API Monitoring & Testing: Secrets Management

The Secrets Management feature requires a qualifying plan. Please contact Sales to get started.

The Secrets feature lets team owners create and manage key/value variables whose values are encrypted and hidden. All team members can then use those variables in their tests through the new built-in function {{get_secret(key)}}.

In the same way you might have a .env or config file in your app that includes sensitive variables you don't want to be checked in to your project's version control repository, our secrets feature can help you keep sensitive information secure.

A few common cases where Secrets can be used:

  • You might have an API key or access token that you do not wish to be visible in your tests for security reasons
  • You're working with an API that requires authentication credentials that you don't want exposed
  • You don't want to send certain information to 3rd-party integrations


Creating Secrets

Important: only team owners are able to view the secrets menu and create/edit/delete secrets variables.

Click on your profile on the top-right and select Secrets from the drop-down:

The Runscope logged in dashboard, highlighting the Secrets option on the user's drop-down menu

In the secrets page, if you are the team owner you'll see Add Secret. Click on it to create a new secret key/value pair, enter the name that will be used to access it throughout your tests, and the value:

The Secrets menu page view that a team owner can access, showing the Add Secret button and a secret variable created with the name private_api_key and an encrypted value

Click Save Changes, and you're all set!

Using Secrets

To use secrets in your tests, you'll have to use a built-in function:

| Variable/Function | Description |
| --- | --- |
| {{get_secret(key)}} | Retrieves the secret value for the key name. |

An API test in editor mode, highlighting a test step and the Headers section with a header for Authorization, and the value using the get_secret function

To find out which secrets are available in your Runscope account, check with your team owner, who is listed on the Team Members page.

This built-in function can be used just like any other Runscope built-in function, which means you can add it to your environment settings, initial variables, pre-request/post-response scripts, etc. To use it in scripts, call the function as get_secret(key), without the surrounding double curly braces:

// Example pre-request / post-response script
request.params.push({name:"api_key", value: get_secret("secret_key")});

Whenever you have a step in your API tests that's using the get_secret function, the results for that step will omit any information that might contain the value for that secret, including the headers and body for both request and response.

An API test result, highlighting an assertion that shows a checkmark comparing two numbers, but the values are encrypted and only show asterisks since they're using a secrets variable
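
A check that fits the use cases listed above, as an added example that is not part of the Runscope documentation: it walks a test definition and flags sensitive headers or parameters that do not read their value through {{get_secret(key)}}. The test-definition shape, the field names and the sample values are constructed for illustration and are not Runscope's export format.

```javascript
// Added example: lint a test definition for credentials that bypass
// {{get_secret(key)}}. The object shape is an assumption, not Runscope's format.

// Header/parameter names that normally carry credentials.
const SENSITIVE_NAME = /(authorization|api[-_]?key|token|secret|password)/i;
// A value that is resolved from the secret store at run time.
const SECRET_REF = /\{\{\s*get_secret\(\s*["']?[\w.-]+["']?\s*\)\s*\}\}/;

// Returns one finding per sensitive field whose value does not use get_secret.
function findHardcodedCredentials(test) {
  const findings = [];
  for (const step of test.steps || []) {
    const fields = [
      ...Object.entries(step.headers || {}).map(
        ([name, value]) => ({ where: "header", name, value })),
      ...(step.params || []).map(
        ({ name, value }) => ({ where: "param", name, value })),
    ];
    for (const f of fields) {
      if (SENSITIVE_NAME.test(f.name) && !SECRET_REF.test(String(f.value))) {
        // Report the location only, never the value itself.
        findings.push(`${step.name}: ${f.where} "${f.name}" does not use get_secret`);
      }
    }
  }
  return findings;
}

// Constructed sample: the first step uses the secret store, the second does not.
const sampleTest = {
  steps: [
    { name: "List orders",
      headers: { Authorization: "Bearer {{get_secret(private_api_key)}}",
                 Accept: "application/json" },
      params: [{ name: "page", value: "1" }] },
    { name: "Create order",
      headers: { "Content-Type": "application/json" },
      params: [{ name: "api_key", value: "EXAMPLE-NOT-A-REAL-KEY" }] },
  ],
};

console.log(findHardcodedCredentials(sampleTest));
```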