Aug 27, 2025
Aug 27, 2025
Starting today, Secrets is moving into Open Beta. This means every ngrok user can create and use secrets, no Early Access required.
Earlier this year we announced Traffic Policy Secrets was entering Early Access. Secrets help you keep sensitive values like API keys and passwords out of your policy YAML by storing them in encrypted vaults and referencing them dynamically at runtime. This separation not only improves the overall security posture of your traffic policies, but also enables easier reuse and rotation of sensitive values that would otherwise be hardcoded in traffic policy.
You can create, update, and delete secrets via the ngrok API and CLI. Support for vaults and secrets will come to the dashboard as part of a future release. After creation, secrets can be used in your traffic policies with the secrets.get() macro.
Here’s a quick example with our CLI:
# Create a vault
ngrok api vaults create --name "vault-o-secrets"
# Store a secret in the vault
ngrok api secrets create --name "password" \
--value "hunter2" \
--vault-id "vault_123456"Reference the secret in a policy with the basic-auth action:
on_http_request:
- actions:
- type: basic-auth
config:
credentials:
- "brian:${secrets.get('vault-o-secrets', 'password')}"In the coming weeks we’re adding support for the Kubernetes External Secrets Operator. The External Secrets Operator is a Kubernetes project that syncs secrets from external stores into your cluster. Once available, this integration will enable you to sync secrets from your Kubernetes environment directly into ngrok vaults for use in your traffic policies.
Stay tuned!
Check out the docs on Traffic Policy Secrets to learn how to create vaults, store secrets, and use them in your policies.
Additional resources to help you get started:
And if you have questions or feedback, join the conversation on Discord!