Matt Fellows

Most of the data you store in Pactflow is dummy or test data - think of the "Joe" and "Bloggs" you use in the firstName and lastName fields of your User API. Any real customer or sensitive information should be scrubbed or de-identified before adding into a contract. But sometimes, you need to pass in sensitive information - for example, authentication details for a webhook. This is where secrets come in.

How they work

  • Each customer has a unique key generated and assigned to them when created
  • All secrets are encrypted with this key, and stored encrypted in our database
  • Secrets once created, cannot be viewed again - any log file that knows about a given secret will automatically redact it, replacing it with "********"

Creating a new secret

You can find the new Secrets screen by navigating to Settings (the little cog icon) in the top right-hard corner, and choosing "Secrets" from the menu.

Add a new secret
  • Name: the variable name may not have spaces, and contain only alpha-numeric characters
  • Description: giving the secret a memorable description will be helpful when referring to it later on
  • Value: any string value for the secret
Creating a secret

Using secrets

Currently, secrets are supported only in the Webhooks feature. Secrets are now first-class citizens in the system, and will be added to other interfaces in the future as needed.

Once you've created the secret, you can now use it in your Webhooks. You can use the secret, in any location a dynamic variable is supported (currently Headers, Body, and the Basic Authentication username and password).

Using a secret in a Webhook Payload

The secret is also handily loaded into the "Dynamic Variables" help context, so that you can see which variables are available when creating the Webhook:

Using a secret in Webhook Basic Authentication mode

When you run a test, you'll note any secrets are securely redacted:

Available Now

Secrets are available now and you can start using them today. Aside from updating any existing Webhooks to use secret values, you don't need to change anything else on the clients side - it should just work ™️.

Got feedback for us? We'd love to hear from you. Simply drop us a line at or follow us on Twitter

Integrate Deeper with our Developer API 🧿
22 November 2023

Integrate Deeper with our Developer API 🧿

Announcing the launch of PactFlow’s Developer API.

3 min read

Unveiling of the SwaggerHub + PactFlow Integration
17 January 2023

Unveiling of the SwaggerHub + PactFlow Integration

API designers and developers can harness the power the contract testing at scale to deploy with confidence, knowing updates to their API specification will not result in a breaking change.

2 min read

arrow-up icon