Secret input

Learn about making some Actor input fields secret and encrypted. Ideal for passing passwords, API tokens, or login cookies to Actors.


The secret input feature allows you to mark some Actor input fields as secret, causing them to be encrypted when saving an input for an Actor. The input can then be decrypted only inside the Actor.

Setting an input field as secret

To make an input field secret, add the "isSecret": true setting to that field in the Actor's input schema, like this:

{
    // ...
    "properties": {
        // ...
        "password": {
            "title": "Password",
            "type": "string",
            "description": "A secret, encrypted input field",
            "editor": "textfield",
            "isSecret": true
        },
        // ...
    },
    // ...
}

The editor for this input field will then turn into a secret input, and when you edit the field value, it will be stored encrypted.

Secret input editor

This is only available for string inputs, and the editor type is limited to textfield or textarea.

Reading secret input fields

When you read the Actor input through Actor.getInput(), the encrypted fields are automatically decrypted, without any additional code needed (starting with the apify package version 3.1.0).

> await Actor.getInput();
{
    username: 'username',
    password: 'password'
}

If you read the INPUT key from the Actor run's default key-value store directly, you will still get the original, encrypted input value.

> await Actor.getValue('INPUT');
{
    username: 'username',
    password: 'ENCRYPTED_VALUE:Hw/uqRMRNHmxXYYDJCyaQX6xcwUnVYQnH4fWIlKZL2Vhtq1rZmtoGXQSnhIXmF58+DjKlMZpTlK2zN3YUXk1ylzU6LfXyysOG/PISAfwm27FUgy3IfdgMyQggQ4MydLzdlzefX0mPRyixBviRcFhRTC+K7nK9lkATt3wJpj91YAZm104ZYkcd5KmsU2JX39vxN0A0lX53NjIenzs3wYPaPYLdjKIe+nqG9fHlL7kALyi7Htpy91ZgnQJ1s9saJRkKfWXvmLYIo5db69zU9dGCeJzUc0ca154O+KYYP7QTebJxqZNQsC8EH6sVMQU3W0qYKjuN8fUm1fRzyw/kKFacQ==:VfQd2ZbUt3S0RZ2ciywEWYVBbTTZOTiy'
}

Encryption mechanism

The encryption mechanism used for encrypting the secret input fields is the same dual encryption as in PGP.

The secret input field is encrypted with a random key using the aes-256-gcm cipher, and that key is then encrypted using a 2048-bit RSA key. The RSA key is unique for every user and Actor combination. No Actor can decrypt input meant for runs of another Actor by the same user, and no user can decrypt input meant for runs of the same Actor by a different user.

The decryption keys are passed to the Actor runs as environment variables, so the input decryption happens only inside of the Actor run.
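The hybrid scheme described in this section can be sketched with Node's built-in crypto module. This is an added example, not Apify's own code: the RSA-OAEP padding, the 12-byte IV, the serialized layout and the function names are assumptions made for illustration.

```javascript
// Added illustration of hybrid (envelope) encryption: AES-256-GCM for the value,
// RSA-2048 for the AES key. Padding, IV size and layout are assumptions,
// not Apify's wire format.
const crypto = require('node:crypto');

const PREFIX = 'ENCRYPTED_VALUE';
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// One RSA key pair per user and Actor combination, as the page describes.
function generateKeyPair() {
    return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

function encryptSecret(publicKey, plaintext) {
    const key = crypto.randomBytes(32); // fresh AES-256 key for every value
    const iv = crypto.randomBytes(12);  // GCM nonce, never reused with the same key
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
    const sealed = Buffer.concat([iv, body, cipher.getAuthTag()]);
    // Only the holder of the RSA private key can recover the AES key.
    const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
    return `${PREFIX}:${wrappedKey.toString('base64')}:${sealed.toString('base64')}`;
}

function decryptSecret(privateKey, value) {
    const [prefix, wrappedB64, sealedB64] = value.split(':');
    if (prefix !== PREFIX || !wrappedB64 || !sealedB64) {
        throw new Error('not an encrypted value');
    }
    const wrappedKey = Buffer.from(wrappedB64, 'base64');
    const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey);
    const sealed = Buffer.from(sealedB64, 'base64');
    const iv = sealed.subarray(0, 12);
    const body = sealed.subarray(12, sealed.length - 16);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(sealed.subarray(sealed.length - 16));
    // final() throws if the ciphertext or the tag was altered.
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Returns true when decryption is rejected (wrong key pair or tampered data).
function isRejected(privateKey, value) {
    try { decryptSecret(privateKey, value); return false; } catch { return true; }
}
```

A value sealed for one key pair is rejected by any other key pair, which is the property that keeps one user and Actor combination from reading another's input.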

Example Actor

If you want to test the secret input live, check out the Example Secret Input Actor in Apify Console. If you want to dig in deeper, you can check out its source code on GitHub.