Secrets are crendentials that you can pull into your workflows to access APIs and tooling.

You can find the complete list of secrets and requirements in the secrets cheatsheet.

Secret Types

We currently only support custom type secrets, where the encrypted credentials are a list of key-value pair JSON objects with only the keys key and value.

For example:

{
  "type": "custom",
  "name": "my_secret",
  "keys": [
    {
      "key": "SOME_API_KEY",
      "value": "SOME_SECRET_VALUE"
    },
    {
      "key": "ANOTHER_API_KEY",
      "value": "ANOTHER_SECRET_VALUE"
    }
  ]
}

We have planned support for other secret types like oauth2, token.

Just-In-Time Secrets Access

Tracecat’s secret manager manages the lifecycle of secrets during execution. We actively try to minimize secret exposure in the execution context and environment by making them available only at the time of execution. When an action completes, Tracecat removes secrets from the execution context.

Secrets also use pydantic.SecretStr to ensure that the secrets are not accidentally logged or exposed in the UI/logs.

Creating Secrets

You can create secrets using the Tracecat CLI or the API.

ActionsWebhooks