Secrets

Secrets stores sensitive credentials — API keys, connection strings, tokens — in an encrypted vault your app or agent reads at runtime.

Secrets is an encrypted vault for sensitive credentials. Your app or agent reads secrets at runtime as environment variables — they are never written into source code or exposed to the frontend.

Available in both the App builder and Agent builder via the + button.

What you see

Three collapsible sections:

Section
When it applies

Variables for Backend

Available in all environments (development and production)

Variables for Backend, only in app workspace

Development only

Variables for Backend, only in deployed app

Production only

Each variable row shows its name, a hidden value (click Reveal & Edit to view or change it), and a delete button. Variables from team-level integrations appear as read-only with a lock icon.

Adding a secret

  1. Expand the appropriate section

  2. Click Add secret

  3. Enter the key name (e.g. ERP_API_KEY) and value

  4. Save — the Riff agent can use it immediately by referencing the key name

On enterprise accounts, click Add from Team to attach a shared account-level secret. It appears as a read-only variable once added — your project can use it without seeing the raw value.

Last updated

Was this helpful?