Creating & Managing Vaults

Vaults store sensitive values -- API keys, tokens, passwords, and credentials -- that your workflows and connectors need to interact with external systems. Vaults are encrypted at rest, scoped to your Company, and never displayed by default.

How Vaults Work

Vaults are stored encrypted and scoped to your company. They are never exposed in logs, audit trails, or API responses. When a workflow phase or connector needs a vault value, it references the vault by name, and Nembl injects the value at runtime.

The vault:reveal permission gates the ability to view a stored value through the UI; vault:read alone grants metadata-only access (name, tags, last-rotated date, bound resources) without value access. See Roles & Permissions for the split.

Vault Path Convention

Each vault is stored under your company's namespace:

nembl/{companyId}/{vaultSlug}

The slug must be lowercase alphanumeric with hyphens (e.g., github-api-token, slack-bot-key).

Creating a Vault

  1. Navigate to Settings > Vaults.
  2. Click Create Vault.
  3. Enter a name (slug) for the vault. This is the identifier used in workflows and connectors.
  4. Enter the value (the actual API key, token, or password).
  5. Add an optional description explaining what the vault is for.
  6. Add optional tags for policy-based access control (e.g., environment: production, service: github).
  7. Click Save.

The vault value is encrypted immediately. After saving, the value is visible only to users with the secret:reveal permission, via the Reveal button on the vault detail page.

Vault Types

| Type | Use Case | Example |
|------|----------|---------|
| API Key | Authenticating with external APIs | GitHub personal access token, Stripe API key |
| OAuth Token | Stored OAuth refresh tokens for connectors | Slack bot token, Jira OAuth credentials |
| Password | Database or service passwords | External database password |
| Certificate | TLS certificates or signing keys | Webhook signature verification key |
| Custom | Any arbitrary sensitive value | License keys, shared values |

Managing Vaults

Viewing Vaults

Navigate to Settings > Vaults to see all vaults in your company. The flat list shows:

  • Vault name (slug)
  • Description
  • Tags
  • Created date
  • Last rotated date
  • Bound resources (which workflows or connectors reference this vault)

The list supports sorting and multi-select filtering by tag. Click any row to open the detail page.

Revealing a Vault Value

Users with the secret:reveal permission can view stored values:

  1. Open the vault detail page.
  2. Click Reveal.
  3. The value is shown until you navigate away or refresh.

The Reveal action is recorded in the audit log (secret:reveal event). Users with only secret:read see the metadata but no Reveal button.

Updating a Vault Value

When you need to rotate a key or update a credential:

  1. Open the vault detail page.
  2. Click Update Value.
  3. Enter the new value.
  4. Click Save.

The new value takes effect immediately for all workflows and connectors that reference this vault. Running workflow instances that already retrieved the old value are unaffected; only new retrievals get the updated value.

Deleting a Vault

  1. Click on the vault.
  2. Click Delete.
  3. Review the list of resources that reference this vault. Deleting a vault that is in use will cause those workflows or connectors to fail.
  4. Confirm deletion.

Deleted vaults cannot be recovered. Create a new vault if you need to restore access.

Key Rotation

Regular key rotation reduces the risk of compromised credentials.

Manual Rotation

  1. Generate a new API key or token from the external service.
  2. Update the vault value in Nembl (see "Updating a Vault Value" above).
  3. Verify that workflows and connectors continue to function with the new key.
  4. Revoke the old key in the external service.

Rotation Reminders

Set a rotation reminder on any vault:

  1. Open the vault detail page.
  2. Click Set Rotation Reminder.
  3. Choose a reminder interval (30, 60, 90 days, or custom).
  4. Nembl sends a notification when the vault is due for rotation.

Binding Vaults to Workflow Connectors

Vaults are used in workflows by binding them to connector configurations or workflow phase environment variables.

In Connector Configuration

When configuring a connector (e.g., GitHub, Slack), you select a vault to use for authentication:

  1. Navigate to Settings > Connectors.
  2. Open the connector.
  3. In the Authentication section, select the vault from the dropdown.
  4. The connector uses this vault for all API calls.

In Workflow Phase Environment Variables

For custom integrations in workflow phases:

  1. Open the workflow in the builder.
  2. Click on the phase that needs the value.
  3. In the phase configuration, add an environment variable.
  4. Set the value source to Vault and select the vault name.
  5. The vault value is injected at runtime as an environment variable.

Phase: "Deploy to Staging"
Environment Variables:
  DEPLOY_TOKEN = vault:deploy-api-token
  AWS_ACCESS_KEY = vault:aws-deploy-key
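
The vault: reference syntax above and the slug rule from "Vault Path Convention" can be checked before a workflow is saved. The following Python check is an added example, not Nembl code: it assumes phase settings are available as text in the layout shown above, uses `acme` as a placeholder company ID, and relies on a name-based heuristic (an assumption) to spot credentials pasted in as literals.

```python
import re

# Slug rule from the guide: lowercase alphanumeric with hyphens.
# Assumption: no leading, trailing, or doubled hyphens.
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")
ENV_LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
# Assumption: variable names containing these words hold credentials.
SENSITIVE_RE = re.compile(r"TOKEN|KEY|SECRET|PASSWORD|CREDENTIAL|WEBHOOK", re.I)

def vault_path(company_id, slug):
    """Build nembl/{companyId}/{vaultSlug}, rejecting slugs that break the rule."""
    if not SLUG_RE.match(slug):
        raise ValueError(f"invalid vault slug: {slug!r}")
    return f"nembl/{company_id}/{slug}"

def lint_phase(text):
    """Return (variable, problem) pairs for a phase block in the guide's layout."""
    findings, in_env = [], False
    for line in text.splitlines():
        if line.strip() == "Environment Variables:":
            in_env = True
            continue
        m = ENV_LINE_RE.match(line) if in_env else None
        if not m:
            continue
        name, value = m.groups()
        if value.startswith("vault:"):
            if not SLUG_RE.match(value[len("vault:"):]):
                findings.append((name, "vault reference with invalid slug"))
        elif SENSITIVE_RE.search(name):
            # Report the variable name only; never echo the suspected secret.
            findings.append((name, "literal value, not a vault reference"))
    return findings

# Constructed sample: the guide's example plus two deliberate mistakes.
SAMPLE = """\
Phase: "Deploy to Staging"
Environment Variables:
  DEPLOY_TOKEN = vault:deploy-api-token
  AWS_ACCESS_KEY = vault:aws-deploy-key
  AWS_REGION = us-east-1
  SLACK_WEBHOOK = https://hooks.example.invalid/constructed-placeholder
  DB_PASSWORD = vault:Prod_DB_Password
"""

if __name__ == "__main__":
    for name, problem in lint_phase(SAMPLE):
        print(f"{name}: {problem}")
    print(vault_path("acme", "github-api-token"))
```

Non-credential settings such as AWS_REGION pass untouched, so the check can run on every phase without flagging ordinary configuration.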

Access Control for Vaults

Vaults are governed by the policy engine. Use policies to control who can create, read, reveal, update, and delete vaults.

Common Patterns

| Pattern | Policy |
|---------|--------|
| Only admins can create vaults | Allow secret:create for Admin role only |
| Developers can bind but not view values | Allow secret:read (metadata only); deny secret:reveal |
| Restrict production vaults | Deny secret:update where tag environment: production for non-admin groups |

See Policies & ABAC for full policy configuration details.

Best Practices

  • Never hardcode values. Always use Nembl's vault management instead of pasting credentials into workflow configurations.
  • Rotate regularly. Set rotation reminders for all API keys and tokens, especially those with broad access.
  • Tag vaults consistently. Use environment, service, and sensitivity tags to enable policy-based access control.
  • Audit vault access. Review the audit log for secret:reveal events to monitor who is accessing sensitive credentials.
  • Delete unused vaults. When a connector or workflow is removed, clean up the associated vaults.