Secrets, OAuth, and service accounts
Learn how to manage secrets, use OAuth for API connections, and configure service accounts within your flows, ensuring secure handling of sensitive information.
Secret slots
Declare a secret slot with an explicit :secret-ref.
{:requires [{:slot :webhook-secret
             :type :secret
             :secret-ref :webhook-secret
             :label "Webhook Secret"}]}
Bind secret values
breyta flows bindings template <slug> --out profile.edn
Edit profile.edn:
{:bindings {:webhook-secret {:secret "YOUR_SECRET_VALUE"}}}
Apply bindings:
breyta flows bindings apply <slug> @profile.edn
Use :generate to create a new value server-side.
OAuth connections
Use :oauth on a :http-api slot. The template command prints an activation URL.
{:slot :google
 :type :http-api
 :label "Google"
 :base-url "https://www.googleapis.com"
 :oauth {:provider :google
         :scopes {:required ["drive.readonly"]}}}
Service account JSON
Store the full JSON payload as a secret value, then reference it in :auth.
{:auth {:type :google-service-account
        :secret-ref :google-drive-service-account
        :scopes ["https://www.googleapis.com/auth/drive.readonly"]}}
Reminders
- Never put secrets in flow files
- Keep :secret-ref consistent between slots and triggers
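
A lint for the two reminders above, as an added example that is not part of the original page or Breyta's own tooling: it parses a flow file as EDN, counts maps that carry a literal :secret string, and lists every :secret-ref used outside a :type :secret slot that no slot declares. The rule that each such reference must be declared by a slot, the namespace name, and the sample flow are assumptions.

```clojure
(ns flow-secret-lint
  (:require [clojure.edn :as edn]
            [clojure.set :as set]))

;; Constructed sample flow file built from the map shapes shown on this page,
;; written to trigger both checks. Assumptions: the position of :auth inside a
;; flow, and the :debug entry, which stands in for a binding pasted into a
;; flow file by mistake.
(def sample-flow
  "{:requires [{:slot :webhook-secret
                :type :secret
                :secret-ref :webhook-secret
                :label \"Webhook Secret\"}]
    :auth {:type :google-service-account
           :secret-ref :google-drive-service-account}
    :debug {:secret \"constructed-inline-value\"}}")

(defn all-maps
  "Every map nested anywhere in the parsed EDN form, including the root."
  [form]
  (filter map? (tree-seq coll? seq form)))

(defn lint-flow
  "Checks one flow file's EDN text. Inline secrets are counted, never echoed,
  so the report itself is safe to log."
  [edn-text]
  (let [maps     (all-maps (edn/read-string edn-text))
        slot?    #(= :secret (:type %))
        ;; Refs declared by secret slots versus refs used anywhere else.
        declared (set (keep :secret-ref (filter slot? maps)))
        used     (set (keep :secret-ref (remove slot? maps)))]
    {:inline-secrets  (count (filter #(string? (:secret %)) maps))
     :undeclared-refs (set/difference used declared)}))

(prn (lint-flow sample-flow))
```

Run it over flow files only; profile.edn is expected to contain :secret values and would be counted as an inline secret.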