Managed Variables & Secrets
The Air Pipe platform allows you to store common variables and encrypted variables or secrets to be used across your hosted and self-hosted configurations.
Usecases
- Common variables such as endpoint addresses eg.
https://commonThirdPartyService.com/api/ - Database connection strings (encrypted mode)
- Credentials (encrypted mode)
How
Adding
- Login to the platform -> https://app.airpipe.io
- Select the appropriate organization
- Click on
Variablesin the menu - Click
Add New- Enter a name and description (it is recommended to avoid overlapping names)
- The
Valueis the content of your variable - Only select
Encryptif you are storing a sensitive variable eg. secret- Note: as with all encryption related tasks they will carry a performance overhead when used during the access and decryption process
- Select the appropriate permission
- If you are using role based permissions note that the hosted
configurationorapi keybeing used must also have the matching role to access this variable
- If you are using role based permissions note that the hosted
Accessing
To substitute a managed variable the following convention is followed a|ap_var::<NameOfTheVariable>|.
-
Assume we have stored a variable called
MyThirdPartyServicewith the value ofhttps://something.com/api/. -
This means we can access the variable with
a|ap_var::MyThirdPartyService| -
We can place this for substitution in nearly any area of your configuration file
-
If you selected
Encrypt, the value is decrypted seamlessly at runtime.Access a query parameteractions:
name: doSomething
http:
url: a|ap_var::MyThirdPartyService|/someroute?id=a|params::id|
# ^^ access the value of `MyThirdPartyService` to build the complete url ^^
How it works
var:: vs ap_var:: vs secret::
Air Pipe has three ways to reference stored values — don't confuse them:
| Marker | Source | Scope |
|---|---|---|
a|var::NAME| | global.variables in the config itself | This config |
a|ap_var::NAME| | Managed variables stored on the platform | Organization (shared across configs) |
a|secret::NAME| | global.secrets in the config (local/Vault/AWS KMS/command — see Secrets) | This config |
This page covers ap_var:: — the platform-managed variables.
Encryption
Encrypted managed variables use AES-256-GCM envelope encryption: a master key (held by the platform) protects a per-organization key, which in turn protects each value with its own nonce. Decryption happens only at runtime, at the moment of interpolation — the list/UI never returns decrypted values. Encryption adds a small per-access overhead, so only encrypt genuinely sensitive values.
Environments
A managed variable can hold a single value, or separate staging and
production values. When both are set, Air Pipe picks the right one based on
the environment the request runs under. When you set per-environment values you
must provide both staging and production (or just the single base value) —
not one on its own.
Permissions
Each variable has a permission: PUBLIC, USER_PRIVATE, USER_WITH_PUBLIC_READ
(default), ROLE_PRIVATE, or ROLE_WITH_PUBLIC_READ. For the ROLE_* levels,
the hosted configuration or api key accessing the variable must carry the
matching role.
Variable names are not enforced to be unique — lookups match by organization + name and take the first result, so avoid reusing a name for different values.