Skip to main content
Secrets enable you to store sensitive data in encrypted vaults and reference them dynamically in your Traffic Policies. This feature eliminates the need to hardcode passwords, API keys, and other sensitive values directly in policy YAML files. When you update a secret in a vault, it automatically rotates across all Traffic Policies that reference it, streamlining credential management. Secrets are supported in all Traffic Policy actions and fields that support CEL.
Secrets interpolated into certain actions may appear in cleartext in Traffic Inspector when full capture mode is enabled

How it works

Vaults are secure containers that store your secrets. Each vault can contain multiple secrets, which are encrypted key-value pairs. Secrets are stored using AES-256 encryption at rest and transmitted over HTTPS with TLS 1.2+. When you reference a secret in a Traffic Policy, the value is evaluated at runtime and never persisted in policy documents or logs. The ngrok API never returns secret values in response payloads. Reference secrets in your Traffic Policy using the secrets.get() macro:
The macro dynamically retrieves the secret value from the specified vault at runtime.

Using vaults and secrets

To use secrets, you’ll need to create a vault to store them in. REST APIs are provided on the ngrok service for both Vaults and Secrets.

Create a vault

Use the ngrok Agent CLI to create a vault:
The response includes the vault ID, which you’ll need when creating secrets within the vault:

Create a secret

Create a secret within a vault using the vault ID:

Common use cases for secrets

Basic authentication

Webhook verification

Audit events

Secrets and vaults emit the following audit events, all of which include the full resource details in the logs:

Vault events

Secret events

Limits and pricing

Secrets and vaults are currently free to use. This feature will be billed and metered in the future, per the plan details below.
Please contact support to configure limits for the PayGo plan.