> ## Documentation Index
> Fetch the complete documentation index at: https://qodex.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# How do I keep secrets from leaking into scenarios and findings?

> Keep credentials out of saved content by using variables, encrypted auth profiles, and evidence redaction.

# How do I keep secrets from leaking into scenarios and findings?

Do not put secrets directly in scenarios, chats, findings, memory, or docs.

Store credentials in environments and auth profiles, then reference them with variables. Qodex substitutes the real values only when a test runs.

## Use variables in scenarios

Use variables such as `${API_BASE_URL}`, `${AUTH_TOKEN}`, `${AUTH_EMAIL}`, and `${AUTH_PASSWORD}` instead of literal credentials.

```json theme={null}
{
  "method": "POST",
  "target": "${API_BASE_URL}/login",
  "body": {
    "email": "${AUTH_EMAIL}",
    "password": "${AUTH_PASSWORD}"
  }
}
```

The saved scenario stays portable and does not contain the secret value.

## Store credentials in the right place

Use:

* Environments for base URLs and target-specific values.
* Auth profiles for login credentials, tokens, and OAuth details.
* BYOK settings for provider API keys.

Sensitive values are encrypted at rest before persistence. In the UI, saved secrets should appear masked instead of plaintext.

## Redaction is a safety net

Qodex redacts common secret shapes from captured evidence, including bearer tokens, JWT-like strings, GitHub tokens, AWS-style keys, and high-entropy values.

Redaction helps when a response accidentally echoes a secret. It should not be your first line of defense.

## Avoid secrets in these places

* Scenario JSON.
* Finding titles or descriptions.
* Chat messages.
* Memory files.
* Documentation examples.
* PR comments.

## Self-hosted note

In self-hosted deployments, encrypted credentials depend on `QODECLAW_SECRET_KEY`.

If you lose that key, encrypted secrets cannot be recovered and must be re-entered.

## Next steps

<CardGroup cols={2}>
  <Card title="Secret management" icon="key" href="/self-hosted-secret-management">
    Understand encryption at rest.
  </Card>

  <Card title="Auth profiles" icon="key" href="/api-testing-auth-profiles">
    Store reusable login credentials.
  </Card>

  <Card title="Environment variables" icon="settings" href="/self-hosted-environment-variables">
    Configure self-hosted secrets safely.
  </Card>

  <Card title="Sensitive endpoints" icon="lock" href="/security-testing-sensitive-endpoints">
    Handle risky routes carefully.
  </Card>
</CardGroup>
