Secrets & Environment Variables

Store API keys and other secrets for use in a workflow's steps.

Secrets are key-value pairs you store per workflow. They are encrypted at rest and exposed to that workflow's code through the global env object.

Secrets are scoped to the workflow they are defined in. A secret added to one workflow is not accessible from any other workflow.

Storing a secret

1. Open a workflow in the code editor.
2. Click More actions (top-right menu).
3. Select Manage variables.
4. Enter a name (e.g. SLACKBOTTOKEN) and its value.
5. Save.

It is then available in that workflow's code as env.YOURKEY.

Accessing secrets in code

Read any secret by name via the global env object:

```javascript
export class Workflow {
  async start(data, headers, api) {
    const slackToken = env.SLACKBOTTOKEN;

    await fetch('https://slack.com/api/chat.postMessage', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${slackToken}`,
      },
      body: JSON.stringify({ channel: '#orders', text: 'New order received' }),
    });
  }
}
```

You do not import env. It is already available globally in workflow code.

Platform-injected variables

Two variables are always present on env in every workflow, regardless of what you have stored:

| Key | Value |
| --- | --- |
| env.SHOPIFYSTORE | Your store's myshopify.com domain, e.g. "mystore.myshopify.com" |
| env.SHOPIFYAPIVERSION | The latest Shopify API version configured for the app |

When not to use workflow secrets

- Do not store Shopify Admin API access tokens here. When you call your store's Admin API with fetch(), authentication is injected automatically.
- Do not store rotating OAuth access tokens here. For connected OAuth services, use api.getOAuthToken(handle) instead.
- Do not store normal non-secret configuration here unless it truly needs to be private. Use template config or regular constants for non-sensitive values.

Security

- Secrets are encrypted at rest.
- Secrets are scoped to the individual workflow. No other workflow can read them.
- Secret values are not intended to be shown in the editor UI, but your code can still expose them if you log, return, or send them to another system. - Deleting a secret prevents later workflow invocations from reading it.
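
The Security point above about code exposing secrets through logs or return values, as an added example (not the platform's own code): a hypothetical makeRedactor helper masks the values of named secrets before anything is logged or returned. sampleEnv is a constructed stand-in for the global env, and its token value is constructed.

```javascript
// Constructed stand-in for the platform's global `env` so this runs offline.
const sampleEnv = {
  SLACKBOTTOKEN: 'xoxb-constructed-"example"-token',
  SHOPIFYSTORE: 'mystore.myshopify.com',
};

// Hypothetical helper: returns a function that masks the named secrets' values.
function makeRedactor(envObj, secretNames) {
  const values = new Set();
  for (const name of secretNames) {
    const v = envObj[name];
    if (typeof v !== 'string' || v.length === 0) continue;
    values.add(v);
    // JSON.stringify escapes quotes and backslashes, so mask that form too.
    values.add(JSON.stringify(v).slice(1, -1));
  }
  // Longest first, so a secret that contains another is masked whole.
  const ordered = [...values].sort((a, b) => b.length - a.length);

  return function redact(value) {
    let text;
    if (value instanceof Error) {
      text = `${value.name}: ${value.message}`;
    } else if (typeof value === 'string') {
      text = value;
    } else {
      try {
        text = String(JSON.stringify(value));
      } catch (err) {
        text = String(value); // e.g. circular structures
      }
    }
    for (const secret of ordered) {
      text = text.split(secret).join('[REDACTED]');
    }
    return text;
  };
}

// Demo: the request from the Slack example, logged after a failure.
function demoLogLine(envObj) {
  const redact = makeRedactor(envObj, ['SLACKBOTTOKEN']);
  const request = {
    url: 'https://slack.com/api/chat.postMessage',
    headers: { Authorization: `Bearer ${envObj.SLACKBOTTOKEN}` },
  };
  return redact({ store: envObj.SHOPIFYSTORE, request });
}

console.log(demoLogLine(sampleEnv));
```

Exact-match masking does not catch transformed copies such as a base64 or URL-encoded token, so it complements keeping secrets out of logged and returned values rather than replacing that practice.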