What are Secrets?
Workspace-Level Secrets
Creating Secrets
Using Secrets in Actions
Managing Secrets
Security Best Practices
Common Secret Types
Troubleshooting
Next Steps

Secrets

Secrets are secure storage for sensitive information like API keys, passwords, and credentials that your actions need to access external services. UpdateMate encrypts and securely stores your secrets so you can use them in your actions without exposing sensitive data.

What are Secrets?

Secrets are encrypted variables that store sensitive information: API keys, passwords, tokens, and connection strings. They're encrypted at rest and only decrypted when needed by your actions. They're never exposed in logs, documents, or the UI.

Workspace-Level Secrets

Secrets belong to workspaces, not individual users. All actions in a workspace can access all secrets in that workspace. All workspace members can view secret names (but not values). Root users can create, edit, and delete secrets. Members can use secrets in actions but may have restrictions on management.

Creating Secrets

Navigate to Secrets, click "New Secret", and enter a descriptive name (e.g., "HubSpot API Key"), the actual secret value, and an optional description. The secret is encrypted and stored securely.

Use clear, descriptive names that indicate what service the secret is for, what type it is, and which environment if applicable. Good examples: "HubSpot API Key", "Intercom Access Token", "Database Password Production". Avoid generic names like "Secret 1" or "Key".

Important: Secret names are used directly in code, so use names that are valid Python attribute names (letters, numbers, underscores). For example, use HUBSPOT_API_KEY not HubSpot API Key.

Using Secrets in Actions

Secrets are automatically available to all actions in your workspace through the app.secrets object. You don't need to import or configure anything—just reference them by name.

In your action code, access secrets using app.secrets.SECRET_NAME. Secret names in code use the exact name you created, converted to a valid Python attribute. When creating secrets, use names that work well as Python attributes (uppercase with underscores).

When describing actions in the chat interface, mention which secrets to use. UpdateMate will automatically use the appropriate secrets when generating code.

Managing Secrets

You can view secret names and descriptions, but the actual secret values are never displayed for security reasons. To update a secret, select it, edit the value, and save. When you update a secret, all actions using it will automatically use the new value on their next run.

When deleting secrets, ensure no active actions are using the secret, modify any actions that reference the deleted secret (or they'll fail), and confirm deletion. Secrets are permanently removed and cannot be recovered.

Security Best Practices

Use unique secrets—don't reuse the same secret across multiple services. Rotate regularly, especially API keys. Secrets are isolated per workspace. Root users can manage secrets; members can use them in actions. Secret values are never shown in UI, logs, documents, or error messages.

When connecting integrations, prefer OAuth flows over API keys when possible, grant only minimum permissions needed, review regularly, and use environment-specific secrets for production, staging, and development.

Never log secrets, never include secrets in documents, always access through app.secrets (never hardcode), and when describing actions, mention secrets by name but never include values.

Common Secret Types

API Keys: Long alphanumeric strings for external services. Store as secrets, never in code. Usage: api_key = app.secrets.HUBSPOT_API_KEY.

Access Tokens: Bearer tokens or similar. Store as secrets. Usage: token = app.secrets.INTERCOM_TOKEN.

Database Credentials: Connection strings with embedded credentials. Store entire connection string as secret. Usage: conn_string = app.secrets.DATABASE_URL.

Service Account Keys: JSON keys or similar. Store entire key file content as secret. Parse JSON in your action code.

Troubleshooting

Secret Not Found: Verify the name matches exactly (case-sensitive), check that the secret exists in your workspace, verify you have access to the workspace, use chat to help identify the correct secret name.

Authentication Failures: Verify the secret value is correct and up-to-date, check if the secret has expired, ensure the secret has correct permissions/scopes, test manually using the secret value directly in the API.

Integration Issues: Verify secrets are configured correctly, check secret names match in action code, review action logs for authentication errors, use chat to fix secret usage in actions.

Next Steps

Now that you understand secrets, create your first secret, use secrets in actions using app.secrets.SECRET_NAME, describe secrets in chat when creating actions, review security, and set up integrations.

Secrets are a critical part of secure automation. By properly managing your secrets, you can keep your workflows secure while enabling powerful integrations.