Variables and Secrets
Variables and Secrets are tenant-level values you can reference from Actions instead of hard-coding them into steps. They keep configuration in one place and keep sensitive values out of prompts and step parameters.
- A Variable holds a plaintext value you can read back at any time — an endpoint URL, an environment name, an account ID.
- A Secret holds a sensitive value that is encrypted at rest and never shown again after you save it — an API key, token, or password.
Where to Find Them
Open Variables & Secrets under Tenant Admin. Only Tenant Admins can manage these values. The page has a Variables tab and a Secrets tab, each showing the items defined for the tenant.
Naming
A name must start with a letter and contain only letters, numbers, and underscores — for example SLACK_API_URL or STORAGE_SAS_TOKEN. Names are treated as uppercase.
Adding a Variable
- Open the Variables tab and select New Variable.
- Enter a Name and the Value (for example
https://api.example.com). - Select Save.
The value is visible whenever you open the variable, so use Variables only for non-sensitive configuration.
Adding a Secret
- Open the Secrets tab and select New Secret.
- Enter a Name and the secret Value.
- Select Save.
After saving, the value is hidden and the secret shows as Configured. To change it, open the secret and enter a new value — leaving the value empty keeps the existing one. Studio never displays a stored secret value back to you.
Referencing Them in Actions
Reference a Variable or Secret with a placeholder:
{{VARIABLE.NAME}}
{{SECRET.NAME}}
Replace NAME with the Variable or Secret name. You can use these placeholders in places such as:
- Tool and Input configuration — for example an authorization header
Bearer {{SECRET.API_TOKEN}}or a URL that includes{{VARIABLE.BASE_URL}}. - App credential fields and AI model credentials.
The page provides a copy button next to each item that copies its placeholder so you can paste it where it is needed.
In Code Steps
Code steps read Variables and Secrets through helpers rather than placeholders:
const baseUrl = variables.get("BASE_URL");
const apiKey = secrets.get("API_KEY");
variables.get(name) returns any tenant Variable (or null if it isn't set). A Code step can only read Secrets that are bound to that step, which keeps secret access explicit. See Code Steps.
A Code step can also write a Variable with variables.set(name, value). The value persists after the run and is shared across Actions, which makes Variables a simple place to keep counters or state between runs:
const next = Number(variables.get("RUN_COUNT") ?? 0) + 1;
variables.set("RUN_COUNT", String(next));
Writes go through the same validation as the UI: names must start with a letter and contain only letters, numbers, and underscores, values are limited to 8192 characters, and a tenant can hold at most 1000 Variables. Secrets cannot be written from code.
Promoting Between Environments
Variables and Secrets are not included when you export an Action or App. When you promote work from UAT to Production, recreate the tenant's Variables and Secrets in the target tenant before running the Action. See Promoting from UAT to Production.
Things to Know
- Use a Secret, never a Variable, for anything sensitive — Variable values are readable.
- Configuring or removing a secret is recorded in the Audit Log; the secret value itself is never logged.
- Keep names stable. Renaming a Variable or Secret breaks any Action that references the old name.
Related Pages
- Apps — where App credentials are configured.
- Code Steps — reading secrets in JavaScript.
- Audit Log — tracking changes to secrets.