Skip to main content

What are Credentials?

Credentials are encrypted key-value pairs that allow you to securely store sensitive information like API keys, tokens, and secrets. Instead of hardcoding sensitive values in your workflow code, you can reference them by name and the system will securely inject them at runtime.

Why Use Credentials?

Without CredentialsWith Credentials
API keys hardcoded in codeValues stored encrypted, referenced by name
Risk of accidentally exposing secretsSecrets never visible in logs or UI
Difficult to rotate keysEasy rotation without changing code
Same key repeated across workflowsSingle source of truth for all workflows

Managing Credentials

Accessing Credentials Settings

Navigate to Workspace SettingsCredentials to manage your workspace credentials.
Credentials settings page in Workspace Settings

Creating a Credential

  1. Click Add Credential
  2. Enter a Key (identifier you’ll use in code, e.g., SLACK_BOT_TOKEN)
  3. Enter the Value (the actual secret)
  4. Click Save
The credential value is encrypted before storage. Once saved, you cannot view the value again — you can only update or delete it.

Credential Key Naming

Choose descriptive, consistent names for your credential keys: 
SLACK_BOT_TOKEN
OPENAI_API_KEY
DATABASE_PASSWORD
GITHUB_ACCESS_TOKEN
STRIPE_SECRET_KEY
Use uppercase with underscores for consistency, similar to environment variables. This makes it easy to identify credentials in your code.

Updating a Credential (Rotation)

To rotate a credential:
  1. Find the credential in the list
  2. Click Edit
  3. Enter the new value
  4. Click Save
The new value takes effect immediately for any new workflow executions.

Deleting a Credential

Deleting a credential will cause any workflow referencing it to fail with a missing_credential error. Make sure no active workflows depend on the credential before deleting.

Using Credentials in Code Execution

In Code Execution steps, use the credential() function to retrieve secret values at runtime.

JavaScript/TypeScript

// Get a credential value
const apiKey = credential("OPENAI_API_KEY");

// Use it in your code
const response = await fetch("https://api.openai.com/v1/chat/completions", {
  headers: {
    "Authorization": `Bearer ${apiKey}`,
    "Content-Type": "application/json"
  },
  // ...
});

Using Credentials in Agents

When a workflow executes an Agent step, all workspace credentials are automatically available to the agent. You can instruct the agent to use a specific credential by referencing its name in your prompt or agent configuration. For example, you can tell the agent: “Use the SLACK_BOT_TOKEN credential to send a message to the #general channel.”
Credentials are inherited from the workflow’s scope. The agent receives the same credentials available to the workflow that triggered it.

How Credentials Work at Runtime

When a workflow step executes:
  1. The system resolves all available credentials for the workspace
  2. Credentials are decrypted and injected into the step’s runtime environment
  3. The credential() function reads from this secure context
  4. Credential values are kept in memory only — never persisted in logs, outputs, or state
The system uses best-effort masking to prevent credential values from appearing in logs. However, if your code explicitly prints a credential value, it may still be visible.

Credential Scopes

Credentials are defined at the workspace level, meaning they’re available to all workflows in the workspace.

How Resolution Works

When your code calls credential("KEY"):
  1. The system looks for a credential with that key in the workspace
  2. If found, the decrypted value is returned
  3. If not found, the step fails with a missing_credential error
credential("SLACK_BOT_TOKEN")

    Workspace credentials

    Found? → Return value
    Not found? → Error: missing_credential
Coming soon: Override credentials at the workflow or agent level, allowing you to use different values for specific workflows while keeping workspace defaults.

Security Considerations

Encryption

All credential values are encrypted using AES-256-GCM before storage. Values are only decrypted at the moment of execution and kept in memory for the minimum time necessary.

Access Control

  • Only workspace administrators can create, update, or delete credentials
  • Users with workflow edit/execute permissions can reference credentials by key, but cannot view values

Error Handling

Missing Credential

If your code references a credential that doesn’t exist: 
// This will throw an error if MY_KEY doesn't exist
const value = credential("MY_KEY");
// Error: missing_credential - Credential 'MY_KEY' not found
Solution: Create the credential in Workspace Settings before running the workflow.

Best Practice: Validate Early

Check for required credentials at the start of your code: 
// Validate all required credentials upfront
const slackToken = credential("SLACK_BOT_TOKEN");
const openaiKey = credential("OPENAI_API_KEY");

if (!slackToken || !openaiKey) {
  throw new Error("Missing required credentials");
}

// Continue with your logic...

Best Practices

Do

  • Use descriptive, consistent key names
  • Rotate credentials periodically
  • Use separate credentials for different services
  • Test workflows after credential rotation
  • Document what each credential is used for

Don't

  • Hardcode secrets in workflow code
  • Log or print credential values
  • Share credential values outside the system
  • Use the same credential for multiple purposes
  • Delete credentials without checking dependencies

Frequently Asked Questions

No. For security reasons, credential values cannot be retrieved after creation. You can only update (overwrite) or delete them.
Each step resolves credentials at execution time. If a credential is rotated mid-run, subsequent steps will use the new value. Already-executing steps continue with the value they retrieved.
Credentials are available in Code Execution steps and Agent steps via the credential() function. They cannot be used in workflow configuration fields or template strings.
There’s no strict limit, but we recommend keeping credentials organized and removing unused ones to maintain clarity.
No. Credentials are scoped to a single workspace. Each workspace has its own isolated set of credentials.
Credential values can be up to 64KB. For larger secrets, consider storing them in a dedicated secret manager and using a credential to store the access token.

Summary

FeatureDescription
StorageEncrypted key-value pairs in workspace settings
AccessVia credential("KEY") function in Code Execution and Agents
ScopeWorkspace-level (all workflows can access)
SecurityAES-256-GCM encryption, never logged or exposed
ManagementCreate, update (rotate), delete via Workspace Settings
Credentials provide a secure, centralized way to manage sensitive values across your workflows, eliminating the need for hardcoded secrets and simplifying key rotation.