Variables and secrets
Variables are named values stored in your workspace and reused across workflows and scripts. A secret is a variable whose value is encrypted at rest and never returned in plaintext through the API or UI.
Variables
Variables hold non-sensitive configuration — a base URL, a feature flag, a default region. They are defined once and referenced wherever they are needed, so you change a value in one place rather than editing every workflow.
orvanta variable add https://api.example.com u/me/base_url
orvanta variable list
Variables live at a path (e.g. u/me/base_url or f/folder/base_url) and are referenced by that path from a flow input or script.
Secrets
A secret is simply a variable marked secret — for credentials, API keys, and tokens. Secrets are encrypted with the workspace key and are:
- Write-only — you can set or rotate a secret, but never read its plaintext back through the UI or API.
- Injected at execution time — the value is decrypted only when a script or flow step that references it runs.
- Redacted in logs — secret values are masked if they appear in output.
Create a secret variable from the UI (toggle secret), or with the CLI and a secret spec:
orvanta variable get f/folder/stripe_api_key
A script reads it by referencing the variable’s path; the value is resolved and injected at runtime.
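The "Redacted in logs" property above, sketched as an added example (not orvanta's own code): a masker that replaces known secret values in step output arriving in chunks, including a value split across two chunks. It assumes masking is an exact match on the plaintext, which this page does not specify; `StreamMasker`, `run` and the sample key are hypothetical names and constructed values.

```python
import base64

MASK = "******"
SECRET = "sk_test_CONSTRUCTED_0000"  # constructed sample value, not a real key


class StreamMasker:
    """Masks exact occurrences of known secrets in output that arrives in chunks."""

    def __init__(self, secrets):
        # Longest first, so a secret that contains another one is masked whole.
        self.secrets = sorted((s for s in secrets if s), key=len, reverse=True)
        # A secret may straddle two chunks: hold back (longest - 1) trailing chars.
        self.hold = max((len(s) for s in self.secrets), default=1) - 1
        self.buf = ""

    def _mask(self, text):
        for s in self.secrets:
            text = text.replace(s, MASK)
        return text

    def feed(self, chunk):
        """Accept a chunk and return the part that is safe to write to the log."""
        self.buf = self._mask(self.buf + chunk)
        cut = len(self.buf) - self.hold
        if cut <= 0:
            return ""
        out, self.buf = self.buf[:cut], self.buf[cut:]
        return out

    def flush(self):
        """Emit whatever is still held back once the step has finished."""
        out, self.buf = self._mask(self.buf), ""
        return out


def run(chunks, secrets):
    """Pass all chunks through a fresh masker and return the logged text."""
    masker = StreamMasker(secrets)
    return "".join(masker.feed(c) for c in chunks) + masker.flush()


if __name__ == "__main__":
    # Secret split across two writes: still masked.
    print(run(["key=sk_test_CONS", "TRUCTED_0000 sent\n"], [SECRET]), end="")
    # Exact-match masking does not recognise a re-encoded copy of the value.
    encoded = base64.b64encode(SECRET.encode()).decode()
    print(run(["debug: " + encoded + "\n"], [SECRET]), end="")
```

Under that assumption a script that prints an encoded or otherwise transformed copy of a secret bypasses the mask, so scripts should not write secret values to output in any form.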
Scoping
Both variables and secrets are scoped to a workspace and can be further restricted by role, so only authorised users and workflows can reference a given secret.
Related
- Resources — Group connection details into reusable, typed objects.
- Roles and permissions — Control who can read or set secrets.
- Scripts — How scripts consume variables and secrets.