The Ops Platform secrets feature is a key component in building a scalable and secure workflow automation system for your team. Running Ops from within Slack is convenient, but typing passwords or other secrets into the Slack UI is not secure: anything entered there is stored on Slack's servers and stays in the channel history. To solve this problem, the Ops Platform lets you connect a secrets provider to your Ops. (We currently support HashiCorp Vault and will add more providers in the future.) Your Ops then fetch secret values from the provider at run time, so the values never pass through Slack and stay under the provider's access controls.

Registering a Secrets Provider

To set up a secrets provider for your team, use HashiCorp Vault. Other secrets providers will be supported in the future.

To install Vault locally:

  1. Download the HashiCorp Vault binary and run it on your computer.
  2. From the directory where you downloaded the binary, start a dev-mode server: ./vault server -dev

Dev mode is for this walkthrough only: the server starts unsealed, keeps everything in memory (all data is lost when the process exits), listens on 127.0.0.1:8200 by default, and prints its root token to the console. Never run a dev-mode server in production.

Note: If you're using Vault on macOS, you may see an error the first time you try to run it, because the binary is not signed. To allow the executable to run, open System Preferences > Security & Privacy and choose "Open Anyway" next to the message that Vault was blocked.

  3. Retrieve ROOT_TOKEN from the server output (the line beginning Root Token:).
  4. Use that token to register your Vault with the Ops CLI. The Op runs in a Docker container, so host.docker.internal refers to your own machine, where the dev server is listening:

ops run @vahid/vault --url "http://host.docker.internal:8200" --token [ROOT_TOKEN] --team [YOUR_TEAM_NAME] configure

This sets up the team structure in the Vault and returns a new team token scoped to your team. Use the team token, not the root token, for everything that follows.

Note: You can retrieve your current team name by running: ops whoami

You can also use this Op to work with the team you created in the Vault. For example, to list the existing secrets:

ops run @vahid/vault --url "http://host.docker.internal:8200" --token [TEAM_TOKEN] --team [YOUR_TEAM_NAME] secret list

You can also check the contents of your Vault in the web UI at http://127.0.0.1:8200/ui/vault/secrets.

Note: once Vault is running, the Ops Platform needs to reach it, so you will need a stable URL that is accessible from the Internet. You would not do this for production; it is only for this exercise, and you should shut the tunnel down as soon as you are done.

Exposing your local Vault to the public Internet requires a tunnelling service such as https://ngrok.com

To set up ngrok, follow the steps at https://dashboard.ngrok.com/get-started. Essentially, you install the application and add your authentication token. After that, expose your local Vault as a public URL by running: ./ngrok http 8200. ngrok opens a terminal UI that shows the forwarding URL in use for your Vault; prefer the https:// URL so that your team token is not sent in the clear.

Once your Vault is set up and reachable over the Internet, you can register it with your team. Run ops secrets:register, then enter the URL (your public Vault URL from ngrok plus the team name, e.g., http://xxxx.ngrok.io/teamName) and the team token you received when you configured the provider for your team.

Adding a Secret

To add a new secret to the provider registered for your team, run ops secrets:set. You will be prompted for the key and the value to store.

Note: in the current build, secrets:set may fail against an empty provider (one that holds no secrets yet). You can work around this by adding the first secret with the Vault Op, using the same placeholders as above:

ops run @vahid/vault --url "[BASE_PROVIDER_URL]" --token [TEAM_TOKEN] --team [YOUR_TEAM_NAME] secret add key1 value1

After you have stored your secret, run ops secrets:list to see the results.

Using a Secret

To use a stored secret in one of your Ops or Workflows, use the SDK's 'secret' prompt type. The value is resolved from the secrets provider you registered for your team, so nobody has to type it into Slack:

const { ux } = require('@cto.ai/sdk')

const inputPrompts = [
  {
    type: 'secret',                  // resolved from your team's registered secrets provider
    name: 'keyName',                 // the key you stored with ops secrets:set
    message: 'Enter your secret here',
  },
]

// INPUT
async function main() {
  const { keyName } = await ux.prompt(inputPrompts)
  // use keyName here; do not print it back to the Slack channel
}

main()
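The page's motivation is that secrets must not pass through Slack, and the one place an Op can undo that is its own output: a command that echoes its request, or an error message that includes an Authorization header, will post the secret straight back into the channel. The following is an added example, not code from the Ops Platform docs or the @cto.ai/sdk project. It builds the 'secret' prompts shown above for one or more keys, runs a (constructed) call that leaks the token in two forms, and scrubs both forms before anything is printed. The helper names, the fake `ux` object used for the stand-alone demo, and the use of `ux.print` for output are assumptions; in a real Op you would pass the SDK's `ux` object into `runOp`.

```javascript
// Added example (not from the Ops Platform docs or @cto.ai/sdk).
// Fetches a stored secret through the SDK's 'secret' prompt type and
// redacts it from all output so it never lands in Slack message history.
// Assumed/hypothetical: helper names, the fake ux in the demo, ux.print.

// One 'secret' prompt per key stored with `ops secrets:set`.
function buildSecretPrompts(keyNames) {
  return keyNames.map((name) => ({
    type: 'secret',
    name,
    message: `Secret value for ${name}`,
  }))
}

// Replace every occurrence of each secret value with a placeholder.
// Both the raw value and its URL-encoded form are scrubbed, since tokens
// often surface in query strings. split/join sidesteps regex metacharacters;
// longest values go first so a short value that is a substring of a longer
// one cannot leave fragments behind. Empty values are skipped.
function redactSecrets(text, secrets) {
  const values = Object.values(secrets)
    .filter((v) => typeof v === 'string' && v.length > 0)
    .flatMap((v) => [v, encodeURIComponent(v)])
    .filter((v, i, arr) => arr.indexOf(v) === i)
    .sort((a, b) => b.length - a.length)
  return values.reduce((out, v) => out.split(v).join('[REDACTED]'), text)
}

// Constructed stand-in for a service call whose output echoes the request:
// the classic way a token leaks back into chat.
function callService(token) {
  return (
    `GET /v1/me?access_token=${encodeURIComponent(token)} -> 200 OK\n` +
    `Authorization: Bearer ${token}\n`
  )
}

// The Op body. `ux` is injected so the same code works with the real SDK
// (const { ux } = require('@cto.ai/sdk')) or with the fake used below.
async function runOp(ux, keyName = 'API_TOKEN') {
  const secrets = await ux.prompt(buildSecretPrompts([keyName]))
  const raw = callService(secrets[keyName])
  const safe = redactSecrets(raw, secrets)
  await ux.print(safe) // only the scrubbed text reaches Slack / the terminal
  return safe
}

// Stand-alone demo: a fake ux that returns a constructed secret value.
const fakeUx = {
  prompt: async (prompts) =>
    Object.fromEntries(prompts.map((p) => [p.name, 's3cr3t/tok+en'])),
  print: async () => {},
}

runOp(fakeUx).then((out) => console.log(out))
```

Redaction is a last line of defence, not a substitute for never interpolating the secret into log lines in the first place; it only catches values the Op knows about, so pass every prompted secret into `redactSecrets`, not just the one you think was used.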