Skip to content
Docs
flero.ai

Managing credentials

The Credentials screen lives at Settings → Credentials (alias: Integrations). Everything you need is in one place: add, search, test, edit, scope, audit, revoke.

📸 Screenshot needed: credentials__list.png, Settings → Credentials view with a table of 6 credentials across various services, filter pills (All / Personal / Workspace / Organization / OAuth / API key) above, and the green Add credential button in the top-right.

The screen

Filter pills (top):

  • All / Personal / Workspace / Organization, scope filter
  • OAuth 2.0 / API key / Basic auth / Custom, type filter

Search field: matches name, service, or notes.

View toggle: grid (cards) or list (table).

Add credential (top-right): opens the credential dialog.

Per-row actions (overflow menu): Edit, Test, Duplicate, Rotate, Revoke, Delete.

Each credential row shows:

  • Service icon and name.
  • Display name (yours; can be anything).
  • Auth type.
  • Scope chip.
  • Last used timestamp.
  • Status (active / expired / failing).

Adding a credential

  1. Click Add credential.

    📸 Screenshot needed: credentials__add-dialog-oauth.png, Enhanced Credential dialog with the Service picker open showing Slack / Salesforce / AWS / Google / Stripe, and the auth type radios visible below.

  2. Service, pick from the dropdown (or type to search). 40+ options including Slack, Salesforce, AWS, Google Workspace, Microsoft 365, Stripe, Shopify, GitHub, …

  3. Display name, what you call it (e.g. "Acme prod Slack"). This is shown in node inspectors when you pick the credential.

  4. Auth type, pre-filled based on the service. Most services support one or two of:

    • OAuth 2.0, browser hand-off (preferred for most consumer SaaS)
    • API key, paste a token
    • Basic auth, username + password
    • Bearer token, paste a long-lived token
    • Custom headers, for unusual schemes

  5. Scope, who can use this credential (see Credential scope)

  6. Fill in the auth-specific fields:

    • OAuth: click Authorize to start the browser flow (OAuth flow)
    • API key: paste the key
    • Basic: username + password

  7. Test connection, Flero makes a no-op call to verify the credential works.

  8. Save.

Editing

Click any credential row → the same dialog opens in edit mode. You can change the display name, scope, and notes freely. Re-authenticating (replacing the underlying token) requires going through the auth flow again, useful when a token has expired.

Testing

Click the Test action. Flero makes a low-impact call to the service (auth.test for Slack, whoami for GitHub, etc.) and reports back:

  • Success, credential works.
  • Failure, error message displayed inline. Common: expired token (re-auth), wrong scope (the service rejects), revoked.

Rotation

Most API keys should be rotated every 90 days. To rotate:

  1. Click the credential → Rotate action.
  2. Generate a new key in the external service's dashboard.
  3. Paste it.
  4. Save.

Flero updates the stored secret without affecting any workflow, node configurations reference credentials by ID, not by token value.

For OAuth, "rotation" is a re-authentication. Click Re-authenticate in the credential's edit view.

Revocation

To remove a credential's ability to act without deleting it:

  • Revoke, marks the credential as revoked locally. Nodes that reference it fail with a clear "credential revoked" error.
  • Delete, permanently removes the credential row. Nodes that reference it fail with "credential not found".

Revoke is reversible (un-revoke from the same action); Delete is not.

For a credential that's been leaked, you also need to revoke the underlying token in the external service's dashboard. Flero's revoke only stops Flero from using it.

Audit

Every credential has an audit log: who created it, who's used it (with timestamps), every edit, every revocation. Open the credential → Audit log tab.

Particularly useful when investigating "what credential was active when this happened?"

Using a credential in a workflow

In a node's inspector, the Credential field is a dropdown. Pick from the credentials your scope grants you access to. + Add new credential opens the dialog inline so you can create one without leaving the editor.

If a credential expires or is revoked, the node's status chip in the editor turns red with a "credential not usable" message.

Tips & gotchas

  • Per-service guidance lives in the connector catalog. Each connector page documents what scopes / permissions are needed in the external service. Some services need an admin to enable an OAuth app first.
  • Avoid duplicate credentials. Two credentials for the same Slack workspace cause confusion; one with workspace scope is better.
  • Don't store secrets in environment variables unless they're not really secrets. $env.STRIPE_PUBLIC_KEY is fine; $env.STRIPE_SECRET_KEY is not. Use credentials.
  • Test before going live. A workflow that fails on its first webhook fire because the credential is wrong is awkward. Always click Test first.

Found something out of date? This page lives in the Flero docs content set.