Securely store credentials and secrets.
Reference → Modules → Security → UI → RuntimeUsers | Users | Permissions | Policies | Secrets | Monitor
Security Secrets (Reference): Securely store and manage sensitive credentials such as passwords, API keys, and connection strings without exposing plain-text values in your configuration.
Security Secrets provide:
- Centralized credential storage
- AES-256 encrypted value protection, decrypted server-side only
- Integration with Datasets (DB connections)
- Integration with Devices/TagProviders (MQTT, OPC UA, etc.)
- Administrative control over sensitive values
Configuration Properties
Access at: Security → Secrets
Property | Description | Required | Access Control |
|---|---|---|---|
Name | Unique identifier for the secret. Referenced from other tables as | Yes | All users |
SecretType | Type of credential (Password, APIKey, Token) — currently informational; all three types resolve through the same mechanism. | Yes | All users |
SecretValue | Encrypted credential value (AES-256) | Yes | Administrators only |
Description | Documentation of usage/purpose | No | All users |
Important: Only administrators can view or edit SecretValue. Standard users can reference secrets in configurations but cannot see the actual values.
Secret Reference Syntax
A secret is referenced (never pasted inline) from any password or credential field using a single, platform-wide syntax:
/secret:<Name>
The colon form is the stored syntax that FrameworX resolves at runtime. Older documentation showing a dash form (/secret-<Name>) is stale — use the colon form.
In the Designer, most fields that accept a secret reference render with a dropdown picker that writes the correct /secret:<Name> value for you; the field may also display a friendly label like [Secret: <Name>] — that is the UI label, while the stored value is always /secret:<Name>.
Embedded form (composite strings)
Inside a larger configuration string (such as a connection string that mixes plain text and one or more secrets), the embedded form is used:
#</secret:<Name>/secret>
The same server-side resolver decrypts both forms.
Where it resolves
Resolution happens server-side during value decryption. Password-bearing fields that already flow through the platform's TPassword decryption pipeline get secret resolution automatically — consumer modules (Dataset, Device, TagProvider, Historian) do not implement their own lookup. A missing or misnamed reference silently returns the raw text unchanged, which means the downstream connection attempt will fail as if the password were wrong; check the audit log to diagnose.
Usage in Configurations
Datasets Integration
When configuring database connections:
- Navigate to Datasets → DBs
- In the LogonPassword field, either type the reference directly or click the secret picker
- The field stores
/secret:<Name>; the Designer may display it as[Secret: <Name>] - Connection uses the decrypted value at runtime
Stored value example:
Database: RuntimeUsers Authentication: SQL Server Auth Username: dbuser LogonPassword: /secret:DBRuntimePass
See Datasets DBs Reference for the complete DB-row schema.
Device/TagProvider Integration
For MQTT, OPC UA, and other protocols:
- Navigate to Devices → Channels or TagProviders
- In authentication fields, use the secret reference syntax
- Format:
/secret:<SecretName>
Example:
MQTT Broker Authentication: Username: mqttuser Password: /secret:MQTTBrokerPass
Script Access
For security reasons, there is no access to secrets via script, only through the configuration UI in each scenario where secrets can be applied.
Configuration Examples
Basic Secret Setup
Name | SecretType | SecretValue | Description |
|---|---|---|---|
DBProductionPass | Password | ******** | Production SQL Server |
MQTTBrokerPass | Password | ******** | MQTT cloud broker |
Runtime Users Database Example
- Create secret:
- Name:
RuntimeUsersDBPass - Type:
Password - Value:
[encrypted] - Description:
RuntimeUsers SQL authentication
- Name:
- Use in Dataset:
- Go to Datasets → DBs → RuntimeUsers
- Set the LogonPassword field to:
/secret:RuntimeUsersDBPass
Security Considerations
Access Control Matrix
Action | Administrator | Engineer | Guest |
|---|---|---|---|
Create Secret | Yes | Yes | Yes |
Edit SecretValue | Yes | No | No |
View SecretValue | No | No | No |
Reference in Config | Yes | Yes | Yes |
View Secret List | Yes | Yes | Yes |
Encryption Details
- Values encrypted using AES-256
- Stored encrypted in the solution file
- Decrypted only at runtime, server-side
- Never logged in plain text
- Not included in solution exports — the target system must recreate values
Best Practices
Naming Conventions
Pattern | Example | Use For |
|---|---|---|
|
| Database passwords |
Implementation Guidelines
- Create secrets before configuration
- Define all secrets in the Security module first
- Then reference in other modules using
/secret:<Name>
- Use descriptive names
- Good:
ProductionSQLPass - Bad:
Secret1
- Good:
- Document usage
- Always fill the Description field
- Include where the secret is used
- Note rotation schedule if applicable
- Regular rotation
- Change production secrets periodically
- Update the SecretValue — references stay the same
- Test thoroughly after changes
- Environment separation
- Use different secrets for Dev/Test/Production
- Name accordingly:
DevDBPass,ProdDBPass
Migration and Portability
Exporting Solutions
When exporting solutions:
- Secret names and types are exported
- Secret values are NOT exported
- The target system must recreate values
/secret:<Name>references in consumer fields carry over unchanged — recreate the secrets with the same Names to keep references valid
Import Process
- Import solution to new system
- Navigate to Security → Secrets
- For each secret, enter appropriate value
- Test all connections
Troubleshooting
Common Issues
Issue | Cause | Solution |
|---|---|---|
Connection fails as if password is wrong | Reference uses the older dash form | Use the colon form |
"Access denied" when editing a secret | Insufficient permissions | Use administrator account |
Connection fails after rotation | New SecretValue incorrect or caching | Verify and re-enter value; restart the consuming connector or reload the project |
Secret list empty | Filter applied | Check module filter settings |
Validation
Test secret configuration:
- Create test secret
- Reference in test connection as
/secret:<Name> - Verify connection succeeds
- Check runtime logs for errors
Audit Trail
Secret operations are logged:
- Creation/modification timestamp
- User who made changes
- NOT the actual values
See Also
- Security Module Reference — Complete security documentation
- Datasets DBs Reference — LogonPassword accepts
/secret:<Name> - Security Module How-to — Security guidelines
In this section...