A Secret is a real credential: an OpenAI key, a Stripe key, a database password. You give it to Latch once. Latch encrypts it, and never gives it back. Not to you, not to the dashboard, not to a caller. From that point on you refer to it by name.
This is the whole trick. Everything else in Latch exists to let something use a credential without holding it.
Binding a credential
Secrets → New secret opens "Bind a credential".
| Field | What it is |
|---|---|
| Name | How you will refer to it. Must be unique. |
| Type | api_key, bearer_token, oauth_token, oauth_client, oauth_refresh, webhook, or custom. Descriptive; it does not change behaviour. |
| Credential | The secret itself. Write-only: once saved you cannot read it back. |
| Inject as | How Latch presents it to the upstream. See below. |
Inject as
The upstream expects the credential in a particular place. This tells Latch where to put it when it forwards a request.
| Mode | What Latch sends |
|---|---|
bearer |
Authorization: Bearer <credential> |
api_key_header |
An API-key header, e.g. X-API-Key: <credential> |
custom_header |
A header you name, carrying the credential |
query_param |
A query parameter you name |
body |
A field injected into the request body |
custom_header and query_param take a key: the header name, or the parameter
name.
Get this wrong and the upstream will reject your calls with its own 401, which is a confusing failure because the pipeline allowed the request. If a latch is returning the upstream's 401, check the injection mode before you check the policy.
Viewing a secret
The Secrets page lists each credential and the latches derived from it. There is no "reveal" button, because there is nothing to reveal: the plaintext left the building when you saved it.
Deleting a secret cascades to every latch derived from it, and the dashboard warns you before it does.
Rotating a credential
Rotation is a property of the secret, not the latches. Update the credential, and
every latch that derives from it immediately forwards the new one. Nothing that
holds a lat_ token needs to change, because no lat_ token ever contained the
credential in the first place.
The inverse is also true and is the point: revoking a latch does not require rotating the credential. Delete the latch, and the agent holding it is cut off while every other consumer keeps working.
Next
- Latches: the scoped tokens you actually hand out.
- Filter reference: what you can restrict.