Skip to main content
Secrets in Checkly are a specialized form of data designed specifically for sensitive information that needs to be kept secure while remaining accessible to your monitoring. Secrets allow you to store sensitive data for use in checks. Once saved secrets are never shown in the UI or in logs. The secret value cannot be accessed via the CLI or API. Secrets handle the truly sensitive elements—API keys, passwords, authentication tokens, and any other information that could compromise security if exposed. Both variables and secrets are encrypted at rest and in flight. However, Secrets go further by ensuring that once stored, their values become completely invisible to users, appearing only as masked values in interfaces while remaining fully functional in your monitoring code.

Secrets in Practice

Secrets integrate seamlessly into your monitoring workflow while maintaining security. You reference them in your code using the same syntax as regular environment variables, but they remain protected throughout the entire execution pipeline. This means you can write monitoring logic that authenticates with services, accesses protected endpoints, and performs realistic user scenarios without compromising security. Use secrets in your scripts using standard Node.js syntax: process.env.MY_SECRET or by using {{handlebars}} syntax in applicable API check fields.

Real-World Secrets Examples

Here’s how you might use Secrets in real monitoring scenarios:

API Authentication Example:

Browser Login Flow Example:

Database Connection Example:

Managing Secrets via CLI:

Payment Processing Example:

Secrets as Security Foundation

Secrets represent the foundation of secure monitoring practices. They enable you to test and monitor authenticated workflows, private APIs, and sensitive user journeys while maintaining the security posture that modern applications require. By centralizing secret management within your monitoring platform, you eliminate the risk of credentials being scattered across scripts, configuration files, or team communications. The power of Secrets lies in making security invisible to your monitoring logic—your Checks work exactly the same whether they’re using public endpoints or accessing the most sensitive parts of your application, but the security model ensures that sensitive information never leaves the protected environment.

Alternative: Dynamic Secret Detection

For browser checks and multistep checks, you can also use dynamic secret detection. This approach allows you to retrieve secrets at runtime (from external vaults like Azure Key Vault, AWS Secrets Manager, etc.) and have them automatically scrubbed from logs and traces.
This is particularly useful for organizations that prefer not to store secrets in Checkly and want to maintain their existing secret management infrastructure. Learn more about dynamic secret scrubbing.

Using secrets in alert channels

Secrets also work in alert-channel configurations — webhook URLs, API keys, PagerDuty service keys, and any other literal-secret field accept the same {{NAME}} reference syntax. See Alert channels for details and the inline promote-to-secret affordance.

Security and Usability Balance

Use dedicated test users, test cards etc. These test users should have minimal privileges in your app. Do not use your admin or root user. Make sure you can easily disable or block these users without recourse. Keep secrets separate from your browser scripts and store them as environment secrets in Checkly. This way you can reuse secrets in multiple scripts and rotate them as needed.