Variables and Secrets
Define variables once and reference them anywhere, and store API keys and secrets in encrypted storage workflows can read but humans cannot.
Variables and secrets let you define a value once and reference it across workflows, with plain variables readable in the editor and secrets encrypted on storage so workflows can use them at runtime while humans never see them again.
How it works
Open the visual editor, name a value, set it, and mark it plain or secret. Plain variables stay readable; secrets are encrypted the moment they hit storage and are never shown in full again. Choose a scope (global, workflow, or user), then drop the variable into any node field. The variables panel browses every variable in scope, shows secrets by name only, and offers autocomplete. References resolve at execution time, so every run picks up the current value. When a value changes, update it once and every workflow uses the new value on its next run.
Key capabilities
- Global, workflow, and user scopes, each mapping to a visibility pattern, set at creation.
- Encrypted secret storage at rest using workspace specific keys; secrets are write only after first entry.
- Visual variable editor to add, update, rotate, and retire variables, with search, filter by scope, and grouping.
- Variable syntax that works in plain fields, transform expressions, JavaScript blocks, and API request bodies.
- Key rotation in one save, with new values flowing to every workflow on the next run.
- Audit trail covering creation, updates, rotations, retirement, scope changes, and every read, with secret values never logged.
Tips
Secrets are write only after the first entry regardless of role. Even a workspace admin cannot read a secret back; they can rotate, retire, or replace it, but not view the underlying value. Workflows already in flight finish on the previous value, then switch on the next trigger.