Secrets
Secrets in Qefro are credentials used by Business Tools and channel integrations — API keys, bearer tokens, and similar material. They must stay server-side, encrypted at rest, and rotated when people or vendors change.
Short definition (citation-ready)
Qefro stores Business Tool and integration credentials encrypted in the tenant’s configuration. Publishable widget tokens are intentionally public channel keys; they are not substitutes for end-user or admin secrets.
What counts as a secret
| Material | Where it lives | Public? |
|---|---|---|
| Business Tool API keys / tokens | Encrypted tool credentials | No |
| Channel / Meta credentials | Admin Console integration config | No |
| User passwords / session JWTs | Auth subsystem | No |
| Widget token | Admin Console + browser embed | Yes (publishable) |
End-user JWT via identify() | Passed per session to tools | Short-lived; your app issues it |
Architecture
Rules of thumb
- Never put long-lived admin or CRM keys in website JavaScript.
- Never paste production secrets into prompts, tickets, or chat transcripts.
- Prefer scoped vendor keys (read-only order lookup ≠ full admin API).
- Rotate secrets on staffing changes and after OpenAPI reimports that change auth.
- Use
identify()so your API can authorize the end user separately from the tool’s service credential.
Workflow
Add a tool secret safely
- Create a least-privilege key — In your system of record, scope to the minimum paths/methods.
- Store in Admin Console — Attach the credential to the Business Tool — do not commit it to git.
- Test in console — Verify success and failure paths before enabling chat.
- Enable for assistants — Monitor tool logs for unexpected calls.
- Rotate on change — Revoke old keys when people leave or vendors rotate.
Related product surfaces
- Business Tools
- What are Business Actions?
- Secure Business Actions
- Website Widget (publishable token)
FAQ
Can Qefro staff read my tool secrets?
Operational access is restricted; treat Qefro like any SaaS processor and complete a DPA/security review for regulated workloads. Ask Sales for the current questionnaire pack.
Are secrets visible in tool logs?
Design assumes credentials are not echoed back. Still avoid putting secrets in URL query strings your APIs might log.
What about environment variables on Enterprise private deploy?
Private deployments follow your secret manager. See Deployment docs and talk to Sales for Enterprise packaging.