
SECRET VAULT

Managing Secrets

Add, view, edit, and delete secrets in the encrypted vault. Automatic scrubbing ensures secret values never leak to persisted files on disk.

Adding a new secret to the vault

Adding Secrets

The vault must be unlocked before you can add secrets. Once unlocked, click + Add Secret to create a new entry.

Enter a key (the secret's name/identifier)
Enter the value (the actual secret)
Click Save — the secret is encrypted immediately to vault.enc

Example secrets:

api_key       = sk-live-abc123
db_password   = p@ssw0rd
stripe_secret = sk_test_...

Viewing Secrets

Secrets are listed with their key names visible. Values are masked by default for security.

Values shown as •••••• by default
Click the show icon to reveal a value temporarily
Values are never shown in logs or persisted anywhere outside the encrypted vault

Editing

Click a secret to edit its value. The key name can also be changed.

Changes are encrypted and saved immediately
Old value is overwritten — there is no version history

Deleting

Click the × button to delete a secret.

A confirmation dialog appears before deletion
Secret is removed from vault.enc permanently
Secret sets referencing this key will show as unresolved

Automatic Secret Scrubbing

Vault secret values are automatically scrubbed from all persisted data before writing to disk. This prevents secrets from leaking into files that may be committed to git.

Scrubbed locations:

File            Scrubbed fields
history.json    Request headers, response body, cookies, script logs
snapshots.json  Response body, headers
session.json    Tab responses, auth-injected headers
config.json     Collection run results

How it works:

Literal string replacement — every occurrence of a secret value is replaced with its {{variable_name}} placeholder before the file is written.

Live UI shows real values. The response displayed in the webview is never scrubbed — you always see resolved secrets. Only on-disk persistence is protected.

Scope: Only vault secrets from the active Secret Set are scrubbed. Plain environment variables are not scrubbed — they are not designated as secrets.
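
The literal replacement described above, as an added JavaScript example that is not OpenPost's own code; the function names, sample secrets and sample text are assumptions. It goes beyond the page by also checking the scrubbed text for URL-encoded and base64 forms of a value, which a literal match does not cover.

```javascript
// Added example: hypothetical scrubber, not OpenPost's implementation.
// SECRETS and SAMPLE are constructed for illustration.
const SECRETS = {
  api_key: "sk-live-abc123",
  db_password: "p@ssw0rd",
  api_key_suffix: "abc123", // substring of api_key, exercises ordering
};
const SAMPLE = [
  "Authorization: Bearer sk-live-abc123",
  "body: user=demo&password=p%40ssw0rd",
  'response: {"echo":"p@ssw0rd","ref":"abc123"}',
].join("\n");

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Replace every literal secret value with {{key}} in a single pass.
// Longest values come first in the alternation so a short secret cannot
// split a longer one; one pass means placeholders are never re-scanned.
function scrub(text, secretMap) {
  const entries = Object.entries(secretMap)
    .filter(([, v]) => typeof v === "string" && v.length > 0)
    .sort((a, b) => b[1].length - a[1].length);
  if (entries.length === 0) return text;
  const keyByValue = new Map(entries.map(([k, v]) => [v, k]));
  const re = new RegExp(entries.map(([, v]) => escapeRe(v)).join("|"), "g");
  return text.replace(re, (m) => `{{${keyByValue.get(m)}}}`);
}

// Post-scrub check: list secrets still present literally or in an encoded
// form, which literal matching cannot see because it is a different string.
function findResidue(text, secretMap) {
  const hits = [];
  for (const [key, value] of Object.entries(secretMap)) {
    if (!value) continue;
    const forms = {
      literal: value,
      base64: Buffer.from(value).toString("base64"),
      urlencoded: encodeURIComponent(value),
    };
    for (const [form, needle] of Object.entries(forms)) {
      if (form !== "literal" && needle === value) continue; // same string
      if (text.includes(needle)) hits.push(`${key}:${form}`);
    }
  }
  return hits;
}

console.log(scrub(SAMPLE, SECRETS));
console.log(findResidue(scrub(SAMPLE, SECRETS), SECRETS));
```

A check like `findResidue` can run over a persisted file before it is committed, to flag encoded copies of a secret that the literal pass left in place.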

CLI Commands

Manage vault secrets from the command line:

Command                                  Description
openpost vault create                    Create a new vault
openpost vault unlock                    Unlock the vault for the current session
openpost vault add-secret <key> <value>  Add or update a secret
openpost vault list-secrets              List secrets (values masked)
openpost vault list-secrets --json       List secrets with revealed values (JSON output)
