Documentation Index
Fetch the complete documentation index at: https://docs.retab.com/llms.txt
Use this file to discover all available pages before exploring further.
Workflow secrets are environment-scoped credentials that Retab can inject into
workflow execution without storing raw values in block code or workflow config.
Use secrets for API keys, bearer tokens, basic auth passwords, partner
credentials, and other values that should not appear in prompts, block configs,
or run output.
How Secrets Work
A secret has a stable name and an encrypted value:
RESEND_API_KEY
LOREAL_API_TOKEN
XPO_BASIC_AUTH
Do not paste secret values into function code, API-call headers, prompts,
block labels, test fixtures, or sample JSON files. Store the value as a Retab
secret and reference it by name.
Create And Manage Secrets
Use the CLI to create and update secrets without putting values in shell history:
retab secrets set RESEND_API_KEY --from-stdin
retab secrets set RESEND_API_KEY --from-file ./resend-api-key.txt
retab secrets list
retab secrets get RESEND_API_KEY
retab secrets value RESEND_API_KEY
export RESEND_API_KEY="$(retab secrets value RESEND_API_KEY)"
retab secrets value RESEND_API_KEY --output json
retab secrets delete RESEND_API_KEY
Mount Secrets Into Blocks
Blocks declare the secrets they need through mounts.secrets. A mount maps the
Retab secret name to the environment variable name that should be available to
the runtime.
{
"mounts": {
"secrets": [
{
"name": "RESEND_API_KEY",
"env": "RESEND_API_KEY",
"required": true
}
]
}
}
env is omitted, Retab uses the secret name as the environment variable
name.
Function Blocks
Function blocks receive mounted secrets as environment variables. Read them with
os.environ:
import os
from models import Input, Output
def transform(input_data: Input) -> Output:
api_key = os.environ["RESEND_API_KEY"]
return Output(has_api_key=bool(api_key))
API-Call Blocks
API-call blocks can reference mounted env vars in URL, header, and body fields:
{
"method": "POST",
"url": "https://api.example.com/orders",
"headers": {
"Authorization": "Bearer ${PARTNER_API_TOKEN}",
"Content-Type": "application/json"
},
"mounts": {
"secrets": [
{
"name": "PARTNER_API_TOKEN",
"env": "PARTNER_API_TOKEN"
}
]
}
}
Local Development
When you pull a function or API-call block config locally, Retab generates
placeholder env files:
retab workflows blocks pull-config wf_123 blk_api --out tmp/api
.env.local contains placeholders:
PARTNER_API_TOKEN=__REPLACE_ME__
retab workflows blocks api-calls hydrate tmp/api --fill-secrets
retab workflows blocks functions hydrate tmp/fn --fill-secrets
--fill-secrets writes values only to .env.local, never to config.json or
manifest.json, and it does not print secret values. Existing local values are
preserved by default. To overwrite them:
retab workflows blocks api-calls hydrate tmp/api --fill-secrets --force-secrets
shell environment > .env.local
PARTNER_API_TOKEN=override retab workflows blocks api-calls run tmp/api samples/order.json --execute
API Reference
Best Practices
- Use one secret per credential and name it after the environment variable the
runtime should receive.
- Keep test and production credentials in separate Retab environments.
- Reference secrets through
mounts.secrets; do not inline raw values in block
config.
- Treat
retab secrets value and --fill-secrets as explicit local developer
actions.
- Do not commit
.env.local, sample files containing credentials, or rendered
unredacted request artifacts.
