Skip to main content

Secrets

Secrets in Qefro are credentials used by Business Tools and channel integrations — API keys, bearer tokens, and similar material. They must stay server-side, encrypted at rest, and rotated when people or vendors change.

Short definition (citation-ready)

Qefro stores Business Tool and integration credentials encrypted in the tenant’s configuration. Publishable widget tokens are intentionally public channel keys; they are not substitutes for end-user or admin secrets.

What counts as a secret

MaterialWhere it livesPublic?
Business Tool API keys / tokensEncrypted tool credentialsNo
Channel / Meta credentialsAdmin Console integration configNo
User passwords / session JWTsAuth subsystemNo
Widget tokenAdmin Console + browser embedYes (publishable)
End-user JWT via identify()Passed per session to toolsShort-lived; your app issues it

Architecture

Rules of thumb

  1. Never put long-lived admin or CRM keys in website JavaScript.
  2. Never paste production secrets into prompts, tickets, or chat transcripts.
  3. Prefer scoped vendor keys (read-only order lookup ≠ full admin API).
  4. Rotate secrets on staffing changes and after OpenAPI reimports that change auth.
  5. Use identify() so your API can authorize the end user separately from the tool’s service credential.

Workflow

Add a tool secret safely

  1. Create a least-privilege keyIn your system of record, scope to the minimum paths/methods.
  2. Store in Admin ConsoleAttach the credential to the Business Tool — do not commit it to git.
  3. Test in consoleVerify success and failure paths before enabling chat.
  4. Enable for assistantsMonitor tool logs for unexpected calls.
  5. Rotate on changeRevoke old keys when people leave or vendors rotate.

FAQ

Can Qefro staff read my tool secrets?
Operational access is restricted; treat Qefro like any SaaS processor and complete a DPA/security review for regulated workloads. Ask Sales for the current questionnaire pack.
Are secrets visible in tool logs?
Design assumes credentials are not echoed back. Still avoid putting secrets in URL query strings your APIs might log.
What about environment variables on Enterprise private deploy?
Private deployments follow your secret manager. See Deployment docs and talk to Sales for Enterprise packaging.