# Secrets Secrets provide secure storage for sensitive data such as API tokens, credentials, and signing keys. Each project includes a dedicated Secrets section where you can store and reference confidential information without exposing it directly in flow configurations. ## Overview [Section titled “Overview”](#overview) Secrets are stored at the project level and can be referenced in: - App installation configurations - Block configuration expressions - Any JavaScript expression within your flows Once stored, secrets are never exposed in plain text within the flow editor or logs. They are securely injected at runtime when referenced. ## Managing Secrets [Section titled “Managing Secrets”](#managing-secrets) ### Creating a Secret [Section titled “Creating a Secret”](#creating-a-secret) To create a new secret: 1. Navigate to your project 1. Click the **Secrets** tab in the left sidebar 1. Click **Add secret** in the top-right corner 1. Enter a key (e.g., `ANTHROPIC_API_KEY`, `DEMO_BOT_SLACK_BOT_TOKEN`) 1. Enter the secret value 1. Click **Save** ## ![Secrets View](/images/secrets.png) ## Referencing Secrets [Section titled “Referencing Secrets”](#referencing-secrets) Secrets are referenced using the `secrets` object within JavaScript expressions. The syntax follows this pattern: ** ``` secrets.SECRET_KEY_NAME ``` ![Secrets Installation Referencing](/images/secrets-installation.png) ### In App Installation Configurations [Section titled “In App Installation Configurations”](#in-app-installation-configurations) When configuring an app installation, reference secrets directly in configuration fields: ** ``` secrets.DEMO_BOT_SLACK_BOT_TOKENsecrets.DEMO_BOT_SLACK_SIGNING_SECRET ``` ### In Block Configuration Expressions [Section titled “In Block Configuration Expressions”](#in-block-configuration-expressions) Secrets can be referenced in any block configuration expression: ** ``` // HTTP Request header{ "Authorization": `Bearer ${secrets.ANTHROPIC_API_KEY}`} // Dynamic API endpoint with secret token`https://api.example.com/data?token=${secrets.API_TOKEN}` ``` ## Security Considerations [Section titled “Security Considerations”](#security-considerations) ### Secret Visibility [Section titled “Secret Visibility”](#secret-visibility) Secrets are scoped to the project level. All users with access to the project can: - View secret keys (names) - Reference secrets in configurations - Update or delete secrets Secret values are never displayed in plain text after creation. ### Secrets in Logs [Section titled “Secrets in Logs”](#secrets-in-logs) When a block or app installation uses a secret, the secret value is not exposed in: - Flow execution logs - Debug output - Error messages - Event inspection views If a secret value appears in an API response or block output, it will be visible in subsequent block configurations that reference that output.