Creating & Managing Secrets

Secrets store sensitive values -- API keys, tokens, passwords, and credentials -- that your workflows and connectors need to interact with external systems. Nembl manages secrets securely using AWS Secrets Manager as the underlying storage.

How Secrets Work

Secrets are stored encrypted and scoped to your company. They are never exposed in logs, audit trails, or API responses. When a workflow phase or connector needs a secret, it references the secret by name, and Nembl injects the value at runtime.

Secret Path Convention

Each secret is stored under your company's namespace:

nembl/{companyId}/{secretSlug}

The slug must be lowercase alphanumeric with hyphens (e.g., github-api-token, slack-bot-key).

Creating a Secret

  1. Navigate to Settings > Secrets.
  2. Click Create Secret.
  3. Enter a name (slug) for the secret. This is the identifier used in workflows and connectors.
  4. Enter the value (the actual API key, token, or password).
  5. Add an optional description explaining what the secret is for.
  6. Add optional tags for policy-based access control (e.g., environment: production, service: github).
  7. Click Save.

The secret value is encrypted immediately and cannot be viewed again after creation. You can only replace it.

Secret Types

Type         | Use Case                                   | Example
API Key      | Authenticating with external APIs          | GitHub personal access token, Stripe API key
OAuth Token  | Stored OAuth refresh tokens for connectors | Slack bot token, Jira OAuth credentials
Password     | Database or service passwords              | External database password
Certificate  | TLS certificates or signing keys           | Webhook signature verification key
Custom       | Any arbitrary sensitive value              | License keys, shared secrets

Managing Secrets

Viewing Secrets

Navigate to Settings > Secrets to see all secrets in your company. The list shows:

  • Secret name (slug)
  • Description
  • Tags
  • Created date
  • Last rotated date
  • Bound resources (which workflows or connectors reference this secret)

The secret value is never shown. Only the metadata is visible.

Updating a Secret Value

When you need to rotate a key or update a credential:

  1. Click on the secret from the list.
  2. Click Update Value.
  3. Enter the new value.
  4. Click Save.

The new value takes effect immediately for all workflows and connectors that reference this secret. Running workflow instances that already retrieved the old value are unaffected; only new retrievals get the updated value.

Deleting a Secret

  1. Click on the secret.
  2. Click Delete.
  3. Review the list of resources that reference this secret. Deleting a secret that is in use will cause those workflows or connectors to fail.
  4. Confirm deletion.

Deleted secrets cannot be recovered. Create a new secret if you need to restore access.

Key Rotation

Regular key rotation reduces the risk of compromised credentials.

Manual Rotation

  1. Generate a new API key or token from the external service.
  2. Update the secret value in Nembl (see "Updating a Secret Value" above).
  3. Verify that workflows and connectors continue to function with the new key.
  4. Revoke the old key in the external service.

Rotation Reminders

Set a rotation reminder on any secret:

  1. Open the secret detail page.
  2. Click Set Rotation Reminder.
  3. Choose a reminder interval (30, 60, 90 days, or custom).
  4. Nembl sends a notification when the secret is due for rotation.

Binding Secrets to Workflow Connectors

Secrets are used in workflows by binding them to connector configurations or workflow phase environment variables.

In Connector Configuration

When configuring a connector (e.g., GitHub, Slack), you select a secret to use for authentication:

  1. Navigate to Settings > Connectors.
  2. Open the connector.
  3. In the Authentication section, select the secret from the dropdown.
  4. The connector uses this secret for all API calls.

In Workflow Phase Environment Variables

For custom integrations in workflow phases:

  1. Open the workflow in the builder.
  2. Click on the phase that needs the secret.
  3. In the phase configuration, add an environment variable.
  4. Set the value source to Secret and select the secret name.
  5. The secret value is injected at runtime as an environment variable.

Phase: "Deploy to Staging"
Environment Variables:
  DEPLOY_TOKEN = secret:deploy-api-token
  AWS_ACCESS_KEY = secret:aws-deploy-key
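The following added example (not Nembl's own code) shows how the secret path convention and the `secret:<slug>` environment-variable binding above fit together: it validates slugs, builds the nembl/{companyId}/{secretSlug} path, resolves a phase's bindings against a stand-in store, and produces a masked copy for logging. The in-memory store, company id "acme" and the `fetch` callback are assumptions standing in for the AWS Secrets Manager lookup.

```python
import re
from typing import Callable, Dict

# Slug rule from the page: lowercase alphanumeric segments joined by hyphens.
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")
SECRET_PREFIX = "secret:"


def is_valid_slug(slug: str) -> bool:
    return SLUG_RE.fullmatch(slug) is not None


def secret_path(company_id: str, slug: str) -> str:
    """Build the storage path nembl/{companyId}/{secretSlug}; reject malformed slugs."""
    if not is_valid_slug(slug):
        raise ValueError(f"invalid secret slug {slug!r}")
    return f"nembl/{company_id}/{slug}"


def resolve_phase_env(company_id: str, bindings: Dict[str, str],
                      fetch: Callable[[str], str]) -> Dict[str, str]:
    """Turn a phase's environment-variable bindings into concrete values.

    'secret:<slug>' bindings are fetched by path through `fetch` (an assumed
    stand-in for the Secrets Manager lookup); anything else is a literal.
    A missing secret raises, matching the page's note that deleting a
    referenced secret makes the phase fail.
    """
    env: Dict[str, str] = {}
    for name, binding in bindings.items():
        if binding.startswith(SECRET_PREFIX):
            path = secret_path(company_id, binding[len(SECRET_PREFIX):])
            try:
                env[name] = fetch(path)
            except KeyError:
                raise RuntimeError(f"{name}: secret {path} does not exist") from None
        else:
            env[name] = binding
    return env


def loggable(bindings: Dict[str, str], env: Dict[str, str]) -> Dict[str, str]:
    """Copy of the resolved env that is safe to log: secret-backed values are masked."""
    return {k: "***" if bindings[k].startswith(SECRET_PREFIX) else v for k, v in env.items()}


if __name__ == "__main__":
    # Constructed in-memory store and phase config (placeholder values, not real credentials).
    store = {"nembl/acme/deploy-api-token": "tok-123", "nembl/acme/aws-deploy-key": "key-456"}
    phase = {"DEPLOY_TOKEN": "secret:deploy-api-token",
             "AWS_ACCESS_KEY": "secret:aws-deploy-key", "REGION": "us-east-1"}
    env = resolve_phase_env("acme", phase, store.__getitem__)
    print(loggable(phase, env))  # {'DEPLOY_TOKEN': '***', 'AWS_ACCESS_KEY': '***', 'REGION': 'us-east-1'}
```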

Access Control for Secrets

Secrets are governed by the policy engine. Use policies to control who can create, read, update, and delete secrets.

Common Patterns

Pattern                                  | Policy
Only admins can create secrets           | Allow secrets:create for Admin role only
Developers can use but not view secrets  | Allow secrets:read (metadata only); deny secrets:read_value
Restrict production secrets              | Deny secrets:update where tag environment: production for non-admin groups
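As an added illustration (not Nembl's policy engine or its policy syntax), here the three patterns in the table are expressed as rules in a small default-deny evaluator where an explicit deny overrides any allow, and the third pattern's tag condition is checked against the secret's tags. The `Rule` shape, the role names "Admin" and "Developer", and the `exclude_roles` field used to express "non-admin" are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

Tags = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    effect: str                                   # "allow" or "deny"
    action: str                                   # e.g. "secrets:read_value"
    roles: Optional[FrozenSet[str]] = None        # applies only to these roles (None = every role)
    exclude_roles: FrozenSet[str] = frozenset()   # roles the rule never applies to
    secret_tags: Optional[Tags] = None            # applies only to secrets carrying these tags


def rule_applies(rule: Rule, role: str, action: str, tags: Tags) -> bool:
    """True when the rule's action, role filters and tag condition all match the request."""
    if rule.action != action or role in rule.exclude_roles:
        return False
    if rule.roles is not None and role not in rule.roles:
        return False
    if rule.secret_tags and any(tags.get(k) != v for k, v in rule.secret_tags.items()):
        return False
    return True


def is_allowed(rules: List[Rule], role: str, action: str, tags: Tags) -> bool:
    """Default deny: permitted only if an allow rule matches and no deny rule does."""
    matched = [r for r in rules if rule_applies(r, role, action, tags)]
    if any(r.effect == "deny" for r in matched):
        return False
    return any(r.effect == "allow" for r in matched)


# The three patterns from the table, written in this example's assumed rule form.
POLICY = [
    Rule("allow", "secrets:create", roles=frozenset({"Admin"})),
    Rule("allow", "secrets:read"),                                  # metadata, any role
    Rule("allow", "secrets:read_value", roles=frozenset({"Admin"})),
    Rule("deny", "secrets:read_value", roles=frozenset({"Developer"})),
    Rule("allow", "secrets:update", roles=frozenset({"Admin", "Developer"})),
    Rule("deny", "secrets:update", exclude_roles=frozenset({"Admin"}),
         secret_tags={"environment": "production"}),
]

if __name__ == "__main__":
    # Constructed checks: a developer may rotate a staging secret but not a production one.
    print(is_allowed(POLICY, "Developer", "secrets:update", {"environment": "staging"}))     # True
    print(is_allowed(POLICY, "Developer", "secrets:update", {"environment": "production"}))  # False
```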

See Policies & ABAC for full policy configuration details.

Best Practices

  • Never hardcode secrets. Always use Nembl's secret management instead of pasting values into workflow configurations.
  • Rotate regularly. Set rotation reminders for all API keys and tokens, especially those with broad access.
  • Tag secrets consistently. Use environment, service, and sensitivity tags to enable policy-based access control.
  • Audit secret access. Review the audit log for secrets:read events to monitor who is accessing sensitive credentials.
  • Delete unused secrets. When a connector or workflow is removed, clean up the associated secrets.