Skip to main content
The System Secret Vault is a secure storage mechanism provided by HookPulse to store sensitive values that are used during webhook execution. These secrets are hidden and get recalculated (computed) at the time of webhook call.

How It Works

System secrets are stored securely in the HookPulse vault and can be accessed in your webhook templates using a special syntax. When a webhook is executed, HookPulse automatically retrieves and injects the secret values into your webhook requests.

Template Syntax

To access a system secret in your webhook templates, use the following syntax: 
{{ #key }}
Where:
  • # is required to indicate this is a system secret
  • key is the variable name of the secret stored in the vault

Usage Examples

In Request Headers

{
  "headers_json": {
    "Authorization": "Bearer {{ #api_key }}",
    "X-API-Key": "{{ #service_api_key }}"
  }
}

In Request Body

{
  "request_body_json": {
    "api_token": "{{ #external_service_token }}",
    "client_secret": "{{ #oauth_client_secret }}"
  }
}

In Query Parameters

{
  "query_params_json": {
    "api_key": "{{ #third_party_api_key }}",
    "access_token": "{{ #service_access_token }}"
  }
}

In URL Path

{
  "path": "/api/{{ #service_id }}/webhook"
}

Security Features

  • Encrypted Storage: All secrets are stored encrypted in the HookPulse vault
  • Runtime Injection: Secrets are only retrieved and injected at the time of webhook execution
  • No Exposure: Secret values are never exposed in logs, responses, or documentation
  • Access Control: Only authenticated users with proper API credentials can manage secrets

Best Practices

  1. Use Descriptive Names: Choose clear, descriptive names for your secret keys (e.g., stripe_api_key instead of key1)
  2. Rotate Regularly: Update secret values periodically for enhanced security
  3. Separate Environments: Use different secrets for development, staging, and production
  4. Never Hardcode: Always use the vault instead of hardcoding sensitive values in your webhook templates