For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Dashboard
User GuideDeveloper GuidesAPI Reference
User GuideDeveloper GuidesAPI Reference
  • Getting Started
    • What is Runtype?
    • Creating your account
    • Platform keys vs. BYOK
    • Understanding the Runtype UI
    • Quickstart: Social Media Post Generator
    • Quickstart: From Agent to Chat Widget
  • Dashboard
    • What is the Dashboard?
    • Daily executions
  • Playground
    • What is the Playground?
  • Products & Surfaces
    • What are Products?
    • What are Surfaces?
    • Creating a product
    • Setting up a chat surface
    • Setting up an API surface
    • Setting up an MCP surface
    • Setting up an A2A surface
    • Setting up a Slack surface
    • Setting up a webhook surface
    • MCP authentication
    • Authenticating with product API keys
    • Embedding the chat widget (script tag)
    • Embedding the chat widget (React)
    • Surface orchestration modes
    • Product views
    • Adding capabilities to a product
    • Connecting external agents
    • How A2A works
    • Connecting to MCP clients
    • Scoping API keys to capabilities
    • Auto-generated OpenAPI spec
    • Calling your API endpoints
    • Client tokens and domain restrictions
    • AI-powered theme generation
    • Widget theming and customization
    • Product versioning and status
  • Flows
    • What are Flows?
    • Creating and editing flows
    • Flow step types overview
    • Agent and flow templates
    • Using prompt steps
    • Using transform-data steps
    • Using conditional steps
    • Using fetch-url and api-call steps
    • Using record steps (upsert/retrieve)
    • Flow variables and templates
    • Flow versioning and publishing
    • Running flows in batch
    • Handling batch failures
    • Debugging flows
  • Agents
    • What are Agents?
    • Creating and configuring agents
    • Agent tools
  • Records
    • What are Records?
    • Creating and managing records
    • Using records in flows
    • Filtering and searching records
  • Tools
    • What are Tools?
    • Built-in tools
    • Creating custom tools
    • Creating external tools
    • Runtime tools
  • Evals
    • What are Evals?
    • Running an eval
    • Interpreting eval results
  • Schedules
    • What are Schedules?
    • Automating batch processing
  • Logs
    • What are Logs?
    • Working with logs
  • Integrations
    • Connecting AI model providers
    • Slack integration
    • Google Workspace integration
    • GitHub integration
    • Linear integration
    • Weaviate (vector search)
    • Firecrawl (web scraping)
    • Exa (web search)
    • Braintrust (tracing)
  • Settings
    • What's in Settings?
    • Available AI models
    • What are Organizations?
    • Managing AI models
    • Managing API keys
    • Managing secrets
    • Billing and plans
    • Usage data
    • Team members and permissions
    • Appearance and preferences
    • Integrations (PostHog, Weaviate, Daytona)
  • Troubleshooting & FAQ
    • FAQ
    • Rate limits and usage
    • Managing Runtype with Claude
    • Agent skills
    • Flow execution failures
    • Common errors and solutions
    • Authentication issues
Dashboard
LogoLogo
On this page
  • How secrets work
  • Add a secret
  • Reference a secret in a tool
  • {{secret:NAME}} vs {{secrets.name}}
  • Rotate, revoke, and delete
  • Tools that need a secret
  • Next steps
Settings

Managing secrets

Was this page helpful?
Previous

Billing and plans

Next
Built with

Secrets are a secure, central place to store credentials — API keys, tokens, and other sensitive values — that your external tools need. You register a secret once under a name, then reference it by that name from any external tool. Runtype resolves the value at runtime and never exposes it to the AI model, the response, or your logs.

How secrets work

A secret is a named value stored encrypted in your account. Secrets are write-only: once you save one, the dashboard and API never return its value again. You only ever see a masked preview (for example, the last few characters) to help you identify it. To change a value, you rotate it — you cannot read the existing one back.

Each secret has:

  • A name that you reference in tools. Names are unique within your account and case-insensitive.
  • A masked preview so you can tell secrets apart in the list.
  • A status of active or revoked, and a version that increments each time you rotate the value.

Secrets are encrypted at rest, resolved only inside the tool that uses them, and scrubbed from streamed events, stored results, and logs.

Add a secret

  1. Go to Settings → Secrets.
  2. Click Add Secret.
  3. Enter a name (for example, stripe_api_key) and paste the value.
  4. Save.

The value is encrypted immediately. After saving, only the masked preview is shown.

Reference a secret in a tool

Use the {{secret:NAME}} syntax wherever an external tool accepts text — the URL, headers, or body:

Authorization: Bearer {{secret:stripe_api_key}}
X-API-Key: {{secret:service_key}}

At execution time, Runtype substitutes the stored value directly into the outgoing HTTP request before anything else runs. The value never enters the model’s context, so the AI cannot see or repeat it.

Managed secrets work only in external (HTTP) tools and in the fetch-url and api-call steps. They are intentionally blocked from custom code, transform-data steps, and other tool types so a credential can never be read by code you control. If you add a {{secret:NAME}} reference to a tool type that doesn’t support it, the save is rejected.

{{secret:NAME}} vs {{secrets.name}}

These look similar but are different mechanisms:

SyntaxSourceLifetime
{{secret:NAME}} (colon)Stored in your account’s Secrets storePersistent — managed in Settings
{{secrets.name}} (dot)Passed in the secrets field of a dispatch requestEphemeral — only for that request

Use {{secret:NAME}} for credentials you manage once and reuse. Use {{secrets.name}} when a developer supplies a per-request value through the API or SDK, such as a per-user token in a multi-tenant app.

Rotate, revoke, and delete

  • Rotate — replace the value while keeping the same name. Every tool that references it picks up the new value automatically, and the version increments.
  • Revoke — mark a secret inactive so it can no longer resolve.
  • Delete — remove the secret entirely.

Tools that need a secret

If a tool references a secret you haven’t configured yet, Runtype marks the tool as needing configuration rather than failing silently. When this happens through an MCP client, the tool returns a configuration-required response with a link to the dashboard, so the credential is never requested through the AI model. Open that link, add the missing secret, and the tool resolves normally on the next run.

Next steps

  • Creating external tools — build HTTP tools that use secrets
  • Using fetch-url and api-call steps — call APIs from a flow
  • Managing API keys — keys for calling the Runtype API itself