Secrets Vault
The Secrets Vault stores sensitive values — passwords, API keys, connection strings — encrypted at rest. Workflows reference secrets by name at runtime so plain-text credentials never appear in workflow files or execution logs.
Creating a Secret
Navigate to Dashboard → Secrets → New Secret.
| Field | Details |
|---|---|
| Name | Lowercase with underscores. Convention: smtp_password, db_connection_string, api_key_openai. Names are case-sensitive. |
| Value | The plain-text secret. Encrypted at rest and never returned to the UI after saving — you can only overwrite it. |
Using a Secret in a Workflow
In any activity property field or in a schedule's Input Data JSON, type {{secret:name_here}}.
```yaml
SendEmail:
  SmtpHost: "smtp.gmail.com"
  SmtpPort: 587
  Username: "ops@example.com"
  Password: "{{secret:smtp_password}}"
  To: "alice@example.com"
  Subject: "Daily Report"
  Body: "{{reportBody}}"
```
You can also reference secrets in schedule input data:
```json
{
  "password": "{{secret:smtp_password}}",
  "apiKey": "{{secret:api_key_openai}}"
}
```
Security Model
| Rule | Details |
|---|---|
| Access control | Only users with the Admin or Orchestrator Manager role can view the secrets list or add new secrets |
| Encryption | AES-256 encryption at rest in the database |
| Logging | Resolved plain-text values never appear in execution logs — the log shows {{secret:...}} |
| Resolution | The Robot resolves secret tokens at runtime, just before passing the value to the activity |
Rotating a Secret
Dashboard → Secrets → click the secret → Edit → enter the new value → Save. All workflows pick up the new value on their next run automatically — no republishing needed.
Naming Convention
Use descriptive names like stripe_api_key or prod_db_connection. This makes it clear which workflows depend on which secrets when you need to rotate them.
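
An added example, not part of the product or its documentation: a pre-publish check in Python that walks activity properties or schedule input data, lists the secret names a workflow depends on, and flags literal values in credential fields as well as token names that break the naming rule or are missing from the vault. The `audit` function, the sensitive-field pattern, the sample data and the known-secrets set are assumptions made for illustration.

```python
import json
import re

# Token syntax shown on the page: {{secret:name_here}}
TOKEN = re.compile(r"\{\{secret:([^{}]*)\}\}")
# The page's rule is "lowercase with underscores"; allowing digits is an assumption.
VALID_NAME = re.compile(r"^[a-z][a-z0-9_]*$")
# Assumption: property names that should only ever hold a secret token.
SENSITIVE_KEY = re.compile(r"pass(word)?|secret|api_?key|token|connection_?string", re.I)

# Constructed sample: one correct reference, one literal key, one wrongly cased name.
SAMPLE = json.loads("""{
  "SendEmail": {"Username": "ops@example.com", "Password": "{{secret:smtp_password}}"},
  "CallApi": {"apiKey": "sk-constructed-example", "Auth": "{{secret:API_Key_OpenAI}}"}
}""")
KNOWN = {"smtp_password", "api_key_openai"}  # constructed: names assumed to be in the vault


def audit(properties, known_secrets):
    """Return (findings, referenced_names) for activity properties or input data."""
    findings, referenced = [], set()

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            names = TOKEN.findall(node)
            for name in names:
                referenced.add(name)
                if not VALID_NAME.match(name):
                    findings.append((path, f"name '{name}' breaks the lowercase_underscore rule"))
                if name not in known_secrets:  # names are case-sensitive
                    findings.append((path, f"secret '{name}' is not in the vault"))
            leaf = path.rsplit(".", 1)[-1]
            # Report the path only, never the literal, so the report cannot leak it.
            if not names and node and SENSITIVE_KEY.search(leaf):
                findings.append((path, "literal value in a credential field"))

    walk(properties, "")
    return findings, referenced


if __name__ == "__main__":
    problems, deps = audit(SAMPLE, KNOWN)
    print("depends on:", sorted(deps))
    for where, what in problems:
        print(f"{where}: {what}")
```

Findings carry the property path only, never the offending value, so the check's own output is safe to log.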