---
title: "Manage secrets | Grafana Cloud documentation"
description: "Store and reference sensitive values like API tokens in Grafana Workflows using Grafana Secrets Management."
---

# Manage secrets

> Note
> 
> Grafana Workflows is currently in [private preview](/docs/release-life-cycle/). Grafana Labs offers support on a best-effort basis, and breaking changes might occur prior to the feature being made generally available.

Secrets let you reference sensitive values like API tokens without including them in workflow definitions. Grafana Workflows uses [Grafana Secrets Management](/docs/grafana-cloud/security-and-account-management/manage-secrets/) to store and resolve secrets securely.

## Before you begin

To use secrets in workflows, you need:

- Access to Grafana Secrets Management in your Grafana Cloud stack
- The **Workflows** decrypter enabled so the workflow engine can resolve secrets at execution time

## Create a secret

Before you can reference a secret in a workflow, create it in Grafana Secrets Management. You can create secrets through the Grafana Cloud UI or the Grafana Secrets Management API.

When creating a secret, select the **Workflows** decrypter so the workflow engine can resolve the secret at execution time.

The secret name becomes part of the URI you use in the workflow definition. For example, if you create a secret named `workflows/http/auth-token`, the corresponding URI in your workflow is `secret://workflows/http/auth-token`.

## Reference secrets in a workflow

Define secret references in the `resources.secrets` section of your workflow definition. Each entry maps a reference name to a secret URI:

```yaml
spec:
  resources:
    secrets:
      api-token: "secret://workflows/http/auth-token"
  steps:
    - id: call-api
      type: http.call
      inputs:
        method: "GET"
        url: "https://api.example.com/data"
        authMethod: "bearer"
        authSecret: "${resources.secret.api-token}"
```

Secret URIs must start with `secret://` followed by a valid identifier.

### Use secret references in step inputs

Step inputs reference secrets using `${resources.secret.<key>}` syntax, where `<key>` is the reference name defined in `resources.secrets`.

For keys with special characters, use bracket notation:

```text
${resources.secret["my-api-token"]}
```
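
The following pre-deployment check is an added example, not code from Grafana Labs: it takes the mapping under `spec:` (already parsed into Python) and reports secret URIs that do not start with `secret://`, references to keys missing from `resources.secrets`, and literal values in `authSecret`. Assumptions of this example: the identifier pattern (the page only says "a valid identifier"), the unused-secret check, the rule that `authSecret` must hold exactly one reference, and the names `lint_workflow`, `walk_strings`, `GOOD` and `BAD`.

```python
import re

# Assumption: the page only says "a valid identifier"; this conservative
# pattern (letters, digits, '.', '_', '-', '/'-separated) stands in for it.
SECRET_URI = re.compile(r"^secret://[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)*$")
# Matches ${resources.secret.key} and ${resources.secret["key"]}.
SECRET_REF = re.compile(r'\$\{resources\.secret(?:\.([A-Za-z0-9_-]+)|\["([^"\]]+)"\])\}')

def walk_strings(node, path=""):
    """Yield (path, value) for every string nested in dicts and lists."""
    if isinstance(node, str):
        yield path, node
    items = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for key, value in items:
        yield from walk_strings(value, f"{path}.{key}" if path else str(key))

def lint_workflow(spec):
    """Return findings for the mapping found under `spec:` in a workflow."""
    findings, used = [], set()
    declared = (spec.get("resources") or {}).get("secrets") or {}
    for name, uri in declared.items():
        if not isinstance(uri, str) or not SECRET_URI.match(uri):
            findings.append(f"resources.secrets.{name}: not a secret:// URI")
    for step in spec.get("steps") or []:
        for path, value in walk_strings(step.get("inputs") or {}):
            where = f"step {step.get('id', '?')} {path}"
            refs = [dot or bracket for dot, bracket in SECRET_REF.findall(value)]
            used.update(refs)
            findings += [f"{where}: undeclared secret '{r}'" for r in refs if r not in declared]
            # authSecret must be exactly one reference, never a literal token.
            if path.split(".")[-1] == "authSecret" and not SECRET_REF.fullmatch(value):
                findings.append(f"{where}: literal value, expected a secret reference")
    findings += [f"resources.secrets.{n}: declared but never referenced"
                 for n in sorted(set(declared) - used)]
    return findings

# Constructed samples: the page's workflow, then a variant with three mistakes.
GOOD = {"resources": {"secrets": {"api-token": "secret://workflows/http/auth-token"}},
        "steps": [{"id": "call-api", "type": "http.call", "inputs": {
            "method": "GET", "url": "https://api.example.com/data",
            "authMethod": "bearer", "authSecret": "${resources.secret.api-token}"}}]}
BAD = {"resources": {"secrets": {"api-token": "workflows/http/auth-token"}},
       "steps": [{"id": "call-api", "type": "http.call", "inputs": {
                      "authSecret": "constructed-literal-token"}},
                 {"id": "second", "type": "http.call", "inputs": {
                      "authSecret": '${resources.secret["other-token"]}'}}]}

if __name__ == "__main__":
    print("\n".join(lint_workflow(BAD)))
```

Running a check like this in CI before a workflow definition is committed keeps literal tokens out of version control, which is the exposure that secret references are meant to avoid.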

### Understand secret scoping and resolution

Secrets are scoped to your Grafana Cloud stack. Each workflow run resolves secrets using the stack identity of the triggering event. The engine resolves secrets at execution time and redacts them from step logs.

## Next steps

- [Create workflows](/docs/grafana-cloud/alerting-and-irm/workflows/create-workflows)
- [Load incident data](/docs/grafana-cloud/alerting-and-irm/workflows/load-incident-data)
- [Load alert group data](/docs/grafana-cloud/alerting-and-irm/workflows/load-alert-group-data)
- [Use CEL expressions](/docs/grafana-cloud/alerting-and-irm/workflows/use-expressions)
- [Step types reference](/docs/grafana-cloud/alerting-and-irm/workflows/reference)
