUNCHER__ACCESS_TOKEN was not found.
		In Environment Variables key SOURCES____MAIN____GITHUB_SOURCE__ACCESS_TOKEN was not found.
		In Environment Variables key SOURCES____MAIN____ACCESS_TOKEN was not found.
		In Environment Variables key SOURCES__ACCESS_TOKEN was not found.
		In Environment Variables key ACCESS_TOKEN was not found.
WARNING: dlt looks for .dlt folder in your current working directory and your cwd (/content) is different from directory of your pipeline script (/usr/local/lib/python3.10/dist-packages).
If you keep your secret files in the same folder as your pipeline script but run your script from some other folder, secrets/configs will not be found
Please refer to https://dlthub.com/docs/general-usage/credentials for more information
```

To define the `access_token` secret value, we can use (as mentioned earlier):

1. `dlt.secrets` in code (recommended for secret vaults or dynamic creds)
2. Environment variables (recommended for prod)
3. `secrets.toml` file (recommended for local dev)

### **Use `dlt.secrets` in code**

You can easily set or update your secrets directly in Python code. This is especially convenient when retrieving credentials from third-party secret managers or when you need to update secrets and configurations dynamically.

In [13]:
from google.colab import userdata

dlt.secrets["access_token"] = userdata.get("SECRET_KEY")

# define new dlt pipeline
github_pipeline = dlt.pipeline(destination="duckdb")

# run the pipeline with the new resource
load_info = github_pipeline.run(github_source())
print(load_info)

  - payload__issue__milestone
  - payload__issue__active_lock_reason
  - payload__issue__performed_via_github_app
  - payload__forkee__language
  - payload__forkee__mirror_url

Unless type hints are provided, these columns will not be materialized in the destination.
One way to provide type hints is to use the 'columns' argument in the '@dlt.resource' decorator.  For example:

@dlt.resource(columns={'payload__issue__milestone': {'data_type': 'text'}})



Pipeline dlt_colab_kernel_launcher load step completed in 5.50 seconds
1 load package(s) were loaded to destination duckdb and into dataset dlt_colab_kernel_launcher_dataset
The duckdb destination used duckdb:////content/dlt_colab_kernel_launcher.duckdb location to store data
Load package 1769050278.968254 is LOADED and contains no failed jobs


Alternatively, you can set:

```python
dlt.secrets["sources.access_token"] = userdata.get('SECRET_KEY')
dlt.secrets["sources.____main____.access_token"] = userdata.get('SECRET_KEY')
dlt.secrets["sources.____main____.github_source.access_token"] = userdata.get('SECRET_KEY')
...
```

* `sources` is a special word;

* `__main__` is a python module name;

* `github_source` is the resource name;

* `access_token` is the secret variable name.


So dlt looks for secrets according to this hierarchy:
```
pipeline_name
    |
    |-sources
        |
        |-<module name>
            |  
            |-<source function 1 name>
                |
                |- secret variable 1
                |- secret variable 2
```

To keep the **naming convention** flexible, dlt looks for a lot of **possible combinations** of key names, starting from the most specific possible path. Then, if the value is not found, it removes the right-most section and tries again.


### **Exercise 2: Run a pipeline with `dlt.secrets.value`**

Explore the cells above and answer the question below using `sql_client`.

#### Question

Who has id=`17202864` in the `stargazers` table? Use `sql_client`.

###  **Use environment variables**

Let's explicitly set the environment variable for our access token in one of the formats dlt accepts: `ACCESS_TOKEN`.


In [14]:
from google.colab import userdata

os.environ["ACCESS_TOKEN"] = userdata.get("SECRET_KEY")

# define new dlt pipeline
_pipeline = dlt.pipeline(destination="duckdb")


# run the pipeline with the new resource
load_info = _pipeline.run(github_source())
print(load_info)

  - payload__issue__milestone
  - payload__issue__active_lock_reason
  - payload__issue__performed_via_github_app
  - payload__forkee__language
  - payload__forkee__mirror_url

Unless type hints are provided, these columns will not be materialized in the destination.
One way to provide type hints is to use the 'columns' argument in the '@dlt.resource' decorator.  For example:

@dlt.resource(columns={'payload__issue__milestone': {'data_type': 'text'}})



Pipeline dlt_colab_kernel_launcher load step completed in 4.96 seconds
1 load package(s) were loaded to destination duckdb and into dataset dlt_colab_kernel_launcher_dataset
The duckdb destination used duckdb:////content/dlt_colab_kernel_launcher.duckdb location to store data
Load package 1769050408.7078192 is LOADED and contains no failed jobs


In [17]:
with github_pipeline.sql_client() as client:
    with client.execute_query("SELECT * FROM github_stargazers WHERE id=17202864") as cursor:
        rows = cursor.fetchall()
        for row in rows:
            print(row)

('rudolfix', 17202864, 'MDQ6VXNlcjE3MjAyODY0', 'https://avatars.githubusercontent.com/u/17202864?v=4', '', 'https://api.github.com/users/rudolfix', 'https://github.com/rudolfix', 'https://api.github.com/users/rudolfix/followers', 'https://api.github.com/users/rudolfix/following{/other_user}', 'https://api.github.com/users/rudolfix/gists{/gist_id}', 'https://api.github.com/users/rudolfix/starred{/owner}{/repo}', 'https://api.github.com/users/rudolfix/subscriptions', 'https://api.github.com/users/rudolfix/orgs', 'https://api.github.com/users/rudolfix/repos', 'https://api.github.com/users/rudolfix/events{/privacy}', 'https://api.github.com/users/rudolfix/received_events', 'User', 'public', False, '1769050057.2045527', 'fNtlN5zNvGsfDA')
('rudolfix', 17202864, 'MDQ6VXNlcjE3MjAyODY0', 'https://avatars.githubusercontent.com/u/17202864?v=4', '', 'https://api.github.com/users/rudolfix', 'https://github.com/rudolfix', 'https://api.github.com/users/rudolfix/followers', 'https://api.github.com/use

Alternatively, you can set:

> `userdata.get()` is Colab-specific.

