Variables in Enterprise
KeyRunner supports three types of environment variables. These are designed to fit both local development and enterprise-grade, secure environments. Here's how they work:
1. Non-Sensitive Variables
- Stored locally on the user’s machine and encrypted at rest
- Visible in the UI and logs
- Ideal for values like:
BASE_URL- Headers
- Timeouts, etc.
{
"env": {
"BASE_URL": "https://api.example.com"
}
}2. Sensitive Variables
- Also stored locally, and encrypted at rest
- Masked in UI and logs
- Great for use cases like:
- API keys
- Session tokens
- Local dev secrets
These are still local, but treated securely.
{
"env": {
"API_TOKEN": "••••••••••"
}
}3. KCSV (KeyConnector Secret Variables)
- Enterprise-only, designed for high-trust environments
- Secrets are never stored, displayed, or accessible by any user or developer
- Managed and fetched at runtime by KeyConnector, a lightweight, Docker-based agent deployed in your own infrastructure
KeyConnector integrates seamlessly with secret stores:
- AWS Secrets Manager
- HashiCorp Vault
- Google Secret Manager
- Azure Key Vault
Execution Flow:
- User references a variable like
{kcsv:prod_api_key} - KeyConnector authenticates the request using an access token
- If authorized, it pulls the secret securely from your store
- Executes the API request inside your infrastructure
- Returns only the response (no secret ever leaves your boundary)
Why It Matters:
✅ Designed for:
- Zero trust and least privilege: Secrets are never exposed to users or client machines
- Machine-to-machine automation: Ideal for CI/CD, production tests, or internal tooling
- Auditability: Every request is logged, and execution requires a valid identity token
- Compliance-friendly: Secrets remain within your regulated environment, supporting SOC2, ISO27001, HIPAA, etc.
In this model, even if someone has UI access, they cannot retrieve or view secrets. Secrets are resolved and executed in a black-box manner.
KCSV can be used across local, staging, and production environments. Since it's attached at the project level, any workspace or user within that project can utilize the same secret references — ensuring consistency without compromising security
How It Resolves at Runtime
When a request is executed:
- KeyRunner first checks local non-sensitive/sensitive variables
- If unresolved and KCSV is configured, KeyConnector is queried
- If no match found, request fails with
Unresolved Variable
This enables one request definition to run:
- On a dev machine using local env vars
- In dev,staging or production using KCSV — without modifying a single line
Variable Auto-Completion in UI
When you type { in any input field, KeyRunner shows autocomplete with variable types:
| Prefix | Type |
|---|---|
E | Local Environment Variable |
R | Random Variable |
HV | HashiCorp Vault |
AWSV | AWS Secrets Manager |
KCSV | KeyConnector Secret Variable |
GCPV | GCP Secrets Manager |
AZV | Azure Key Vault |
This instant feedback reduces error, boosts consistency, and makes switching between environments frictionless.
Example
GET {{E:BASE_URL}}/user
Authorization: Bearer {{KCSV:api_key_patients_portal}}- Local/dev:
E:BASE_URLis a sensitive variable stored on the dev machine - Prod/CI:
KCSV:api_key_patients_portalis a KCSV — KeyConnector fetches from Vault/AWS/etc. and executes securely
KeyRunner is built to scale with your team — from solo devs to regulated enterprises. Whether you're running local tests or deploying through secure pipelines, the same request structure works safely and consistently.
Need help integrating KeyConnector or enforcing least privilege in your org? Reach out — we’re happy to guide you.