Secret Variables
Credentials should never be committed to a .bru file. Vegha gives you two complementary ways to handle sensitive values: masking and secret:// references.
Marking a variable as secret
Section titled “Marking a variable as secret”Any environment variable can be marked as secret. A secret variable behaves like a normal variable when resolved, but its value is masked in the UI so it is not shown on screen or in logs.
| Behavior | Plain variable | Secret (masked) variable |
|---|---|---|
| Resolved into requests | Yes | Yes |
| Value visible in the UI | Yes | Masked |
Value stored in the .bru file | Yes | Yes |
secret:// references
Section titled “secret:// references”For values that must never be stored, use a secret:// URI. It points at an external secret manager instead of holding the value itself:
secret://provider/path#field| Part | Meaning |
|---|---|
provider | The secret manager, for example azure-key-vault |
path | The path or name of the secret in that manager |
field | The specific field within the secret |
The reference is resolved at send time and the real value is never written to disk. This is the safest option for production credentials.
client_secret = secret://azure-key-vault/prod-api#client-secretUse a secret:// reference anywhere a variable works — environment values, auth fields, headers, and bodies.
Masked variable vs secret:// reference
Section titled “Masked variable vs secret:// reference”| Masked variable | secret:// reference | |
|---|---|---|
| Value stored locally | Yes (in .bru) | No |
| Resolved at | Save time | Send time |
| Safe to commit | No | Yes (the URI, not the secret) |
Use a masked variable for low-risk values you do not mind keeping locally; use a secret:// reference for anything that must stay out of version control.
Supported providers
Section titled “Supported providers”secret:// references currently resolve against:
- Azure Key Vault
- AWS Secrets Manager
See the Secret managers overview for setup and per-provider details.