Manage test secrets
Performance tests usually need credentials — an API token, a service account password, a webhook signing key. Maxoperf keeps these values in project secrets so they never live in your test files and never appear in run logs.
How project secrets work
Section titled “How project secrets work”- A project secret is a named, encrypted value stored at the project level.
- Each test binds the secrets it needs and maps each one to an environment-variable name.
- At run time, Maxoperf injects those variables into the runner before your test starts.
- The runtime payload is short-lived and scoped to one run.
Create a secret
Section titled “Create a secret”-
Open the project that owns the test and switch to the Secrets tab.
Secrets hub — pick the workspace vault, then open its secrets page to add a project secret. -
Click New secret. Give it a clear name like
checkout-api-token. -
Paste the value. It is encrypted as soon as you save.
-
Save. The secret appears in the list with the value masked.
You can rotate a secret by editing it; new runs use the new value, and the previous value is no longer accessible.
Bind a secret to a test
Section titled “Bind a secret to a test”- Open the test and switch to the Settings tab.
- Add a secret binding. Pick the project secret you created.
- Choose the environment-variable name the test expects — for example,
SECRET_CHECKOUT_API_TOKEN. - Save. Future runs of this test will see the variable.
In your test files, read the variable normally. For example:
- Taurus:
${__env(SECRET_CHECKOUT_API_TOKEN)} - k6:
__ENV.SECRET_CHECKOUT_API_TOKEN - JMeter:
${__BeanShell(System.getenv("SECRET_CHECKOUT_API_TOKEN"))}
What never happens
Section titled “What never happens”- Secret values are never written to result pages, run logs, or downloaded artifact bundles.
- Secret values are never available to teammates without project-level access.
- Secret values are never logged by the runner — only the names of injected variables appear in diagnostic output.
Where to go next
Section titled “Where to go next”- Run your first test — verify the secret binding works end to end.
- Accounts, workspaces, and projects — review who has access to project secrets.
- Upload test files — keep credentials out of uploaded files.