Secrets in Reqflo follow a strict separation: you store the actual credential in the workspace secret store, and journey builders reference it by name only. The secret value is never shown in the UI, never embedded in a journey definition, and is only resolved when a journey actually runs.

When to use it

Manage secrets in Admin → Secrets management when:
  • A journey needs an API key, token, or other credential that must not appear in plain text.
  • You need to rotate a secret without touching any journey definition — update the value here once, and every journey that references it picks up the new value automatically.
  • You are onboarding a new service that requires credentials for Cloud Runner executions.

Key concepts

Secret references, not secret values. When a journey builder adds a secret to a step’s value configuration, they select the secret name from a list. The name is what gets saved in the journey definition. The actual value is never stored in the journey, never shown in the editor, and never appears in run logs.

Where values resolve. Resolution happens at execution time, in two contexts:
  • Cloud runs (Cloud Runner): The Cloud Runner retrieves the value from the workspace’s cloud-managed secret store at the start of execution. The secret is injected into the run environment and is not surfaced in output.
  • Local runs (CLI): The CLI uses your local environment variables or a local secret configuration. The workspace secret store is not accessed for local runs.
This means the same journey can reference a secret by name and resolve correctly in both contexts — what changes is where the value comes from.

Secret lifecycle. Secrets have a name, an optional description, and a stored value. You can add, update (rotate), and delete secrets from the Admin page. Deleting a secret that is referenced by journeys will cause those journeys to fail the Run check for missing secrets.
Secret values are write-only in the Reqflo UI. Once a secret is saved, the value cannot be retrieved or displayed — only overwritten. Store values securely outside Reqflo as well.

How it works

1. Add a secret

In Admin → Secrets management, click Add secret. Give it a memorable name (e.g., payments-api-key), an optional description, and the secret value. Save it.

2. Reference it in a journey

In a journey’s Values panel or step configuration, select the secret by name from the secret reference picker. The name appears in the journey; the value does not.

3. Run the journey

When the journey runs in the cloud, the Cloud Runner resolves the secret at execution time. When run locally with the CLI, your local environment provides the value.

4. Rotate when needed

Update the secret value in Admin. No journey definitions need to change — they continue referencing the same name.

Examples

Referencing a secret in a step value. In the step’s value configuration, rather than typing an API key directly, you select Secret reference as the value source and pick payments-api-key from the list. The journey YAML records the reference name, not the value:
values:
  api_key:
    source: secret
    name: payments-api-key
Rotating a credential. Your payments API key is being rotated. In Admin, find payments-api-key, click Update value, paste the new key, and save. Every journey referencing payments-api-key will use the new value on the next run — no journey edits required.
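
A pre-run check for the reference-by-name and local-run behavior described above, as an added example that is not Reqflo code: it walks a journey's values, lists the secret references, reports names with no local environment variable, and flags inline strings that look like credentials. The name-to-variable mapping, the token heuristic and the sample journey entries other than api_key are assumptions.

```python
import os
import re

# Constructed journey, shaped like the `values:` block above (what a YAML loader
# would return). `webhook_key`, `base_url` and `legacy_token` are hypothetical.
JOURNEY = {"values": {
    "api_key": {"source": "secret", "name": "payments-api-key"},
    "webhook_key": {"source": "secret", "name": "webhook-signing-key"},
    "base_url": "https://api.example.test/v1",
    "legacy_token": "EXAMPLE9fQ2xL7vB1mZr8TtYc3KdW6pHn",  # constructed, not a real key
}}

# Heuristic: one unbroken run of 24+ key-alphabet characters mixing letters and digits.
TOKEN_LIKE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9_+/=-]{24,}$")


def env_name(secret_name):
    # ASSUMPTION: the local variable is the secret name upper-cased with "_" for
    # every non-alphanumeric character. Adjust to your CLI's actual configuration.
    return re.sub(r"[^A-Za-z0-9]", "_", secret_name).upper()


def audit(journey, environ):
    """Return secret references, names unset locally, and paths of inline suspects."""
    refs, inline = [], []

    def walk(node, path):
        if isinstance(node, dict):
            if node.get("source") == "secret" and "name" in node:
                refs.append((path, node["name"]))  # a reference: the name is safe to report
                return
            for key, child in node.items():
                walk(child, f"{path}.{key}")
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, f"{path}[{i}]")
        elif isinstance(node, str) and TOKEN_LIKE.match(node):
            inline.append(path)  # record where it is, never the value itself

    walk(journey.get("values", {}), "values")
    missing = sorted({n for _, n in refs if not environ.get(env_name(n))})
    return {"references": refs, "missing_locally": missing, "inline_suspects": inline}


if __name__ == "__main__":
    report = audit(JOURNEY, os.environ)
    for key, items in report.items():
        print(f"{key}: {items}")
    raise SystemExit(1 if report["missing_locally"] or report["inline_suspects"] else 0)
```

The report contains only value paths and secret names, so it can be written to CI logs without exposing a credential.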