```python
os.environ["SOURCES__ACCESS_TOKEN"] = userdata.get('SECRET_KEY')
os.environ["SOURCES____MAIN____ACCESS_TOKEN"] = userdata.get('SECRET_KEY')
os.environ["SOURCES____MAIN____GITHUB_SOURCE__ACCESS_TOKEN"] = userdata.get('SECRET_KEY')
...
```

**How does it work?**

`dlt` **automatically extracts** configuration settings and secrets based on flexible naming conventions.

It then **injects** these values where needed in functions decorated with `@dlt.source`, `@dlt.resource`, or `@dlt.destination`.


>dlt uses a specific naming hierarchy to search for the secrets and config values. This makes configurations and secrets easy to manage.
>
> The naming convention for **environment variables** in dlt follows a specific pattern. All names are **capitalized** and sections are separated with **double underscores** __ , e.g.  `SOURCES____MAIN____GITHUB_SOURCE__SECRET_KEY`.


###  **Use dlt `secrets.toml` or `config.toml`**


> Note that Colab is not well-suited for using `secrets.toml` or `config.toml` files. As a result, these sections will provide instructions rather than code cells, detailing how to use them in a local environment. You should test this functionality on your own machine. For Colab, it is recommended to use environment variables instead.

The `secrets.toml` file - along with the `config.toml` file - should be stored in the `.dlt` directory where your pipeline code is located:

```
/your_project_directory
‚îÇ
‚îú‚îÄ‚îÄ .dlt
‚îÇ   ‚îú‚îÄ‚îÄ secrets.toml
‚îÇ   ‚îî‚îÄ‚îÄ config.toml
‚îÇ
‚îî‚îÄ‚îÄ my_pipeline.py
```

Read more about adding [credentials](https://dlthub.com/docs/walkthroughs/add_credentials).

To set credentials via the toml files, you would first add your access token to `secrets.toml`:

```toml
# .dlt/secrets.toml

[sources]
secret_key = "your_access_token"
```




Alternatively, you can set:

```
[sources]
secret_key = "your_access_token"
```
which is equal to:

```
secret_key = "your_access_token"
```

and to:

```
[sources.____main____]
secret_key = "your_access_token"
```
as well as:

```
[sources.____main____.github_source]
secret_key = "your_access_token"
```


### **Configure secrets in Colab**

You can configure secrets using the **Secrets** sidebar. Just create a variable with the name `secrets.toml` and paste the content of the toml file from your `.dlt` folder into it. We support `config.toml` variable as well.

Open the **Secrets** sidebar, press `Add new secret`, create a variable with name `secrets.toml` and copy-paste secrets in the `Value` field and click `Enable`:

```
[sources]
secret_key = "your_access_token"
```


>dlt will not reload the secrets automatically. **Restart your interpreter** in Colab options when you add/change the variables above.

![Lesson_3_Pagination_%26_Authentication_%26_dlt_Configuration_img4](https://storage.googleapis.com/dlt-blog-images/dlt-fundamentals-course/Lesson_3_Pagination_%26_Authentication_%26_dlt_Configuration_img4.png)

‚úÖ ‚ñ∂ Proceed to the [next lesson](https://github.com/dlt-hub/dlt/blob/master/docs/education/dlt-fundamentals-course/lesson_4_using_pre_build_sources_and_destinations.ipynb)!