search
Ctrlk
Dashboard

Secrets

Secrets are key/value pairs injected into your Transformation code at runtime. Use them for anything you don't want hard-coded — API keys, tokens, pixel IDs, feature flags. Secrets are stored encrypted and are never logged.

You manage secrets from the Secrets tab in the Playground UI. Each secret has a name, a value, and a flag that controls whether it's available in the browser.

hashtag
Edge vs. browser scope

Every secret is always available in edge plugin files (tagRoot, tagChannel, tagInstance). Only secrets with the client flag are available in browser plugin files (clientTagRoot, clientTagChannel, clientTagInstance).

The access path is the same on both sides: params.variables.<NAME>.

// tagRoot (edge) — all secrets are available
const apiKey = params.variables.API_KEY      // ✓ defined
const pixelId = params.variables.PIXEL_ID    // ✓ defined

// clientTagRoot (browser) — only client-flagged secrets are available
const pixelId = params.variables.PIXEL_ID    // ✓ defined (if flagged)
const apiKey = params.variables.API_KEY      // ✗ undefined (edge-only)
circle-exclamation

Client-flagged secrets are shipped to every visitor's browser and are effectively public. Only flag values that are safe to expose — public pixel IDs, feature flags, public URLs. Never flag private API keys, signing secrets, or tokens as client-side.

hashtag
Adding a secret

  1. Open the Secrets tab.

  2. Enter a name and value.

  3. Tick client if your browser plugin files need to read it.

  4. Save.

Secret names are used verbatim — what you type in the UI is what you read in code.

hashtag
Redaction in Simulation

When you run a simulation, Playground redacts sensitive values from the captured output. Any header or body key matching authorization, token, api-key, api_key, secret, password, or cookie is replaced with [REDACTED] before being shown — even when your code legitimately passes a secret through to a third-party API.

PreviousCodeNextSimulation

Was this helpful?