# Credentials & variables
Workflow configs never contain secrets. They contain references, and the values live in the Nucleus vault — encrypted at rest (AES-256-GCM), masked in the UI, and resolved only when a run starts.
## References

| Syntax | Resolves to | Example |
|---|---|---|
| ${credential.<id-or-name>.<field>} | A field of a stored credential | ${credential.telegram-bot.botToken} |
| ${variable.<id-or-name>} | An org-wide variable (Admin → Variables) | ${variable.alerts-channel} |
References resolve once, at run start — before any {{ }} expression runs — in both the editor’s test runs and deployed apps. Credentials can be referenced by id or by name.
## Credential templates & the picker

Credentials are typed by templates (Telegram bot, Slack bot, SMTP, Postgres, S3, OAuth2 providers, generic bearer/API key, and more). Connection nodes start with a credential picker: pick a stored credential and the node’s connection fields fill with the right ${credential.<id>.*} placeholders; pick None to enter values manually; create a new credential inline with + New.
Each credential row shows where it’s used — the workflows that reference it — and deleting one is guarded by that usage.
## OAuth2

OAuth2 credentials are first-class: presets for Google, Microsoft, Notion and HubSpot, plus a generic provider (your own auth/token URLs). The flow:

- Create the credential with your OAuth client id + secret.
- Click Connect — the Nucleus builds the consent URL (PKCE, signed single-use state) and the provider redirects back to /api/oauth/callback.
- Tokens are stored as managed, masked fields. Status shows connected / expiring / error.
Refresh is automatic at resolve time: whenever a credential is resolved for a run and the access token is near expiry, the Nucleus refreshes it synchronously (with a per-credential lock) and serves the fresh token. Long-lived deployed apps re-resolve every run start, which bounds token staleness to one run.
Setting up a Google OAuth client — redirect URIs, API enablement, test users and the 7-day testing caveat — is covered step-by-step in the Google Sheets guide.
## How deployed apps get secrets

Compiled artifacts contain no secret values — only the references. At deploy time the Nucleus mints a resolve token scoped to that deployment. At the start of every run the app calls home (POST /api/runtime/resolve) with that token, receives exactly the values its workflow references under a short TTL lease (60 seconds), substitutes them in memory, and never writes them to disk.
Consequences worth knowing:
- Rotating a credential in the vault takes effect on each app’s next run — no redeploy.
- A copied artifact is useless without its deployment’s resolve token and network reach to your Nucleus.
- Worker process environments are scrubbed; secrets do not leak into child env or logs.
## Variables

Org-wide variables (Admin → Variables) hold non-secret config — URLs, channel names, thresholds — referenced as ${variable.name} anywhere a credential reference works. Same resolution timing, same “used by” tracking.
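The reference syntax from the table above and the run-start substitution described under "How deployed apps get secrets", shown as an added example (not Nucleus's own code). The vault contents, credential id and field names are constructed sample data; it resolves by id or by name, enumerates exactly the references a config uses, fails closed on anything unresolvable, and leaves {{ }} expressions untouched.

```javascript
// Added example, not Nucleus code. Matches ${credential.<id-or-name>.<field>}
// and ${variable.<id-or-name>}; a trailing ".<field>" is optional at the regex
// level so a misuse (field on a variable, none on a credential) can be reported.
const REF_RE = /\$\{(credential|variable)\.([A-Za-z0-9_-]+)(?:\.([A-Za-z0-9_]+))?\}/g;

// Constructed sample vault: credentials addressable by id or by name,
// org-wide variables by name. Values here are placeholders, not real secrets.
const sampleVault = {
  credentials: [
    { id: "cred_7f3a", name: "telegram-bot", fields: { botToken: "tg-token-SAMPLE" } },
  ],
  variables: { "alerts-channel": "#ops-alerts" },
};

// Enumerate the distinct references a config uses. This is the list a runtime
// resolve call would ask for (nothing else comes back) and the basis of
// "used by" tracking, and it contains no secret values, so it is safe to log.
function listReferences(config) {
  const refs = new Set();
  for (const m of config.matchAll(REF_RE)) refs.add(m[0]);
  return [...refs];
}

// Substitute every reference in memory. Any unresolvable reference throws, so a
// run never starts with a half-resolved config. {{ }} expressions are not
// touched here: they evaluate later, after references have been substituted.
function resolveReferences(config, vault) {
  return config.replace(REF_RE, (ref, kind, idOrName, field) => {
    if (kind === "credential") {
      if (!field) throw new Error(`credential reference needs a field: ${ref}`);
      const cred = vault.credentials.find((c) => c.id === idOrName || c.name === idOrName);
      if (!cred || !Object.hasOwn(cred.fields, field)) throw new Error(`unresolved ${ref}`);
      return cred.fields[field];
    }
    if (field) throw new Error(`variable reference takes no field: ${ref}`);
    if (!Object.hasOwn(vault.variables, idOrName)) throw new Error(`unresolved ${ref}`);
    return vault.variables[idOrName];
  });
}
```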