Secret Store

The Secret Store lets you securely save API keys, tokens, passwords, and other credentials that your Agent Studio automations can use. Secrets are encrypted and stored in Google Secret Manager — values are never visible after saving.

Accessing the Secret Store

  1. Navigate to Settings from the main menu
  2. Select Secret Store from the settings sidebar

Managing Secrets

Creating a Secret

  1. Click Add Secret
  2. Enter a unique Key name (e.g., OPENAI_API_KEY, SLACK_WEBHOOK_TOKEN)
  3. Enter the secret Value in the password field
  4. Click Add Secret to save

Use descriptive key names that indicate the secret’s purpose, such as SALESFORCE_API_KEY or WEBHOOK_AUTH_TOKEN.

Updating a Secret

  1. Click the edit (pencil) icon next to the secret
  2. Enter the new value — the previous value is not shown
  3. Click Update Secret

Deleting a Secret

  1. Click the delete (trash) icon next to the secret
  2. Confirm the deletion in the dialog

Deleting a secret is permanent. Any automations using this secret will fail until a replacement is configured.

Using Secrets in Agent Studio

Secrets from the Secret Store are available in components that support authentication, such as the API Call V2 component.

Example: API Call with Bearer Token

  1. Create a secret with key MY_API_TOKEN and your token as the value
  2. In Agent Studio, add an API Call V2 component
  3. Set Authentication to Bearer Token
  4. Click the refresh icon on Secret Value to load your secrets
  5. Select MY_API_TOKEN from the dropdown

The component retrieves the actual token securely at runtime — it’s never exposed in the workflow configuration.

Supported Authentication Types

Auth Type     | Secret Used As
API Key       | The API key value sent in a header or query parameter
Bearer Token  | The token in the Authorization: Bearer <token> header
Basic Auth    | The password (username is configured separately)
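
The three auth types in the table above follow standard HTTP conventions. The Python below is an added example, not Agent Studio's own code: it shows where a secret ends up in an outbound request for each type and how to mask it before the request is logged. The function names, the X-API-Key header name, and the sample URL and values are assumptions.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MASK = "REDACTED"

def apply_auth(auth_type, secret, url, username=None,
               key_name="X-API-Key", key_in="header"):
    """Return (url, headers) with the secret placed as the auth type requires."""
    headers = {}
    if auth_type == "bearer":
        headers["Authorization"] = f"Bearer {secret}"
    elif auth_type == "basic":
        # The secret is only the password; the username is configured separately.
        if not username or ":" in username:
            raise ValueError("Basic Auth needs a username without ':'")
        pair = f"{username}:{secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode("ascii")
    elif auth_type == "api_key" and key_in == "header":
        headers[key_name] = secret
    elif auth_type == "api_key" and key_in == "query":
        # Percent-encode the key and keep any existing query parameters.
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True) + [(key_name, secret)]
        url = urlunsplit(parts._replace(query=urlencode(query)))
    else:
        raise ValueError(f"unsupported auth: {auth_type}/{key_in}")
    return url, headers

def redact(url, headers, key_name="X-API-Key"):
    """Mask credential-bearing headers and query parameters before logging."""
    sensitive = {"authorization", key_name.lower()}
    safe = {k: MASK if k.lower() in sensitive else v for k, v in headers.items()}
    parts = urlsplit(url)
    query = [(k, MASK if k.lower() in sensitive else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query))), safe

if __name__ == "__main__":
    # Constructed sample values; no real credentials or endpoints.
    url = "https://api.example.com/v1/items?page=2"
    for kwargs in ({"auth_type": "bearer"},
                   {"auth_type": "basic", "username": "svc-user"},
                   {"auth_type": "api_key", "key_in": "query", "key_name": "api_key"}):
        out_url, out_headers = apply_auth(secret="s3cr3t value", url=url, **kwargs)
        print(redact(out_url, out_headers, kwargs.get("key_name", "X-API-Key")))
```

An API key sent as a query parameter becomes part of the URL, so it appears wherever URLs are recorded; sending it in a header avoids that. Basic Auth only base64-encodes the password, so the Authorization header needs the same masking as a bearer token.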

Security

  • Secrets are encrypted at rest in Google Secret Manager
  • Secret values are never displayed in the UI after creation (always shown as ••••••••)
  • Each organization’s secrets are isolated — no cross-tenant access
  • Only admins can create, update, or delete secrets
  • Secrets are accessed at runtime only by the automation engine

Best Practices

Name secrets after their purpose and service: SLACK_WEBHOOK_URL, SALESFORCE_REFRESH_TOKEN, SENDGRID_API_KEY.
Update secrets periodically, especially after team member changes or suspected exposure.
Avoid reusing the same secret across unrelated integrations. This makes rotation easier and limits blast radius if a secret is compromised.