Passing external credentials at runtime
If you use a secrets store like HashiCorp Vault or AWS Secrets Manager, store credentials in a database, or use a service like Nango to manage auth, you can retrieve these secrets at runtime and pass them to any step.
There are two ways to pass external auth at runtime:
- Pass it in an HTTP request
- Fetch credentials from a DB or secrets store within a workflow step
External auth is in beta Passing external credentials at runtime is in beta, and we're looking for feedback. Please let us know how you're using it, what's not working, and what else you'd like to see.
Pass credentials via HTTP
- If not already configured, add an HTTP trigger to your workflow.
- From your app, retrieve credentials and send them in an HTTP request to the endpoint with the rest of the payload.
- In the step of your workflow where you'd like to pass these credentials, select the Use external authentication option at the bottom-right of the account selector:
- You'll be prompted for all required credentials for the app, often just an
oauth_access_token
orapi_key
. Find the variable that contains your credentials and pass them to each field:
Most steps require additional, user-specific configuration. For example, the Slack Send a Message action requires a Channel ID, which may be specific to the end user's workspace. You'll need to fetch these values from another step and reference them here.
Default logging
When you return credentials from workflow steps, Pipedream stores it with the rest of the workflow execution data. Workflow events are retained according to the default retention policy for your plan and any data retention controls you've configured.
You can set the pd-nostore
flag to 1
on requests with credentials to disable logging for those requests only.
Fetch credentials from a DB or secrets store
- Add a step to your workflow to fetch credentials from your DB or secrets store.
- In the step of your workflow where you'd like to pass these credentials, select the Use external authentication option at the bottom-right of the account selector:
- You'll be prompted for all required credentials for the app, often just an
oauth_access_token
orapi_key
. Find the variable that contains your credentials and pass them to each field:
Most steps require additional, user-specific configuration. For example, the Slack Send a Message action requires a Channel ID, which may be specific to the end user's workspace. You'll need to fetch these values from another step and reference them here.
Default logging
When you return credentials from workflow steps, Pipedream stores it with the rest of the workflow execution data. Workflow events are retained according to the default retention policy for your plan and any data retention controls you've configured.
You can set the pd-nostore
flag to 1
on requests with credentials to disable logging for those requests only.