Variables and secrets: workspace-level, per-monitor, rotation

Owner Theo Hayashi · Last updated 2026-04-01 · v3.4

Variables and secrets

Secrets in DevFlow are encrypted at rest with a per-workspace KMS key, decrypted only inside our edge probes at execution time, and never written to logs.

creating a secret

bash
devflow secrets put PAYMENTS_PROD_TOKEN --value "df_pat_xxx"

Or paste it once into Settings → Secrets in the dashboard. Once created, the value is write-only — you can rotate it but you cannot read it back.

scopes

  • Workspace secrets are visible to every project. Use for shared signing keys.
  • Project secrets are visible only inside the project. Default; safer.

referencing in a monitor

yaml
headers:
  Authorization: "Bearer ${secrets.PAYMENTS_PROD_TOKEN}"

Or in the body:

yaml
body: |
  { "client_id": "${secrets.OAUTH_CLIENT_ID}", "scope": "read" }

The ${...} substitution happens edge-side at execution. The plaintext secret never appears in our control-plane logs.
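
As an added example (not DevFlow's own tooling), here is a check for monitor definitions kept in version control: it flags tokens pasted in directly and Authorization headers that bypass the `${secrets.NAME}` reference. The `df_pat_` prefix is taken from the sample values on this page; the `known_secrets` allow-list, the function name and the sample input are assumptions constructed for this example.

```python
import re

# Reference syntax documented on this page: ${secrets.NAME}
SECRET_REF = re.compile(r"\$\{secrets\.([A-Za-z_][A-Za-z0-9_]*)\}")
# Assumption: tokens carry the "df_pat_" prefix seen in the page's sample values.
TOKEN_LITERAL = re.compile(r"\bdf_pat_[A-Za-z0-9_-]+")
# An Authorization header line with a scheme followed by a credential.
AUTH_LINE = re.compile(
    r"""^\s*Authorization:\s*["']?(Bearer|Basic|Token)\s+(\S.*?)["']?\s*$""", re.I
)

# Constructed sample monitor definition (not from a real workspace).
SAMPLE = """headers:
  Authorization: "Bearer ${secrets.PAYMENTS_PROD_TOKEN}"
  Idempotency-Key: "{{run_id}}"
body: |
  { "client_id": "${secrets.OAUTH_CLIENT_ID}", "token": "df_pat_constructed123" }
"""


def lint_monitor(text, known_secrets):
    """Return (line_no, rule, detail) findings; never echoes a full credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        # Rule 1: a token pasted straight into the definition (comments included).
        for m in TOKEN_LITERAL.finditer(line):
            findings.append((no, "literal-token", m.group(0)[:7] + "..."))
        # Rule 2: an Authorization credential that is not a secret reference.
        auth = AUTH_LINE.match(line)
        if auth and not SECRET_REF.search(auth.group(2)):
            findings.append((no, "auth-without-secret-ref", auth.group(1)))
        # Rule 3: a reference to a name missing from the allow-list (typo, stale name).
        for m in SECRET_REF.finditer(line):
            if m.group(1) not in known_secrets:
                findings.append((no, "unknown-secret", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in lint_monitor(SAMPLE, {"PAYMENTS_PROD_TOKEN"}):
        print(finding)
```

Because secret values are write-only, the allow-list holds names only and has to be maintained alongside the monitor definitions.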

template variables

In addition to secrets, every check has access to:

  • {{run_id}} — UUID per execution. Use for idempotency keys.
  • {{timestamp}} — Unix seconds at execution.
  • {{region}} — the edge running the check (us-east-1 etc.).

{{run_id}} is the right fit for idempotent retries (see retry-policy).

rotation

bash
devflow secrets put PAYMENTS_PROD_TOKEN --value "df_pat_yyy"

Rotation takes effect on the next check. There is no monitor reload and no propagation delay greater than a few seconds. The audit trail shows who rotated and when — see rest-api-authentication for the full audit fields.

what we audit

Every secret create / update / delete is logged with actor, IP, and timestamp, retained for 365 days. Read access is never logged because there is no read access — secrets only flow to edges, not to humans.
