All guides

8 min read

Use secrets and variables

Keep the values a task needs out of the prompt. Variables hold configuration, secrets hold credentials, and both are scoped to the level where they belong.

  1. 01

    Know which one you need

    A variable holds a value you would be happy to read in a run record: a channel name, a threshold, a sending address. A secret holds anything you would not: an API token, a signing key, a password. Secrets are envelope-encrypted at rest and stay masked everywhere they are displayed.

  2. 02

    Store it at the right level

    Values live at the organization, project, workflow, or user level. Put the sending domain at the organization level so every agent shares it, and put the one-off token at the workflow level so it stops where that task stops. The narrowest level that works is the right one.

  3. 03

    Reference it from the prompt

    Name the variable in the prompt and the agent resolves it at run time. A secret is injected into the sandbox when it is needed and never lands in the prompt text, so the value stays out of the run record that everyone on the team can read.

  4. 04

    Rotate without touching a prompt

    Because the value lives beside the workflow instead of inside it, rotating a token is one edit in one place. Every workflow that references it picks up the new value on its next run.

  5. 05

    Keep credentials in integrations where you can

    Reach for a secret when a task needs a value Helios does not already hold. Connected integrations already attach their credentials server-side, so the API token for Slack or Stripe belongs in the integration rather than a secret you manage by hand.

Try it in your workspace.

Start free, connect a tool, and describe the first task in plain English.