Overview

Servflow provides secure secrets management for storing sensitive data like API keys, database credentials, and authentication tokens. Secrets can be managed through two methods:
  • SQLite Storage — Encrypted secrets stored in your SQLite database
  • Environment Variables — Reference secrets directly from your environment

Using SQLite Storage

When SQLite is configured, secrets are stored encrypted in the database and can be managed through the dashboard or API.

Prerequisites

Ensure your config.toml has SQLite configured:
[sqlite]
path = "./data/servflow.db"

Managing Secrets via Dashboard

  1. Open the Servflow dashboard at http://localhost:3000
  2. Navigate to Settings → Secrets
  3. Click Add Secret to create a new secret
  4. Provide a name and value for your secret

Using Secrets in Workflows

Reference stored secrets in your workflow configurations using the $secret prefix:
actions:
  - id: fetch-data
    type: http
    config:
      headers:
        Authorization: "Bearer $secret.API_KEY"

Using Environment Variables

For deployments where you prefer to manage secrets externally (e.g., Kubernetes secrets, Docker secrets, or CI/CD pipelines), you can reference environment variables directly.

Referencing Environment Variables

Use the $env prefix to reference environment variables in your workflow configurations:
actions:
  - id: connect-db
    type: sql
    config:
      connection_string: "$env.DATABASE_URL"

Setting Environment Variables

Docker

docker run -d \
  --name servflow-pro \
  -e DATABASE_URL="postgres://user:pass@host:5432/db" \
  -e API_KEY="your-api-key" \
  -p 8080:8080 \
  -v "$(pwd)/config.toml:/app/config.toml" \
  servflow/servflow-pro start --config /app/config.toml --dashboard

Docker Compose

services:
  servflow:
    image: servflow/servflow-pro
    environment:
      - DATABASE_URL=postgres://user:pass@host:5432/db
      - API_KEY=your-api-key
    env_file:
      - .env  # Or use an env file
    ports:
      - "8080:8080"
      - "3000:3000"

Comparison

| Feature | SQLite Storage | Environment Variables |
|---|---|---|
| Encryption at rest | ✅ Yes | Depends on host |
| Dashboard management | ✅ Yes | ❌ No |
| Runtime updates | ✅ Yes | ❌ Requires restart |
| External secret managers | ❌ No | ✅ Yes |
| Zero persistence | ❌ No | ✅ Yes |

Best Practices

Use environment variables for infrastructure secrets like database connection strings that are managed by your deployment platform.
Use SQLite storage for application secrets that need to be updated frequently or managed by non-technical team members through the dashboard.
Never commit secrets to version control. Use .gitignore to exclude your .env files and SQLite database.

Security Recommendations

  1. Set a strong master key — The master_key in your dashboard config is used for encrypting secrets. Use a long, random string.
  2. Restrict file permissions — Ensure your SQLite database file and config files have appropriate permissions:
    chmod 600 ./data/servflow.db
    chmod 600 config.toml
    
  3. Use secrets in production — Avoid hardcoding sensitive values in workflow configurations. Always use $secret.* or $env.* references.
  4. Rotate secrets regularly — Update API keys and credentials periodically. SQLite storage makes this easy through the dashboard.
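
Recommendation 3 can be enforced mechanically, for example as a pre-commit or CI check. The Python script below is an added example, not part of Servflow: it flags credential-looking fields in a workflow file whose value is a literal instead of a $secret.* or $env.* reference. The list of sensitive key names, the line-based parsing, and the sample workflow are assumptions made for illustration.

```python
import re

# Reference syntax documented on this page: $secret.NAME and $env.NAME
REFERENCE = re.compile(r"\$(?:secret|env)\.[A-Za-z_][A-Za-z0-9_]*")
# Assumption: key names that usually carry credentials; extend for your workflows.
SENSITIVE_KEY = re.compile(
    r"authorization|passw(?:or)?d|token|secret|api[_-]?key|connection_string", re.I)
# user:password@host embedded in a URL, whatever the key is called
URL_CREDS = re.compile(r"://[^/\s:@]+:[^@\s/]+@")
KEY_VALUE = re.compile(r"^\s*(?:-\s*)?([A-Za-z0-9_.-]+)\s*:\s*(.+?)\s*$")


def find_hardcoded(yaml_text):
    """Return [(line_no, key)] for credential fields holding a literal value."""
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        match = KEY_VALUE.match(line.split(" #", 1)[0])  # ignore trailing comments
        if not match:
            continue  # section header, blank line, or comment
        key, value = match.groups()
        literal = not REFERENCE.search(value)
        if URL_CREDS.search(value) or (SENSITIVE_KEY.search(key) and literal):
            findings.append((line_no, key))
    return findings


# Constructed sample workflow (not from the Servflow docs): one field uses a
# reference, two contain literal credentials.
SAMPLE = """\
actions:
  - id: fetch-data
    type: http
    config:
      headers:
        Authorization: "Bearer $secret.API_KEY"
  - id: connect-db
    type: sql
    config:
      connection_string: "postgres://user:pass@host:5432/db"
  - id: notify
    type: http
    config:
      headers:
        X-Api-Key: "example-not-a-real-key"
"""

if __name__ == "__main__":
    for line_no, key in find_hardcoded(SAMPLE):
        print(f"line {line_no}: '{key}' holds a literal; use $secret.* or $env.*")
```

The check is a line-based heuristic, not a YAML parser, so multi-line values and unusual key names need their own rules.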