Skip to main content
A secret reference is a pointer to a sensitive value — an API key, a password, an OAuth client secret — that you include in a journey by name only. Reqflo never stores or displays the actual secret value. When the journey runs, the runner resolves the reference and injects the value where needed.

When to use it

Use secret references for any value that should not appear in logs, UI, or journey exports:
  • API keys and bearer tokens.
  • Passwords and passphrases.
  • OAuth client IDs and secrets.
  • Signing keys or webhook secrets.
If you find yourself typing a sensitive value directly into a journey, that’s a signal to use a secret reference instead.

Key concepts

You select secrets by name, not by value. The journey stores the secret’s name (e.g., STRIPE_TEST_KEY). The actual value is never written into the journey definition, displayed in the UI, or included in build artifacts in plaintext. Resolution happens at execution time. The secret value is injected when the journey actually runs — not when it’s configured. Resolution depends on execution mode:
  • Cloud runs (Cloud Runner) — secrets are resolved from cloud-managed secret storage. Admins configure which secrets are available to which journeys. See Secrets management.
  • Local CLI runs — secrets resolve from your local environment (environment variables or a local secret config). If STRIPE_TEST_KEY is set in your shell, reqflo run picks it up automatically.
Secret references are different from hard-coded values and run inputs. A hard-coded value is stored in the journey and visible to anyone with access. A run input prompts the user to type a value, which could end up in logs. A secret reference never exposes the value at all.

How it works

  1. An admin registers a secret in Admin > Secrets management.
  2. In Build mode, when configuring a step’s value sources, you choose “Secret reference” and select the secret by name.
  3. The journey records only the name. No value is stored.
  4. At run time, the Cloud Runner (or local CLI) resolves the name to the actual value and injects it into the request.

Examples

A journey step that calls a protected endpoint: 
steps:
  - id: create-payment
    template: post-payment
    values:
      Authorization:
        type: secret
        name: PAYMENTS_API_KEY
The value of PAYMENTS_API_KEY is never in the YAML, never shown in the UI, and never appears in run logs. For local runs, set the secret in your shell before running: 
export PAYMENTS_API_KEY=sk_test_abc123
reqflo run payment-flow --env sandbox