# Secrets Management For Connection Credentials


Secrets Management is an advanced capability of Workato. Reach out to your Workato Customer Success Manager for more info.

To simplify the management of your connection credentials, you can use an external secrets manager to securely store and retrieve sensitive information like passwords and API tokens.

The Secrets Management feature in Workato allows you to use secrets in place of hardcoded connection credentials. Centralizing credential management can help you adopt security best practices like password rotation without needing to manually update credentials wherever they're in use.


# How It Works

With a secrets manager, you can use a secret instead of directly entering information into Workato. Secrets contain sensitive info like a password.

Without a secrets manager, you need to manually retrieve and enter your credentials when you set up a connection. Any time those credentials change - for example, when you reset your password - you'll need to update the password in every application that uses it.

However, if you use an external secrets manager instead, you'll only need to update the password in the secrets manager and refresh the connection in Workato. Applications using the reference will retrieve the secret's updated value, thus minimizing manual work, interruptions, and most importantly, security risk.

Remember to Refresh the Connection in Workato

Refresh the Connection by disconnecting and reconnecting in Workato. This will update the connection with the latest credentials in your secrets manager.

At a high level, here's how using a secrets manager works with Workato for connection credential management:


1. You create a vault and secret in your external secrets manager. The secrets manager encrypts the credentials.
2. You grant Workato access to the secrets manager.
3. In Workato, you configure connections using the secrets in place of credentials.

The following image demonstrates a Jira connection configured with a secret from Amazon Web Services (AWS) Secrets Manager:

Jira connection in Workato configured with an AWS secret


When Workato uses the connection:


1. Request secret: Workato requests the secret from the secrets manager.
2. Retrieve and decrypt: The secrets manager retrieves the secret and returns the decrypted secret value to Workato.
3. Authentication: Workato uses the decrypted value to authenticate to the application.
4. Access: If authentication is successful, the application grants access to Workato.
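
The following is a small model of the flow above and of the password-reset scenario described earlier in this section, added here as an illustration and not Workato's code or API. The classes, the `workato` principal name, and the `jira/api-token` secret name are hypothetical, and the model assumes a connection resolves its secret reference when it is connected or refreshed.

```python
import hmac

class SecretsManager:
    """In-memory stand-in for an external secrets manager (hypothetical)."""
    def __init__(self):
        self._store, self._grants = {}, set()
    def put(self, name, value):            # create or rotate a secret
        self._store[name] = value
    def grant(self, principal, name):      # allow one principal to read one secret
        self._grants.add((principal, name))
    def get(self, principal, name):
        if (principal, name) not in self._grants:
            raise PermissionError(f"{principal} may not read {name}")
        return self._store[name]

class App:
    """Stand-in for the application the connection authenticates to."""
    def __init__(self, token):
        self.token = token
    def authenticate(self, presented):
        return hmac.compare_digest(self.token, presented)

class Connection:
    """Configured with either a literal credential or a secret reference."""
    def __init__(self, app, literal=None, manager=None, ref=None):
        self.app, self.literal, self.manager, self.ref = app, literal, manager, ref
        self.refresh()
    def refresh(self):
        # Models disconnect + reconnect: a reference is resolved again, a literal is reused.
        self._cred = self.manager.get("workato", self.ref) if self.ref else self.literal
    def use(self):
        return self.app.authenticate(self._cred)

def rotate_demo():
    mgr, app = SecretsManager(), App("old-token")   # constructed sample values
    mgr.put("jira/api-token", "old-token")
    mgr.grant("workato", "jira/api-token")
    hardcoded = Connection(app, literal="old-token")
    by_ref = Connection(app, manager=mgr, ref="jira/api-token")
    before = (hardcoded.use(), by_ref.use())
    app.token = "new-token"                  # password reset in the application
    mgr.put("jira/api-token", "new-token")   # updated once, in the secrets manager
    stale = (hardcoded.use(), by_ref.use())
    hardcoded.refresh()
    by_ref.refresh()
    after = (hardcoded.use(), by_ref.use())
    return before, stale, after
```

`rotate_demo()` returns the authentication results for the hardcoded and the reference-based connection before the reset, after the reset but before a refresh, and after a refresh: only the reference-based connection recovers without editing its configuration.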

# Supported Secrets Managers

Workato's Secrets Management feature currently supports the following secrets managers:

# Using Secrets To Configure Connections

How secrets are used in Workato connections depends on the type of secrets manager you're using. Refer to the guide for your secrets manager for more info: