Secrets

Secrets stores sensitive credentials — API keys, connection strings, tokens — in an encrypted vault your app or agent reads at runtime.

Secrets is an encrypted vault for sensitive credentials. Your app or agent reads secrets at runtime as environment variables — they are never written into source code or exposed to the frontend.

Available in both the App builder and Agent builder via the + button.

What you see

Three collapsible sections:

Section

When it applies

Variables for Backend

Available in all environments (development and production)

Variables for Backend, only in app workspace

Development only

Variables for Backend, only in deployed app

Production only

Each variable row shows its name, a hidden value (click Reveal & Edit to view or change it), and a delete button. Variables from team-level integrations appear as read-only with a lock icon.

Adding a secret

Expand the appropriate section
Click Add secret
Enter the key name (e.g. ERP_API_KEY) and value
Save — the Riff agent can use it immediately by referencing the key name

On enterprise accounts, click Add from Team to attach a shared account-level secret. It appears as a read-only variable once added — your project can use it without seeing the raw value.

PreviousStorage NextVersion History

Last updated 16 days ago

Was this helpful?