Secrets
Secrets let you store sensitive values, such as API keys or tokens, once and reuse them in integrations without exposing the full value in forms.
Secrets
Secrets let you store sensitive values, such as API keys or tokens, once and reuse them in integrations without exposing the full value in forms.
Before You Start
- You need access to the Organization > Secrets section.
- If you can view secrets but cannot create or edit them, ask an administrator for edit permissions.
What You Can Store
Each secret contains:
- Name: the identifier used later in requests
- Value: the sensitive value itself
- Description: optional notes for your team
- Allowed domains: optional list of domains where the secret is allowed to be used
Open the Secrets Page
- Open Organization.
- Go to Secrets.
- The list shows all configured secrets for your organization.
The secret value is shown in a masked form after saving.
Create a Secret
- Open Organization > Secrets.
- Click Create secret.
- Fill in the fields:
- Name: enter a unique secret name
- Value: paste the secret value
- Description: optional
- Allowed domains: optional
- Save the form.
Name Rules
- The name must start with a letter.
- It can contain letters, numbers, underscores (
_), hyphens (-), and dots (.). - Dots can be used to create readable groups, for example
crm.apiKeyoraws.accessKey. - The name must be unique.
Use a Secret in a Request
To insert a secret into an integration request, use this format:
{secrets.yourSecretName}Example:
Authorization: Bearer {secrets.crm.apiKey}You can use secret references in request fields such as:
- headers
- query parameters
- request body
- request path
- authentication headers
Do not use secrets in the integration Base URL field.
Edit a Secret
- Open Organization > Secrets.
- Select the secret you want to change.
- Update the name and description as needed.
- If you want to replace the stored value, enable value editing and enter the new value.
- Save the changes.
Important
- After a secret is saved, its full value is not shown again in the UI.
- If you do not provide a new value during editing, the current stored value remains unchanged.
Restrict a Secret to Specific Domains
Allowed domains help prevent a secret from being sent to unintended destinations.
If you leave Allowed domains empty, the secret can be used for requests to any domain.
Examples of valid entries:
example.comapi.example.com*.example.com
How Domain Restrictions Work
- If a secret is restricted, it can only be used when the request target matches one of the allowed domain patterns.
- If the target domain does not match, the request test or execution will fail with a domain restriction error.
Important
- To change Allowed domains for an existing secret, you must also provide a new secret value at the same time.
Delete a Secret
- Open Organization > Secrets.
- Find the secret in the list.
- Click the remove action.
- Confirm deletion.
Deleting a secret can break integrations or requests that still reference it.
What Happens If a Secret Is Missing
If a request references a secret that does not exist, the request test or execution will fail until the missing secret is created or the reference is removed.
Good Practices
- Use clear, stable names such as
crm.apiKeyorbilling.token. - Add descriptions so other users know what the secret is for.
- Use Allowed domains for production credentials whenever possible.
- Reuse existing secrets instead of creating duplicates with similar names.
- Before deleting a secret, check whether it is still used in integrations.
Example
Secret:
- Name:
crm.apiKey - Value:
abc123... - Allowed domains:
api.crm.example.com
Usage in request header:
Authorization: Bearer {secrets.crm.apiKey}Updated 20 days ago