Workflow Secrets
Per-user encrypted secrets for workflow integrations (API keys, webhooks).
Overview
Workflow Secrets is the encrypted credential vault that backs your automations. You give each secret a name and a value — an API key, an OAuth bearer token, a webhook signing secret, a Slack incoming webhook URL — and workflow nodes reference it later as {{secrets.<name>}}. The plaintext is never echoed back to the UI once saved; only the name and a masked preview are visible after creation.
Reach for this tool whenever a workflow needs to authenticate against a third-party API or post to a private endpoint. It's the right home for personal access tokens, SMTP passwords, signing keys, and any other secret that should not live as a hard-coded string inside a workflow definition or in a git history.
How it works
Secrets are encrypted at rest using ASP.NET Core Data Protection, scoped per user, and decrypted only at workflow execution time inside the Hangfire worker. The template expression {{secrets.<name>}} is substituted into HTTP headers, query strings, request bodies, and connection fields just before the step fires, so the resolved value never appears in workflow JSON, run history, or logs — the run viewer masks substituted secret values.
Because Data Protection keys live with the deployment, secrets are tied to the environment that created them. They cannot be exported as plaintext and they are not portable across instances without re-entry.
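A minimal model of the behavior described above, added here as an illustration and not the product's own code: templates are resolved only when a step is about to run, resolved values are masked before text is written to run history, and a reference to a missing secret fails the step. The function names, the **** mask, the allowed name characters, and the sample values are assumptions.

```python
import re

# Page syntax: {{secrets.<name>}}. Allowed name characters are an assumption.
SECRET_REF = re.compile(r"\{\{secrets\.([A-Za-z0-9_]+)\}\}")
MASK = "****"  # assumed mask string

class UnresolvedSecretError(LookupError):
    """A step references a secret that does not exist (e.g. it was deleted)."""

def resolve_step(step, secrets):
    """Resolve templates in a step just before it fires.

    Returns (resolved_copy, used_values); the stored definition is not modified.
    """
    used = set()

    def substitute(match):
        name = match.group(1)
        if name not in secrets:
            raise UnresolvedSecretError(match.group(0))
        used.add(secrets[name])
        return secrets[name]

    def walk(node):
        if isinstance(node, dict):
            return {key: walk(value) for key, value in node.items()}
        if isinstance(node, list):
            return [walk(value) for value in node]
        if isinstance(node, str):
            return SECRET_REF.sub(substitute, node)
        return node

    return walk(step), used

def mask(text, used):
    """Redact resolved secret values before text reaches run history or logs."""
    # Longest first, so a secret that contains a shorter one is fully masked.
    for value in sorted(used, key=len, reverse=True):
        if value:
            text = text.replace(value, MASK)
    return text

# Constructed sample data, not real credentials or endpoints.
SECRETS = {"stripe_secret": "constructed-value-123"}
STEP = {"url": "https://api.example.test/v1/charges",
        "headers": {"Authorization": "Bearer {{secrets.stripe_secret}}"}}
```

Masking by exact value does not catch a secret that a remote service echoes back in an encoded form (base64, URL-encoded), so response bodies written to logs need the same scrutiny as request fields.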
Examples
- Storing a Stripe API key as stripe_secret, then referencing Bearer {{secrets.stripe_secret}} in the Authorization header of an HTTP step.
- Holding a Slack incoming webhook URL as slack_alerts and pointing a Slack step at {{secrets.slack_alerts}}.
- Saving an SMTP app password as smtp_password for an email step without exposing it in the workflow definition.
- Keeping an HMAC signing secret as webhook_signing_key and using it inside a script step to verify inbound webhook signatures.
FAQ
Can I view a secret's value after I save it?
No. Once saved, the plaintext is encrypted and never returned to the browser. If you forget a value, rotate it at the source and replace the secret.
How do I rotate a secret?
Update the value in place — the name stays the same, so every workflow that references {{secrets.<name>}} picks up the new value on its next run without edits.
Are secrets shared across my workflows?
Yes, secrets are scoped to your user account and visible to every workflow you own. They are not visible to other users.
Will the secret appear in run history?
No. Secret substitutions are masked in the run viewer so the resolved credential never lands in the execution log.
What happens if I delete a secret a workflow still uses?
The next run will fail at the step that referenced the missing secret. The error in Workflow Runs will point to the unresolved template.