> ## Documentation Index
> Fetch the complete documentation index at: https://braintrust.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Fix 'No secrets match the org' error

export const plans_0 = "Any"

export const deployments_0 = "Self-hosted"

export const data_plane_version_0 = "Data plane - Helm 6.7.1+"

export const use_case_0 = "Use case - Resolve self-hosted deployment errors where secrets are filtered because the deployment is not configured to allow the secret's organization (add org UUID to allowed orgs or set env var for older Helm charts)."

<Note>
  **Applies to:**

  * Plan - {plans_0}
  * Deployment - {deployments_0}
  * {data_plane_version_0}
  * {use_case_0}
</Note>

## Summary

Scorer or function invocations can fail with `Error: No secrets match the org configured for this deployment. Please see logs for more details.`

In the data plane logs, the selected AI provider credential, such as `OPENAI_API_KEY`, may show `secret_org_id` set and `secret_org_name: null`. This means the credential has an org UUID, but the deployment does not allowlist that UUID.

## What is happening

Braintrust stores AI provider credentials as secrets. Before using one, the data plane allows it only when either:

* `secret_org_name` exactly matches `ORG_NAME`
* `secret_org_id` is included in `ALLOWED_ORG_IDS`

If neither condition is true, data plane logs may show:

```text theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
ORG_NAME: "<your org name>"
secret_name: "<your secret name>"
secret_org_id: "<your org UUID>"
secret_org_name: null
```

## Suggested fix

Add the organization UUID to the deployment's allowed org list, then redeploy the affected data plane services. See [Configure organization authorization](/admin/self-hosting/advanced#configure-organization-authorization).

* For AWS deployments using Terraform module v5.8.1 or newer, set `allowed_org_ids`.
* For GCP or Azure deployments using Helm chart v6.7.1 or newer, set `global.allowedOrgIds`.

For both settings, use a comma-separated string of Braintrust organization UUIDs with no spaces, for example:

```text theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
ORG_UUID_1,ORG_UUID_2
```

If you are on an older deployment module or chart version, upgrade to a version that supports the allowed-org setting. For older GCP / Azure Helm charts, you can set `ALLOWED_ORG_IDS` directly on the API deployment with `api.extraEnvVars` as a temporary workaround:

```yaml theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
api:
  extraEnvVars:
    - name: ALLOWED_ORG_IDS
      value: "REPLACE_WITH_ORG_UUID"
```

## How to confirm it worked

* Re-run the failing scorer or function invocation.
* Confirm the `No secrets match the org configured...` error is gone.
* Confirm logs no longer show `Filtering out secret because its org is not allowed for this deployment` for that provider secret.

## Notes

* To get the org UUID, hover over the org name in the Braintrust UI and click **Copy ID**.
* Keep `ORG_NAME` configured as-is; add the org UUID through the deployment’s allowed-org setting.
