Passing external credentials at runtime

If you use a secrets store like HashiCorp Vault or AWS Secrets Manager, store credentials in a database, or use a service like Nango to manage auth, you can retrieve these secrets at runtime and pass them to any step.

There are two ways to pass external auth at runtime:

1. Pass it in an HTTP request
2. Fetch credentials from a DB or secrets store within a workflow step

Pass credentials via HTTP

1. If not already configured, add an HTTP trigger to your workflow.
2. From your app, retrieve credentials and send them in an HTTP request to the endpoint with the rest of the payload.
3. In the step of your workflow where you'd like to pass these credentials, select the Use external authentication option at the bottom-right of the account selector:

4. You'll be prompted for all required credentials for the app, often just an oauth_access_token or api_key. Find the variable that contains your credentials and pass them to each field:

Most steps require additional, user-specific configuration. For example, the Slack Send a Message action requires a Channel ID, which may be specific to the end user's workspace. You'll need to fetch these values from another step and reference them here.

Fetch credentials from a DB or secrets store

1. Add a step to your workflow to fetch credentials from your DB or secrets store.
2. In the step of your workflow where you'd like to pass these credentials, select the Use external authentication option at the bottom-right of the account selector:

3. You'll be prompted for all required credentials for the app, often just an oauth_access_token or api_key. Find the variable that contains your credentials and pass them to each field:

Most steps require additional, user-specific configuration. For example, the Slack Send a Message action requires a Channel ID, which may be specific to the end user's workspace. You'll need to fetch these values from another step and reference them here.