Nov 14, 2025

Secrets for Traffic Policy debuts in the dashboard and goes GA

•

594 words

•

Secrets for Traffic Policy is now generally available.

Earlier this year, we announced Secrets for Traffic Policy as an API-first feature to separate sensitive values like API keys and passwords out of your policy YAML by storing them in encrypted vaults and referencing them dynamically at runtime. This separation not only improves the overall security posture of your traffic policies, but also enables easier reuse and rotation of sensitive values you would otherwise hard-code.‍

The GA launch includes:

Dashboard integration for managing vaults and secrets
Kubernetes External Secrets Operator support to sync secrets into ngrok while keeping existing secret stores as the source of truth
Stability and API improvements from early feedback and testing

How to use a Secret in your Traffic Policy

When you have a sensitive secret string, like a webhook verification key, create a secret for it. You’ll put the secret in a vault and give the secret a unique name.

Then use the secret by referencing the secret in your Traffic Policy with the secrets.get() macro. Here’s an example with the verify-webhook action:

on_http_request:
  - actions:
      - type: verify-webhook
        config:
          provider: github
          secret: "${secrets.get('webhooks-vault', 'github-secret')}"

Manage your Vaults and Secrets in the dashboard

As part of the GA launch, we’ve shipped a brand new secrets management experience in the dashboard. Use the new interface to manage your vaults and secrets. We’ve also made it easy to integrate secrets into your traffic policies with copy/pastable snippets.

Viewing all Vaults in the ngrok
dashboard — View and edit Vaults and Secrets in the ngrok dashboard

Viewing the secrets within a single vault in the ngrok
dashboard — View Vault contents in the ngrok dashboard

Create (or sync) a secret, paste the macro into your policy, and you’re done. After that, rotate the secret from the dashboard, CLI, API, or External Secrets Operator without touching the policy.

Viewing a new secret and copying its related
macro — Create, update, or delete Secrets in the ngrok dashboard

Other ways to manage your Vaults and Secrets

In addition to the ngrok dashboard, we also support working with vaults and secrets via our API or through the CLI.

If you're part of a Kubernetes-native team, the Kubernetes External Secrets Operator (ESO) integration to continuously syncs secrets from external managers (e.g., Vault, AWS Secrets Manager, GCP Secret Manager.) into ngrok vaults and secrets. Your external stores remain the source of truth, while ngrok gets always-fresh, referenceable secrets (including seamless rotation). For more information, see our announcement on the ESO integration.

When should you use Vaults and Secrets?

Secrets are a great fit for Traffic Policy actions that depend on sensitive strings—separating the secret from the policy makes them easy to reuse and rotate, reduces noise, and shifts credential management out of the policies themselves.

We recommend you use secrets whenever you use actions like:

Get started with Vaults and Secrets

Vaults and secrets are available today for all users. Start by creating a vault, adding your first secret, and dropping the secrets.get() macro into a policy.

Need more info? Check out the overview docs on Traffic Policy Secrets or consult the API docs linked below:

Have questions or want to request a new feature? We’d love to hear from you, file an issue in our ngrok Community Repo or hit us up at support@ngrok.com.