Skip to content
Stand with Ukraine flag
Star
 
Pricing Try it now

Secrets Storage

Secrets storage is a secure vault for sensitive data such as API keys, tokens, passwords, and certificates. All values are encrypted at rest using the AES-256 algorithm and are never exposed in plain text to end users.

Instead of hard-coding credentials into integrations or rule chains, you reference a named secret. If the credential changes, you update it once in Secrets storage and all references update automatically — no need to edit each integration individually.

Creating a secret

Section titled “Creating a secret”

Navigate to Security → Secrets storage and click the + icon in the top-right corner to open the Add secret dialog.

ThingsBoard supports two secret types:

TypeUse case
TextPasswords, API keys, tokens — any text value
FileCertificates and other binary or multi-line file content

Procedure

  1. Navigate to Security → Secrets storage.
  2. Click the + icon in the top-right corner.
  3. Select the type: Text or File.
  4. Enter a name for the secret (e.g., Loriot account password).
  5. Enter the value (for Text type) or upload a file (for File type).
  6. Optionally add a description.
  7. Click Add.

ThingsBoard encrypts the value immediately on save. The raw value is never stored or displayed again.

Updating a secret value

Section titled “Updating a secret value”

You can update the value of any existing secret at any time. The secret name and type cannot be changed after creation — only the value.

  1. On the Secrets storage page, locate the secret in the list.
  2. Click the Change value icon (circular arrow) at the end of the row.
  3. Enter the new value.
  4. Click Save.

All integrations and rule chains referencing this secret will automatically use the updated value.

Using secrets in ThingsBoard

Section titled “Using secrets in ThingsBoard”

Secrets can be used in any place that displays a key icon next to an input field — typically credential fields in integrations and rule node configurations.

  1. In a credential field that supports secrets, click the key icon (Use secret).
  2. In the Use secret dialog, select Use storage to reference an existing secret, or Create new to define one inline.
  3. Select the desired secret from the dropdown list.
  4. Click Use.

The field now displays the secret name (not its value). The actual value is resolved by ThingsBoard at runtime and is never sent to the browser.

Managing access to Secrets storage

Section titled “Managing access to Secrets storage”

Access to Secrets storage is controlled via ThingsBoard’s Role-Based Access Control (RBAC).

You can grant or restrict the following operations independently:

  • Read — view the list of secrets (names and descriptions, not values)
  • Write — create new secrets and update existing values
  • Delete — remove secrets from storage

Assign these permissions to custom roles and attach those roles to user groups to implement a least-privilege access model.

Deleting a secret

Section titled “Deleting a secret”
  1. On the Secrets storage page, click the trash bin icon at the end of the row.
  2. Confirm the deletion by clicking Yes in the confirmation dialog.

Deletion is permanent and unrecoverable. All references to the deleted secret in integrations or rule chains will break and must be updated manually.

Best practices

Section titled “Best practices”
  • Always use Secrets storage instead of hard-coding sensitive values in integration configuration forms.
  • Apply the principle of least privilege: grant Write and Delete permissions only to users who need them.
  • Use descriptive names (e.g., Production MQTT broker password) to make secrets easy to identify.
  • Rotate secrets regularly and update their values in Secrets storage — all references update automatically.
  • Before deleting a secret, search for all integrations and rule chains that reference it to avoid broken configurations.
© 2026 The ThingsBoard Authors