> ## Documentation Index
> Fetch the complete documentation index at: https://docs.servflow.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Secrets Management

> Manage sensitive credentials securely with SQLite storage or environment variables

## Overview

ServFlow Pro provides secure secrets management for storing sensitive data like API keys, database credentials, and authentication tokens. Secrets can be managed through two methods:

* **SQLite Storage** — Encrypted secrets stored in your SQLite database
* **Environment Variables** — Reference secrets directly from your environment

## Using SQLite Storage

When SQLite is configured, secrets are stored encrypted in the database and can be managed through the dashboard or API.

### Prerequisites

Ensure your `config.toml` has SQLite configured:

```docs/references/secrets.mdx#L18-L20 theme={null}
[sqlite]
path = "./data/servflow.db"
```

### Managing Secrets via Dashboard

1. Open the Servflow dashboard at `http://localhost:3000`
2. Navigate to **Settings** → **Secrets**
3. Click **Add Secret** to create a new secret
4. Provide a name and value for your secret

### Using Secrets in Workflows

Reference stored secrets in your workflow configurations using the `$secret` prefix:

```docs/references/secrets.mdx#L32-L36 theme={null}
actions:
  - id: fetch-data
    type: http
    config:
      headers:
        Authorization: "Bearer $secret.API_KEY"
```

## Using Environment Variables

For deployments where you prefer to manage secrets externally (e.g., Kubernetes secrets, Docker secrets, or CI/CD pipelines), you can reference environment variables directly.

### Referencing Environment Variables

Use the `$env` prefix to reference environment variables in your workflow configurations:

```docs/references/secrets.mdx#L47-L51 theme={null}
actions:
  - id: connect-db
    type: sql
    config:
      connection_string: "$env.DATABASE_URL"
```

### Setting Environment Variables

#### Docker

```docs/references/secrets.mdx#L58-L64 theme={null}
docker run -d \
  --name servflow-pro \
  -e DATABASE_URL="postgres://user:pass@host:5432/db" \
  -e API_KEY="your-api-key" \
  -p 8080:8080 \
  -v $(pwd)/config.toml:/app/config.toml \
  servflow/servflow-pro start --config /app/config.toml --dashboard
```

#### Docker Compose

```docs/references/secrets.mdx#L69-L79 theme={null}
services:
  servflow:
    image: servflow/servflow-pro
    environment:
      - DATABASE_URL=postgres://user:pass@host:5432/db
      - API_KEY=your-api-key
    env_file:
      - .env  # Or use an env file
    ports:
      - "8080:8080"
      - "3000:3000"
```

## Comparison

| Feature                  | SQLite Storage | Environment Variables |
| ------------------------ | -------------- | --------------------- |
| Encryption at rest       | ✅ Yes          | Depends on host       |
| Dashboard management     | ✅ Yes          | ❌ No                  |
| Runtime updates          | ✅ Yes          | ❌ Requires restart    |
| External secret managers | ❌ No           | ✅ Yes                 |
| Zero persistence         | ❌ No           | ✅ Yes                 |

## Best Practices

<Tip>
  **Use environment variables for infrastructure secrets** like database connection strings that are managed by your deployment platform.
</Tip>

<Tip>
  **Use SQLite storage for application secrets** that need to be updated frequently or managed by non-technical team members through the dashboard.
</Tip>

<Warning>
  Never commit secrets to version control. Use `.gitignore` to exclude your `.env` files and SQLite database.
</Warning>

### Security Recommendations

1. **Set a strong master key** — The `master_key` in your dashboard config is used for encrypting secrets. Use a long, random string.

2. **Restrict file permissions** — Ensure your SQLite database file and config files have appropriate permissions:
   ```docs/references/secrets.mdx#L114-L115 theme={null}
   chmod 600 ./data/servflow.db
   chmod 600 config.toml
   ```

3. **Use secrets in production** — Avoid hardcoding sensitive values in workflow configurations. Always use `$secret.*` or `$env.*` references.

4. **Rotate secrets regularly** — Update API keys and credentials periodically. SQLite storage makes this easy through the dashboard.

## Next Steps

<CardGroup cols={2}>
  <Card title="Configuration Reference" icon="gear" href="/references/configuration">
    Explore all ServFlow configuration options and environment variables.
  </Card>

  <Card title="Local Development" icon="laptop-code" href="/development">
    Set up your local environment with SQLite and secrets management.
  </Card>

  <Card title="Installation" icon="download" href="/installation">
    Deploy ServFlow to your infrastructure.
  </Card>

  <Card title="Quickstart" icon="rocket" href="/quickstart">
    Build your first API with ServFlow.
  </Card>
</CardGroup>
