Secrets & Environment Variables
Secrets are key-value pairs you store per workflow. They are encrypted at rest and injected into every step of that workflow as properties of the global env object.
Secrets are scoped to the workflow they are defined in. A secret added to one workflow is not accessible from any other workflow.
Storing a secret
Section titled “Storing a secret”- Open a workflow in the code editor.
- Click More actions (top-right menu).
- Select Manage variables.
- Enter a name (e.g.
SLACK_BOT_TOKEN) and its value. - Save — it is immediately available in all steps of that workflow.
Accessing secrets in code
Section titled “Accessing secrets in code”Read any secret by name via the global env object:
class Workflow { async start(data, headers, api) { const slackToken = env.SLACK_BOT_TOKEN;
await fetch('https://slack.com/api/chat.postMessage', { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${slackToken}`, }, body: JSON.stringify({ channel: '#orders', text: 'New order received' }), }); }}Platform-injected variables
Section titled “Platform-injected variables”Two variables are always present on env in every workflow, regardless of what you have stored:
| Key | Value |
|---|---|
env.SHOPIFY_STORE | Your store’s myshopify.com domain, e.g. "mystore.myshopify.com" |
env.SHOPIFY_API_VERSION | The Shopify API version configured for the app, e.g. "2024-01" |
Security
Section titled “Security”- Secrets are encrypted at rest and never exposed in run logs or the dashboard UI.
- Secrets are scoped to the individual workflow — no other workflow can read them.
- Deleting a secret removes it immediately from all future runs of that workflow, but does not affect runs already in progress.