Custom secrets in Torq enable the secure handling of sensitive authentication and authorization data within your workflows. This includes keys, passwords, usernames, API tokens/keys, and SSH keys. When used in a workflow, the actual secret values are concealed to provide confidentiality.
Important to know
Torq uses Google KMS for secret storage, ensuring robust encryption and compliance with FIPS 140-2 L3 validated HSM standards. The program securely accesses these secrets as needed—they are never displayed or logged, which maintains strict data protection.
Create custom secrets
There are two ways you can create a custom secret:
Option #1: Within a workflow
Open the workflow: Within your workflow, navigate to the step requiring sensitive data.
Open the step: In the sensitive data input field, type
$.secrets.to trigger autocomplete for available secrets.Create the secret: Select + Create new secret.
Name the secret with a meaningful identifier, such as <VENDOR>_api_key.
Enter the secret value you wish to safeguard.
Click Add to finalize.
Option #2: Via the Custom Secrets integration
Navigate to the integration: Go to Integrations > Steps > Custom Secrets.
Create a new integration instance: Click Add instance.
Enter a meaningful name for the secret, such as <VENDOR>_api_key.
Enter the secret value you wish to safeguard.
Click Add to finalize.
Reference custom secrets in workflows
To incorporate a custom secret into a workflow step, you can reference it with $.secrets. This method seamlessly integrates the protected data where needed without exposing the secret itself.
Dynamically reference custom secrets in workflows
You can use the custom secret's name as a parameter in your workflow (e.g. Workflow Parameters step), which allows it to change dynamically based on the workflow execution context. The example code below shows how the output of any step that returns the custom secret's name can be used:
{{ secret $.workflow_parameters.<SECRET NAME> }}
