About account secrets
Embloy allows you to store sensitive information ("secrets"), such as access tokens, client tokens or 3rd party API keys which are neccessary to enable integrations.
Keep in mind to not share your tokens with anyone. While you can deactivate tokens issued by Embloy, 3rd-party API keys can only be edited and managed using the respective 3rd-party service.
Manage secrets
To list and manage your secrets, you can simply check on the "secrets" tab in your Embloy Genius settings.
You can also use our REST API to create, update, delete, and retrieve information about secrets that can be used in Embloy workflows and integrations.
Deactivate secrets
If you want to deactivate a certain secret, you can do so by selecting the secret in the "secrets" tab of your Embloy Genius settings and pressing on the "deactivate secret" button. If a secret has been deactivated, it can't be used until it is reactivated. You can deactivate and reactivate secrets as many times as you want, as long as they are not expired.
To avoid the unnecessary storage of sensitive information, expired tokens will automatically be deleted one month after expiration.
Upload 3rd-party API keys
To enable certain integrations, you will have to upload an API key issued by the third party service to Embloy. To do so, follow the instructions of the 3rd-party and once generated, simply copy and paste the API key into a new Embloy-secret in the "secrets" tab of your Embloy Genius settings. Make sure to select the name of the 3rd party for the issuer option, as the API key can't be used otherwise.
Only sandbox users or users with a valid Embloy subscription are allowed to create and update tokens.
Rest assured that all secrets are first encrypted and then stored using a symmetric-key algorithm. If you have any concerns, please contact us and we'll do our best to help you.
Embloy secrets
Embloy secrets are structured as follows:
| Field | Allowed Values | Default Value |
|---|---|---|
name | Any string | "Automatically generated token" |
token_type | refresh_token, access_token, request_token, client_token, api_key | (automatically set depending on action) |
issuer | embloy, ashby, lever, softgarden, ... | embloy |
encrypted_token | - | (hashed secret) |
encrypted_token_iv | - | (random initialization vector) |
expires_at | Any valid ISO 8601 date string in the future | (depends on token type, but usually between one hour and one year) |
issued_at | Any valid ISO 8601 date string in the past | (current time) |
last_used_at | Any valid ISO 8601 date string in the past | N/A |
active | true, false | true |
scopes | Any string | N/A |
token | Any string | N/A |
Please note that the unencrypted token value is not saved anywhere and only visible when:
- You explicitly request access to it via the Genius dashboard
or
- when it is required to call a 3rd-party API