# Secrets & Environment Variables

Store API keys and other secrets for use in a workflow's steps.

Secrets are key-value pairs you store per workflow. They are encrypted at rest and exposed to that workflow's code through the global `env` object.

**Secrets are scoped to the workflow they are defined in.** A secret added to one workflow is not accessible from any other workflow.

## Storing a secret

1. Open a workflow in the **code editor**.
2. Click **More actions** (top-right menu).
3. Select **Manage variables**.
4. Enter a name (e.g. `SLACK_BOT_TOKEN`) and its value.
5. Save. The secret is then available in that workflow's code as `env.YOUR_KEY`.

## Accessing secrets in code

Read any secret by name via the global `env` object:

```js
export class Workflow {
  async start(data, headers, api) {
    const slackToken = env.SLACK_BOT_TOKEN;

    await fetch('https://slack.com/api/chat.postMessage', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${slackToken}`,
      },
      body: JSON.stringify({ channel: '#orders', text: 'New order received' }),
    });
  }
}
```

You do not import `env`. It is already available globally in workflow code.

## Platform-injected variables

Two variables are always present on `env` in every workflow, regardless of what you have stored:

| Key | Value |
| --- | --- |
| `env.SHOPIFY_STORE` | Your store's myshopify.com domain, e.g. `"mystore.myshopify.com"` |
| `env.SHOPIFY_API_VERSION` | The latest Shopify API version configured for the app |

## When not to use workflow secrets

- Do not store Shopify Admin API access tokens here. When you call your store's Admin API with `fetch()`, authentication is injected automatically.
- Do not store rotating OAuth access tokens here. For connected OAuth services, use `api.getOAuthToken(handle)` instead.
- Do not store normal non-secret configuration here unless it truly needs to be private. Use template config or regular constants for non-sensitive values.

## Security

- Secrets are encrypted at rest.
- Secrets are scoped to the individual workflow. No other workflow can read them.
- Secret values are not intended to be shown in the editor UI, but your code can still expose them if you log, return, or send them to another system.
- Deleting a secret prevents later workflow invocations from reading it.
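
Added example, not part of the platform's own code: one way to keep secret values out of logs and error messages, which the third point above leaves to your code. `requireSecret`, `makeRedactor` and `sampleEnv` are hypothetical names and the token is a constructed value; in a workflow you would pass the global `env` instead.

```javascript
// Added example. requireSecret and makeRedactor are hypothetical helpers,
// not platform APIs. In a workflow, pass the global `env` instead of sampleEnv.

// Fail fast when a secret is missing; the error names the key, never the value.
function requireSecret(envObj, key) {
  const value = envObj[key];
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`Missing workflow secret: ${key}`);
  }
  return value;
}

// Return a function that masks every listed secret value (raw, URL-encoded and
// JSON-escaped forms) in a string, object or Error before it is logged.
function makeRedactor(envObj, secretKeys) {
  const needles = [];
  for (const key of secretKeys) {
    const value = envObj[key];
    if (typeof value !== 'string' || value === '') continue;
    const forms = [value, encodeURIComponent(value), JSON.stringify(value).slice(1, -1)];
    for (const form of new Set(forms)) {
      needles.push({ form, label: `[REDACTED:${key}]` });
    }
  }
  // Longest first, so a value that contains a shorter one is masked whole.
  needles.sort((a, b) => b.form.length - a.form.length);

  return (input) => {
    let text;
    if (typeof input === 'string') text = input;
    else if (input instanceof Error) text = `${input.name}: ${input.message}`;
    else text = JSON.stringify(input) ?? String(input);
    for (const { form, label } of needles) text = text.split(form).join(label);
    return text;
  };
}

// Constructed sample values, not real credentials.
const sampleEnv = {
  SLACK_BOT_TOKEN: 'constructed-sample/token+value',
  SHOPIFY_STORE: 'mystore.myshopify.com',
};
const redact = makeRedactor(sampleEnv, ['SLACK_BOT_TOKEN']);

// A failed request whose message echoes the Authorization header.
const failure = new Error(`401 from Slack, sent "Bearer ${sampleEnv.SLACK_BOT_TOKEN}"`);
console.log(redact(failure));
```

Only the keys you list are masked, so add each stored secret's name to the list when you create it.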