Config & Secrets
Manage environment variables, API keys, and sensitive credentials securely.
Config & Secrets provides centralized management for environment variables, API keys, and sensitive credentials used by your workflows.
Variables vs Secrets
| Type | Purpose | Storage |
|---|---|---|
| Variables | Non-sensitive configuration values | Plain text |
| Secrets | API keys, passwords, tokens | Encrypted |
Variables
Environment and workflow variables for configuration:
- Feature flags
- Environment-specific settings (dev, staging, prod)
- Service endpoints and URLs
- Default parameters
Using Variables
Reference variables in your workflows using the variable syntax. Values are resolved at runtime.
Secrets
Secure storage for sensitive credentials:
- LLM provider API keys (OpenAI, Anthropic, etc.)
- Database connection strings
- OAuth tokens
- Service account credentials
Secret Security
- Encrypted at rest — All secrets are encrypted in storage
- Encrypted in transit — TLS for all communications
- Access controlled — Role-based access to secrets
- Audit logged — Track who accessed what and when
Scopes
Configure at different levels:
| Scope | Visibility |
|---|---|
| Workflow | Only this workflow |
| Workspace | All workflows in workspace |
| Organization | All workspaces in org |
Best Practices
- Never hardcode secrets in workflows
- Use the most restrictive scope possible
- Rotate secrets regularly
- Review access permissions periodically