Credentials

Manage secrets, API keys, and OAuth connections for your workflows

Credentials provide a secure way to manage API keys, tokens, and third-party service connections across your workflows. Instead of hardcoding sensitive values into your workflow, you store them as credentials and reference them at runtime.

Sim supports two categories of credentials: secrets for static values like API keys, and OAuth accounts for authenticated service connections like Google or Slack.

Getting Started

To manage credentials, open your workspace Settings and navigate to the Secrets tab.

Settings modal showing the Secrets tab with a list of saved credentials

From here you can search, create, and delete both secrets and OAuth connections.

Secrets

Secrets are key-value pairs that store sensitive data like API keys, tokens, and passwords. Each secret has a key (used to reference it in workflows) and a value (the actual secret).

Creating a Secret

Create Secret dialog with fields for key, value, description, and scope toggle

  1. Click + Add and select Secret as the type
  2. Enter a Key name (letters, numbers, and underscores only, e.g. OPENAI_API_KEY)
  3. Enter the Value
  4. Optionally add a Description to help your team understand what the secret is for
  5. Choose the Scope — Workspace or Personal
  6. Click Create

Using Secrets in Workflows

To reference a secret in any input field, type {{ to open the dropdown. It will show your available secrets grouped by scope.

Typing {{ in a code block opens a dropdown showing available workspace secrets

Select the secret you want to use. The reference will appear highlighted in blue, indicating it will be resolved at runtime.

A resolved secret reference shown in blue text as {{OPENAI_API_KEY}}

Secret values are never exposed in the workflow editor or logs. They are only resolved during execution.

Bulk Import

You can import multiple secrets at once by pasting .env-style content:

  1. Click + Add, then switch to Bulk mode
  2. Paste your environment variables in KEY=VALUE format
  3. Choose the scope for all imported secrets
  4. Click Create

The parser supports standard KEY=VALUE pairs, quoted values, comments (#), and blank lines.
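
The following is an added example, not Sim's own parser: a minimal .env-style parser covering the cases listed above, which also enforces the key-name rule from "Creating a Secret" and reports problems by line number and reason only, so secret values never reach an error log. The function name, the error shape, and the rejection of duplicate keys are assumptions of this example.

```javascript
// Added example, not Sim's parser. The sample input below is constructed.
const KEY_RE = /^[A-Za-z0-9_]+$/; // key rule stated on this page

function parseEnvBulk(text) {
  const secrets = new Map(); // Map, so a key such as __proto__ is plain data
  const errors = [];         // line number and reason only, never the value
  const fail = (line, reason) => errors.push({ line, reason });

  text.split(/\r?\n/).forEach((raw, i) => {
    const n = i + 1;
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return; // blank line or comment

    const eq = line.indexOf("="); // split on the first '=' only
    if (eq === -1) return fail(n, "missing '='");

    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (!KEY_RE.test(key)) return fail(n, "invalid key name");
    if (secrets.has(key)) return fail(n, "duplicate key"); // assumption: reject

    const q = value[0];
    if (q === '"' || q === "'") {
      // A quoted value must close with the same quote character.
      if (value.length < 2 || !value.endsWith(q)) return fail(n, "unterminated quote");
      value = value.slice(1, -1);
    }
    secrets.set(key, value);
  });
  return { secrets, errors };
}

// Constructed sample input; none of these are real keys.
const SAMPLE = [
  "# payment and model providers",
  "OPENAI_API_KEY=sk-example-123",
  "",
  'DB_PASSWORD="p@ss=word #1"',
  "bad-key=value",
  "NO_EQUALS_HERE",
  "TOKEN='unterminated",
  "OPENAI_API_KEY=second",
].join("\n");

const result = parseEnvBulk(SAMPLE);
console.log([...result.secrets.keys()], result.errors); // key names only
```
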

OAuth Accounts

OAuth accounts are authenticated connections to third-party services like Google, Slack, GitHub, and more. Sim handles the OAuth flow, token storage, and automatic refresh.

You can connect multiple accounts per provider — for example, two separate Gmail accounts for different workflows.

Connecting an OAuth Account

Create Secret dialog with OAuth Account type selected, showing display name and provider dropdown

  1. Click + Add and select OAuth Account as the type
  2. Enter a Display name to identify this connection (e.g. "Work Gmail" or "Marketing Slack")
  3. Optionally add a Description
  4. Select the Account provider from the dropdown
  5. Click Connect and complete the authorization flow

Using OAuth Accounts in Workflows

Blocks that require authentication (e.g. Gmail, Slack, Google Sheets) display a credential selector dropdown. Select the OAuth account you want the block to use.

Gmail block showing the account selector dropdown with a connected account and option to connect another

You can also connect additional accounts directly from the block by selecting Connect another account at the bottom of the dropdown.

If a block requires an OAuth connection and none is selected, the workflow will fail at that step.

Workspace vs. Personal

Credentials can be scoped to your workspace (shared with your team) or kept personal (private to you).

| | Workspace | Personal |
|---|---|---|
| Visibility | All workspace members | Only you |
| Use in workflows | Any member can use | Only you can use |
| Best for | Production workflows, shared services | Testing, personal API keys |
| Who can edit | Workspace admins | Only you |
| Auto-shared | Yes — all members get access on creation | No — only you have access |

When a workspace and personal secret share the same key name, the workspace secret takes precedence.

Resolution Order

When a workflow runs, Sim resolves secrets in this order:

  1. Workspace secrets are checked first
  2. Personal secrets are used as a fallback — from the user who triggered the run (manual) or the workflow owner (automated runs via API, webhook, or schedule)
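
The resolution order above, as an added example rather than Sim's implementation: it shows that on a name clash the workspace value is used, and that an automated run draws personal secrets from the workflow owner, not from whoever called the API or webhook. The store layout, the trigger names, and failing the run on an unresolved reference are assumptions of this example.

```javascript
// Added example with a hypothetical data model; not Sim's implementation.
const REF_RE = /\{\{([A-Za-z0-9_]+)\}\}/g;
const AUTOMATED = new Set(["api", "webhook", "schedule"]);

// Whose personal secrets back the run: the triggering user for manual runs,
// the workflow owner for automated ones.
function personalScopeFor(run) {
  if (run.trigger === "manual") return run.triggeredBy;
  if (AUTOMATED.has(run.trigger)) return run.workflowOwner;
  throw new Error("unknown trigger type: " + run.trigger);
}

function resolveRefs(input, run, store) {
  const personal = store.personal.get(personalScopeFor(run)) || new Map();
  const sources = new Map(); // key -> scope that supplied it, for auditing
  const missing = [];
  // A function replacement inserts the value literally, so "$&" or "$1"
  // inside a secret is not treated as a replacement pattern.
  const output = input.replace(REF_RE, (ref, key) => {
    if (store.workspace.has(key)) {
      sources.set(key, "workspace"); // workspace wins on a name clash
      return store.workspace.get(key);
    }
    if (personal.has(key)) {
      sources.set(key, "personal");
      return personal.get(key);
    }
    missing.push(key);
    return ref;
  });
  // Assumption: fail the run instead of sending a literal "{{KEY}}" onward.
  // The error names keys only, never values.
  if (missing.length) throw new Error("unresolved secrets: " + missing.join(", "));
  return { output, sources };
}

// Constructed sample data; users and values are placeholders.
const STORE = {
  workspace: new Map([["STRIPE_SECRET_KEY", "ws-stripe"]]),
  personal: new Map([
    ["alice", new Map([["STRIPE_SECRET_KEY", "alice-stripe"], ["OPENAI_API_KEY", "alice-openai"]])],
    ["bob", new Map([["OPENAI_API_KEY", "bob-openai"]])],
  ]),
};
const TEMPLATE = "{{STRIPE_SECRET_KEY}}|{{OPENAI_API_KEY}}";
const manualRun = { trigger: "manual", triggeredBy: "bob", workflowOwner: "alice" };
console.log([...resolveRefs(TEMPLATE, manualRun, STORE).sources]);
```
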

Access Control

Each credential has role-based access control:

  • Admin — can view, edit, delete, and manage who has access
  • Member — can use the credential in workflows (read-only)

When you create a workspace secret, all current workspace members are automatically granted access. Personal secrets are only accessible to you by default.

Sharing a Credential

To share a credential with specific team members:

  1. Click Details on the credential
  2. Invite members by email
  3. Assign them an Admin or Member role

Best Practices

  • Use workspace credentials for production so workflows work regardless of who triggers them
  • Use personal credentials for development to keep your test keys separate
  • Name keys descriptively: STRIPE_SECRET_KEY over KEY1
  • Connect multiple OAuth accounts when you need different permissions or identities per workflow
  • Never hardcode secrets in workflow input fields — always use {{KEY}} references
