> ## Documentation Index
> Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Use The Workflow Vault

> Store workflow secrets, generated API keys, and signing material without exposing sensitive values in workflow definitions.

The workflow vault stores sensitive values for workflows. Use it for API tokens, passwords, SMTP credentials, SSH material, webhook caller keys, or signing keys used by workflow authorizers.

Vault values are returned as metadata after creation. The secret value itself is not exposed again through the API response.

## Prerequisites

Before you create vault items, make sure you have:

* Permission to manage workflow vault entries.
* A clear owner and rotation plan for each secret.
* The workflow or authorizer that will use the secret.
* An expiry date for credentials that should rotate.

## Create A Secret

<Steps>
  <Step title="Open the vault">
    Go to **Automation**, open **Workflows**, then open **Vault**.
  </Step>

  <Step title="Create the item">
    Add a secret with a name between 3 and 50 characters. Use a name that describes the service and environment.
  </Step>

  <Step title="Enter the value">
    Paste the secret value. Regular vault secret values can be up to 2,000 characters.
  </Step>

  <Step title="Set expiry when useful">
    Add an expiry date for credentials that should not live forever.
  </Step>

  <Step title="Save and reference it">
    Save the item, then select it from workflow nodes that support vault-backed credentials.
  </Step>
</Steps>

## Generate A Workflow API Key

For workflow API keys, create a vault item whose name starts with `api-key:`. SDX generates a key with the `wfk_` prefix and shows it once.

<Warning>
  Generated API keys cannot be retrieved again. Store the generated key in your organization's approved secret manager immediately after creation.
</Warning>

## Where Vault Items Are Used

Common vault-backed workflow uses include:

* Authorization headers for external HTTP calls.
* SMTP passwords.
* SSH credentials.
* SOAP authentication material.
* Static signing keys for authorizers.
* Workflow API keys for inbound requests.

## Rotation And Deletion

When rotating a credential:

1. Create or update the vault item.
2. Test the workflow node that uses it.
3. Run a controlled workflow test.
4. Watch the first production run after activation.
5. Delete stale vault items only after all workflows have moved to the new secret.

<Tip>
  Use environment-specific names such as `prod-ticketing-api-token` or `test-smtp-password`. Generic names make incident response slower.
</Tip>

## Related Pages

<CardGroup cols={2}>
  <Card title="Workflow authorizations" icon="user-check" href="./authorizations" arrow="true">
    Understand user-delegated workflow access.
  </Card>

  <Card title="Build workflows" icon="workflow" href="./building-workflows" arrow="true">
    Use vault-backed secrets safely inside nodes.
  </Card>
</CardGroup>