Skip to main content
The workflow vault stores sensitive values for workflows. Use it for API tokens, passwords, SMTP credentials, SSH material, webhook caller keys, or signing keys used by workflow authorizers. Vault values are returned as metadata after creation. The secret value itself is not exposed again through the API response.

Prerequisites

Before you create vault items, make sure you have:
  • Permission to manage workflow vault entries.
  • A clear owner and rotation plan for each secret.
  • The workflow or authorizer that will use the secret.
  • An expiry date for credentials that should rotate.

Create A Secret

1

Open the vault

Go to Automation, open Workflows, then open Vault.
2

Create the item

Add a secret with a name between 3 and 50 characters. Use a name that describes the service and environment.
3

Enter the value

Paste the secret value. Regular vault secret values can be up to 2,000 characters.
4

Set expiry when useful

Add an expiry date for credentials that should not live forever.
5

Save and reference it

Save the item, then select it from workflow nodes that support vault-backed credentials.

Generate A Workflow API Key

For workflow API keys, create a vault item whose name starts with api-key:. SDX generates a key with the wfk_ prefix and shows it once.
Generated API keys cannot be retrieved again. Store the generated key in your organization’s approved secret manager immediately after creation.

Where Vault Items Are Used

Common vault-backed workflow uses include:
  • Authorization headers for external HTTP calls.
  • SMTP passwords.
  • SSH credentials.
  • SOAP authentication material.
  • Static signing keys for authorizers.
  • Workflow API keys for inbound requests.

Rotation And Deletion

When rotating a credential:
  1. Create or update the vault item.
  2. Test the workflow node that uses it.
  3. Run a controlled workflow test.
  4. Watch the first production run after activation.
  5. Delete stale vault items only after all workflows have moved to the new secret.
Use environment-specific names such as prod-ticketing-api-token or test-smtp-password. Generic names make incident response slower.

Workflow authorizations

Understand user-delegated workflow access.

Build workflows

Use vault-backed secrets safely inside nodes.