Skip to main content
Workflow secrets are environment-scoped credentials that Retab can inject into workflow execution without storing raw values in block code or workflow config. Use secrets for API keys, bearer tokens, basic auth passwords, partner credentials, and other values that should not appear in prompts, block configs, or run output.

How Secrets Work

A secret has a stable name and an encrypted value:
The name is visible in metadata, workflow config, logs, and local bundles. The value is encrypted at rest and is only resolved when a workflow runtime needs it or when an authorized user explicitly asks for the value.
Do not paste secret values into function code, API-call headers, prompts, block labels, test fixtures, or sample JSON files. Store the value as a Retab secret and reference it by name.

Create And Manage Secrets

Use the CLI to create and update secrets without putting values in shell history:
or:
List and inspect metadata:
Metadata responses do not include the secret value. To read a value explicitly:
This prints the raw value so it can be used in shell commands:
For structured tooling, request JSON:
Delete a secret:

Mount Secrets Into Blocks

Blocks declare the secrets they need through mounts.secrets. A mount maps the Retab secret name to the same environment variable name inside the runtime.

Function Blocks

Function blocks receive mounted secrets as environment variables. Read them with os.environ:
Keep the value out of returned output and traces. If a function needs to call an external HTTP API, prefer an API-call block because function sandboxes do not have outbound network access.

API-Call Blocks

API-call blocks can reference mounted env vars in URL, header, and body fields:
Rendered request artifacts redact sensitive headers. The raw value is still used for execution.

Local Development

When you pull a function or API-call block config locally, Retab generates placeholder env files:
The local bundle includes:
By default, .env.local contains placeholders:
You can fill the values yourself, export them in your shell, or let Retab fill them explicitly:
--fill-secrets writes values only to .env.local, never to config.json or manifest.json, and it does not print secret values. Existing local values are preserved by default. To overwrite them:
Local runtime resolution order is:
That lets you override one run without editing the file:

API Reference

Best Practices

  1. Use one secret per credential and name it after the environment variable the runtime should receive.
  2. Keep test and production credentials in separate Retab environments.
  3. Reference secrets through mounts.secrets; do not inline raw values in block config.
  4. Treat retab secrets value and --fill-secrets as explicit local developer actions.
  5. Do not commit .env.local, sample files containing credentials, or rendered unredacted request artifacts.