Skip to main content
Hardcoding sensitive information like API keys, authentication tokens, or passwords directly into your workflows is insecure and makes managing credentials difficult. The Altostrat Vault solves this problem by providing a secure, centralized location to store your secrets. Values stored in the Vault are encrypted at rest and can only be accessed by your workflows during execution. The secret values are never exposed in the UI or API responses after they are created, ensuring your credentials remain confidential.

​
The Secure Workflow with the Vault

​
Managing Secrets in the Vault

1

1. Navigate to the Vault

In the SDX dashboard, go to Automation β†’ Vault. This will display a list of all the secrets you have stored. Note that only the names and metadata are shown, never the secret values themselves.
2

2. Create a New Vault Item

Click + Add Item to create a new secret.
  1. Name: Provide a unique, descriptive name for your secret. This is how you will reference it in your workflows (e.g., stripe_production_key).
  2. Secret Value: Paste the sensitive value (the API key, token, etc.) into this field. This is the only time you will enter the secret.
  3. Expiration (Optional): Set an optional expiration date for the secret. This is a good security practice for rotating keys.
  4. Click Save.
3

3. Edit or Delete an Item

From the Vault list, you can click on any item to update its name or secret value, or click the trash can icon to permanently delete it.

​
Using a Secret in a Workflow

Once a secret is stored in the Vault, you can reference it in any workflow action that supports text input (like a Webhook action’s headers or body). To reference a secret, use the vault object with Liquid syntax: {{ vault.your_secret_name }}

​
Example: Authenticating an API Call

The most common use case is providing a bearer token in an Authorization header for a Webhook action.
  1. Create a Webhook action in your workflow.
  2. Add a new header with the key Authorization.
  3. For the value, enter your secret reference. If the secret name is my_service_api_key, the value would be: Bearer {{ vault.my_service_api_key }}
During execution, the workflow will replace the Liquid tag with the actual secret value from the Vault before sending the request.

​
Special Feature: Generating API Keys

The Vault can also generate secure, random API keys for you. This is useful when you need to provide a key to an external service so it can securely call one of your Webhook Triggers. To generate a key, simply prefix the Name with api-key: when creating a new Vault item. For example, api-key:incoming-webhook-key. Leave the Secret Value field blank, and the system will generate a secure key for you and display it once.

​
Best Practices

Never Hardcode Secrets

The most important rule. Always use the Vault for API keys, tokens, passwords, and any other sensitive string. This is the primary purpose of the Vault.

Use Descriptive Names

Name your secrets clearly, including the environment if applicable (e.g., stripe_test_key, slack_webhook_production). This makes your workflows easier to read and manage.

Implement Key Rotation

For high-security credentials, set an expiration date when you create them in the Vault. This encourages good security hygiene by prompting you to rotate keys periodically.