
Secrets

Secrets store credentials that connector actions need at runtime, such as API keys, bearer tokens, account IDs, and webhook signing values.

Use Secrets when a value should be reused across actions, rotated without editing every action, or kept out of prompts, connector descriptions, and Flow inputs.

How secrets work

A secret is a named workspace record. Each secret can contain multiple key/value pairs.

For example, a single stripe-production secret might include:

  • API_KEY
  • ACCOUNT_ID
  • WEBHOOK_SECRET

Secret values are stored in GCP Secret Manager and are not shown again after they are saved. Applied keeps the secret name, key names, references, and last used timestamp visible so your team can manage the secret without exposing the values.

Create a secret

  1. Go to Settings > Workspace > Secrets.
  2. Click New secret.
  3. Enter a name that describes the system or environment.
  4. Add one or more key/value pairs.
  5. Save the secret.

Key names must start with a letter or underscore and can contain only letters, numbers, and underscores. Use names like API_KEY, ACCESS_TOKEN, and ACCOUNT_ID.

Edit or rotate a secret

Open the secret from Settings > Workspace > Secrets and use the Edit tab to update values.

When you save new values, future connector runs use the updated version. Use the same key names when rotating credentials so existing connector actions keep working.

Review references

The secret detail page shows:

  • Last used: the latest successful runtime access for the secret.
  • References: Custom connector actions that use the secret.
  • Edit: fields for updating the secret name, description, and values.

Check the references before deleting or renaming a secret so you know which actions will be affected.

Use secrets in Custom connectors

Custom connector actions select one named secret at a time.

For HTTP actions, reference secret keys with {secrets.KEY_NAME} in the URL, headers, or request body.

{ "Authorization": "Bearer {secrets.API_KEY}", "X-Account-ID": "{secrets.ACCOUNT_ID}" }

For code actions, Applied injects the selected secret’s keys as environment variables. For example, a key named API_KEY is available as API_KEY inside the action runtime.
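A sketch of how a code action might consume the injected variables, added here as an example and not taken from Applied's own code. It assumes a Python action runtime, which this page does not specify; load_secrets, build_headers, redact, and MissingSecret are hypothetical helper names, and the sample values are constructed.

```python
import os
import re

# Key-name rule stated on this page: starts with a letter or underscore,
# then only letters, numbers, and underscores.
KEY_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


class MissingSecret(RuntimeError):
    """Raised when an expected key was not injected; never carries a value."""


def load_secrets(required, environ=None):
    """Return {key: value} for the required keys, failing closed if any is absent."""
    environ = os.environ if environ is None else environ
    bad = [k for k in required if not KEY_NAME.fullmatch(k)]
    if bad:
        raise ValueError(f"invalid secret key name(s): {bad}")
    missing = [k for k in required if not environ.get(k)]
    if missing:
        # Report key names only, so the error is safe to surface in run logs.
        raise MissingSecret(f"secret key(s) not set: {missing}")
    return {k: environ[k] for k in required}


def build_headers(secrets):
    """Same headers as the HTTP action example, built from injected values."""
    return {
        "Authorization": f"Bearer {secrets['API_KEY']}",
        "X-Account-ID": secrets["ACCOUNT_ID"],
    }


def redact(text, secrets):
    """Mask secret values in text before it is logged or returned as output."""
    # Longest values first, so a value contained in another is not left half-masked.
    for key, value in sorted(secrets.items(), key=lambda kv: -len(kv[1])):
        text = text.replace(value, f"<{key} redacted>")
    return text


if __name__ == "__main__":
    # Constructed sample environment standing in for the action runtime.
    sample_env = {"API_KEY": "sk_test_constructed", "ACCOUNT_ID": "acct_constructed"}
    secrets = load_secrets(["API_KEY", "ACCOUNT_ID"], sample_env)
    print(redact(str(build_headers(secrets)), secrets))
```

Because the action reads only key names, rotating the values in the secret requires no change to this code.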

Best practices

  • Create separate secrets for separate systems or environments.
  • Prefer stable key names so rotations do not require connector edits.
  • Do not paste raw credentials into connector descriptions, prompts, Flow inputs, or action code.
  • Check references before deleting a secret.
  • Rotate credentials in the source system and then update the matching secret in Applied.
