# Passing external credentials at runtime
If you use a secrets store like HashiCorp Vault (opens new window) or AWS Secrets Manager (opens new window), store credentials in a database, or use a service like Nango (opens new window) to manage auth, you can retrieve these secrets at runtime and pass them to any step.
There are two ways to pass external auth at runtime:
- Pass it in an HTTP request
- Fetch credentials from a DB or secrets store within a workflow step
External auth is in beta
Passing external credentials at runtime is in beta, and we're looking for feedback. Please let us know (opens new window) how you're using it, what's not working, and what else you'd like to see.
# Pass credentials via HTTP
- If not already configured, add an HTTP trigger to your workflow.
- From your app, retrieve credentials and send them in an HTTP request to the endpoint with the rest of the payload.
- In the step of your workflow where you'd like to pass these credentials, select the Use external authentication option at the bottom-right of the account selector:
- You'll be prompted for all required credentials for the app, often just an
oauth_access_token
orapi_key
. Find the variable that contains your credentials and pass them to each field:
Most steps require additional, user-specific configuration. For example, the Slack Send a Message action requires a Channel ID, which may be specific to the end user's workspace. You'll need to pass these values in the HTTP request or return them from another step, referencing them here.
Default logging
When you return credentials from workflow steps, Pipedream stores it with the rest of the workflow execution data. Workflow events are retained according to the default retention policy for your plan and any data retention controls you've configured.
You can set the pd-nostore
flag to 1
on requests with credentials to disable logging for those requests only.
# Fetch credentials from a DB or secrets store
- Add a step to your workflow to fetch credentials from your DB or secrets store.
- In the step of your workflow where you'd like to pass these credentials, select the Use external authentication option at the bottom-right of the account selector:
- You'll be prompted for all required credentials for the app, often just an
oauth_access_token
orapi_key
. Find the variable that contains your credentials and pass them to each field:
Most steps require additional, user-specific configuration. For example, the Slack Send a Message action requires a Channel ID, which may be specific to the end user's workspace. You'll need to fetch these values from another step and reference them here.
Default logging
When you return credentials from workflow steps, Pipedream stores it with the rest of the workflow execution data. Workflow events are retained according to the default retention policy for your plan and any data retention controls you've configured.
You can set the pd-nostore
flag to 1
on requests with credentials to disable logging for those requests only.