Secrets

Secrets are secure storage for sensitive information like API keys, authentication tokens, passwords, and other credentials that give apps system-level access. These values are what your workspace uses to connect to external tools and protected systems, and if they were shared in plain text someone could gain direct access to your data. We encrypt and isolate these details so your actions can use them safely without exposing sensitive data to your team or to logs.

Security

Secrets are protected so you can safely store powerful credentials that control access to your systems.

Encryption and data handling

We protect secret values at rest and in transit using strong, industry-standard encryption.

Secrets are encrypted at rest using strong, industry-standard algorithms including AES‑256 and are only decrypted briefly in memory when an agent or action runs and needs to use them. All communication between your browser, our service, and connected systems uses modern TLS (TLS 1.2 or higher) so secret values are also protected in transit.

When a secret is used, we pass the value directly to the underlying system without displaying it in the UI. Secret values are never written to logs, documents, or error messages, never shared with LLMs, and access can be revoked centrally at any time by rotating or deleting the secret.

Access control

Secrets belong to a workspace, not to individual users. Any agent or action in the workspace can use a secret once it has been configured, but only workspace owners or admins can create, update, or delete secrets. Workspace members can see secret names and descriptions so they know what exists, but they can never see the underlying values.

This model gives semi-technical users a safe way to connect tools and services without handling raw keys and tokens directly.

Using Secrets in Actions

When you create or edit an action, you can select one or more secrets by name instead of pasting credentials into code or prompts. We inject the secret values securely when the action runs so that:

• Your team never needs to see or copy the underlying key or token.
• You can reuse a single secret across many actions.
• Rotating a secret automatically updates all actions that depend on it.

If you are describing an action in chat, mention which secret it should use and we will wire it in for you.

Managing Secrets

Add new credentials, update values when they change, and remove access that is no longer needed.

Adding Secrets

Add a new API key, token, or credential for your workspace.

1. Go to the Secrets section in your workspace.
2. Click New secret.
3. Enter a clear name (for example, “HubSpot API key – production”), paste the secret value, and optionally add a short description.
4. Click Save to store the secret securely.

Choose names that describe which system the secret belongs to, what it is used for, and which environment it applies to (such as production or sandbox). This makes it easier for your team to reuse the right secret without guessing.

Updating Secrets

Update a secret when a key or token has changed, needs to be rotated, or has been regenerated in an external system.

1. Generate a new key or token in the external system (for example, your CRM or analytics tool).
2. In your workspace, go to Secrets and select the secret you want to update.
3. Replace the old value with the new one and save.

All actions that use that secret will automatically pick up the new value the next time they run, so you do not need to edit each action individually.

Deleting Secrets

Delete a secret when it should no longer be used or when you want to revoke access for a system or integration.

1. Confirm that no active agents or actions still depend on it.
2. In Secrets, select the secret and choose Delete.
3. Confirm the deletion.

Deleting a secret immediately removes access for all actions that referenced it. Those actions will fail until they are updated to use a different secret, which is a useful way to deliberately revoke access when a system or integration should no longer be used.