Secrets

Secrets let you inject real credentials into replays and signing config without ever exposing them. They are project-scoped, encrypted at rest, and referenced by name.

Adding and referencing a project secret in FlurryPORT

Creating a secret

In the Secrets section choose Add secret, then enter a Secret Name and Secret Value. The value is shown once, at creation, and is never returned by any API afterward. Copy it if you need it elsewhere, because FlurryPORT cannot show it to you again.

Using a secret

Reference a secret anywhere substitution is supported with $secrets.NAME. Two common places:

Replay-target headers. Set a target header like X-Api-Key: $secrets.STRIPE_KEY. FlurryPORT substitutes the real value when it forwards.
Signing config. Point an endpoint signing secret at $secrets.NAME for signature validation.

Rotating a secret

Use Rotate secret to replace the stored value. References by name keep working, so you do not have to touch every target that uses it.

Destination-echo redaction

If a destination echoes a secret back in its response, FlurryPORT scrubs it to [REDACTED:NAME] before storing the captured response. Secrets reach the destination but never leak back into your stored data.

Verify it end to end

Use the CLI echo receiver to watch substitution and redaction work together. Set a target header to X-Api-Key: $secrets.STRIPE_KEY, run flurryport echo and flurryport listen, and send a webhook. The stored response shows X-Echo-X-Api-Key: [REDACTED:STRIPE_KEY]. See the CLI echo example.

Encryption

Secrets use the same AES-256-GCM envelope encryption as your payloads.

Limits

The free Deckhand tier includes one secret per project. Secret count scales with your plan.