Runscope API Monitoring    Learn More →

Keeping Sensitive Information Secure with Secrets Management

By Heitor Tashiro Sergent on .

 
 Key by Alain W. from the Noun Project
 

Note: this feature is only available on enterprise plans. For more information, please reach out to our sales team.

We are very excited to announce a new feature for our enterprise customers: secrets management! Users can now easily create and manage sensitive information, such as API key or access tokens, and include them in their API monitors without exposing them in test results or 3rd-party integrations.

This feature request has been brought to us by a few customers, especially ones in highly regulated spaces such as finance, or healthcare, but we believe all of our enterprise customers will be able to benefit from it. Here at Runscope, we take extreme care with the security of our users' information, and we also like to provide tools for customers that will help them maintain any security standards they might have internally.

So, how does secrets management work?

Creating Secrets Variables

The team owner is the only person in a team who will be able to view the Secrets menu, as well as create/edit/delete secrets variables. After a secrets variable is created, any team member will then be able to use it in their API monitors.

If you're the team owner, click on the profile on the top-right and select Secrets from the drop-down:

 A screenshot of the logged in Runscope dashboard, showing a drop-down menu on the top-right with the  Secrets  option highlighted.

In the secrets page, if you are the team owner you'll see Add Secret. Click on it to create a new secret key/value pair, enter the name that will be used to access it throughout your tests, and the value:

 A screenshot of the Runscope  Secrets  menu, showing the interface to create a secret with one secrets variable added to the list with name "private_api_key", and an encrypted value of asterisks.

Click Save Changes, and you're all set!

Using Secrets

To use secrets in your tests, you'll have to use the built-in function get_secret(key_name), making sure to replace key_name with your secret's name:

 A screenshot of the Runscope test editor, with a step expanded, and highlighting the  Headers  section, with one header value added with name "Authorization", and the value using the  get_secret  function of "Bearer {{get_secret(secret_api_key)}}".

This built-in function can be used just like other Runscope built-in functions, which means you can add it to your environment settings, initial variables, pre-request/post-response scripts, etc.

Similar to how other built-in functions work, using it in Variables, Headers, or Endpoints will require you to format it with double-parenthesis like so: {{get_secret(key)}}.

For use in scripts, you can simply call the function without the parenthesis:

request.params.push({name:"api_key", value: get_secret("key")});

Whenever you have a step in your API tests that uses the get_secret function, in order to protect the secret, all assertions will be masked, and you won't be able to see any details in the Request tab, or the body for the Response tab:

 A screenshot of the Runscope test result page, showing the results for a test step that passed, and highlighting the  Assertions  section, showing an assertion that passed and the values are encrypted (showing as asterisk) since it was comparing to a variable using the  get_secret  function. The  Request  tab is also empty since the test step used the  get_secret  function.

For the latest information and details on the feature, please check out our Secrets Management docs. And if you have any questions or feedback, please let us know!

Categories: testing, product, monitoring, howto

Everything is going to be 200 OK®