Workflow secrets are environment-scoped credentials that Retab can inject into
workflow execution without storing raw values in block code or workflow config.
Use secrets for API keys, bearer tokens, basic auth passwords, partner
credentials, and other values that should not appear in prompts, block configs,
or run output.
How Secrets Work
A secret has a stable name and an encrypted value:
The name is visible in metadata, workflow config, logs, and local bundles. The
value is encrypted at rest and is only resolved when a workflow runtime needs it
or when an authorized user explicitly asks for the value.
Do not paste secret values into function code, API-call headers, prompts,
block labels, test fixtures, or sample JSON files. Store the value as a Retab
secret and reference it by name.
Create And Manage Secrets
Use the CLI to create and update secrets without putting values in shell history:
or:
List and inspect metadata:
Metadata responses do not include the secret value. To read a value explicitly:
This prints the raw value so it can be used in shell commands:
For structured tooling, request JSON:
Delete a secret:
Mount Secrets Into Blocks
Blocks declare the secrets they need through mounts.secrets. A mount maps the
Retab secret name to the same environment variable name inside the runtime.
Function Blocks
Function blocks receive mounted secrets as environment variables. Read them with
os.environ:
Keep the value out of returned output and traces. If a function needs to call an
external HTTP API, prefer an API-call block because function sandboxes do not
have outbound network access.
API-Call Blocks
API-call blocks can reference mounted env vars in URL, header, and body fields:
Rendered request artifacts redact sensitive headers. The raw value is still used
for execution.
Local Development
When you pull a function or API-call block config locally, Retab generates
placeholder env files:
The local bundle includes:
By default, .env.local contains placeholders:
You can fill the values yourself, export them in your shell, or let Retab fill
them explicitly:
--fill-secrets writes values only to .env.local, never to config.json or
manifest.json, and it does not print secret values. Existing local values are
preserved by default. To overwrite them:
Local runtime resolution order is:
That lets you override one run without editing the file:
API Reference
Best Practices
- Use one secret per credential and name it after the environment variable the
runtime should receive.
- Keep test and production credentials in separate Retab environments.
- Reference secrets through
mounts.secrets; do not inline raw values in block
config.
- Treat
retab secrets value and --fill-secrets as explicit local developer
actions.
- Do not commit
.env.local, sample files containing credentials, or rendered
unredacted request artifacts.