Skip to content

Secrets

Secrets are encrypted key-value pairs stored per workspace. They let you inject credentials, tokens, and other sensitive strings into test runs without hard-coding values in test scripts. Once a secret is created, its value is never returned by any API or UI — only the secret name and metadata (version number, last-updated timestamp) are visible.

Secrets are workspace-scoped: each workspace has its own isolated vault. A secret in Workspace A is not visible to tests running in Workspace B.

Click Secrets in the left sidebar. When a workspace is selected in the top-bar scope switcher, the Secrets link navigates directly to that workspace’s vault at /workspaces/:workspaceId/secrets. When no workspace is selected, it navigates to the account-wide Secrets hub at /secrets, which shows a selector to pick a workspace vault.

Secrets hub: select a workspace to open its encrypted vault. Secrets are scoped per workspace.

The workspace secrets vault lists every secret stored in the workspace. Each row shows:

  • Name — the key you reference in your test environment configuration (e.g., STRIPE_SECRET).
  • Version — incremented each time the value is rotated (updated). Useful for confirming a rotation landed.
  • Last updated — the timestamp of the most recent create or rotate operation.

No secret value is ever displayed in the list. The vault is append-and-rotate only from the UI perspective: values go in, but never come back out.

  1. Navigate to the workspace vault (via Secrets in the sidebar, or /workspaces/:workspaceId/secrets).
  2. Click Create secret in the page header. A dialog opens.
  3. Enter a Name for the secret. Use a descriptive uppercase key name (e.g., PAYMENT_API_KEY, DATABASE_CREDENTIAL). Names must be unique within the workspace.
  4. Enter the Value in the masked password field. The value is not stored in browser history or shown as plain text.
  5. Click Save secret. The dialog closes and a toast confirms “Secret created (value stored encrypted; never shown again).”
  6. The new secret appears in the vault list with version 1.

Rotating a secret replaces its value with a new one and bumps the version number. Tests that reference the secret by name automatically pick up the new value on their next run.

  1. In the workspace vault list, find the secret you want to rotate.
  2. Click Rotate value. An inline input field appears next to the secret row.
  3. Enter the new value in the masked input.
  4. Click Save. A toast confirms “Secret value rotated (version bumped).” The version number in the row increments.
  5. Click Cancel at any point to discard without saving.
  1. In the vault list, find the secret to delete.
  2. Click Delete. A confirmation dialog appears: “Delete secret <name>? Tests lose bindings to it.”
  3. Confirm the deletion. The secret is removed from the vault immediately.

Secrets are injected into test runs as environment variables. You bind a secret to a specific environment variable name on the test’s configuration page — the runner injects the secret value into the process environment at run start.

How to bind a secret to a test:

  1. Open the test you want to configure in the Tests list.
  2. Go to the Configuration tab of the test detail page.
  3. In the environment variables section, add a variable named SECRET_<...> (e.g., SECRET_PAYMENT_API_KEY) and select the secret from the workspace vault by name.
  4. Save the configuration.
  5. Run the test. The runner injects the secret value as the named environment variable. The value is never logged or surfaced in run outputs.

  • Workspace scope is strict. A secret in one workspace cannot be referenced by a test in a different workspace, even within the same account. Create the secret in each workspace that needs it.
  • Names are case-sensitive. SECRET_DATABASE_CREDENTIAL and secret_database_credential are two different bindings. The SECRET_ prefix is required by the API (bound env var names must match ^SECRET_[A-Za-z0-9_]{1,120}$); the rest of the name is conventionally uppercase SCREAMING_SNAKE_CASE.
  • Versions help audit rotations. The version counter tells you how many times a secret has been rotated. Check it after a rotation to confirm the update landed.
  • No bulk export. Secret values cannot be exported in bulk from the console. If you need a backup of your secrets, maintain them in an external secrets manager and treat the MaxoPerf vault as a mirror.
  • Workspace editor role required. Only members with workspace editor (or higher) permissions can create, rotate, or delete secrets. Viewers can see secret names but not values or the create/rotate/delete controls.

  • Manage test secrets — task-oriented how-to for the complete secret binding workflow, including CI examples.
  • Tests — create and configure — covers the Configuration tab where secrets are bound to environment variables.
  • Workspaces — workspace management including member roles that govern secret access.
  • Navigating the console — explains the workspace scope switcher and how it affects the Secrets sidebar link.