Workspace secrets let you store sensitive values once and reference them from workflow expressions and custom code. They’re encrypted at rest and never logged.
#Where to find it
Settings → Secrets in your workspace. The page lists every secret you’ve created.
#Creating a secret
Click New secret and provide:
- Name: a short identifier you’ll reference (e.g.
STRIPE_KEY,OPENAI_KEY). - Value: the secret itself. Stored encrypted.
- Description (optional): context for your future self.
Once saved, the value is hidden, you can update or delete it but you can’t view it again.
#Using a secret
#In workflow expressions
Reference a secret with {{secrets.NAME}}:
Authorization: Bearer {{secrets.STRIPE_KEY}}
Use this in HTTP request headers, integration action config, or anywhere the builder accepts a variable.
#In custom code
Add the secret to the custom code node’s credentials list. Each entry pairs a secret with an alias used inside the sandbox. The alias becomes a key in context.secrets:
const ctx = JSON.parse(fs.readFileSync("./context.json", "utf8"));
const stripeKey = ctx.secrets.STRIPE_KEY;
Aliases must be valid identifiers (letters, numbers, underscores; no leading digit).
#Why use secrets instead of inline values
- Encrypted at rest: values aren’t visible in workflow definitions or run history.
- Rotate in one place: update the secret once and every workflow using it picks up the new value.
- Safer sharing: when you publish a workflow as a template, secret values are stripped automatically.
#System-managed secrets
Some integrations create system-managed secrets (OAuth tokens, API keys created during connection). These show up in the secrets list with a system tag, you don’t manage them directly. Use the integration page to reconnect or revoke instead.
To see system-managed secrets in the list, click the “Show system-managed secrets” toggle.