Everything you need to know about RuneSpoke Hub
The encrypted store for every secret RuneSpoke needs to call third parties on your behalf. Four kinds of credentials live here, and they're not the same - confusing them is the #1 cause of setup pain. Read this before you start filling things in.
/dashboard?component=admin-credentials has four tabs because four different concepts share that storage. Pick the right tab for the job.

| Kind | When to use | Direction | Needs secret? |
|---|---|---|---|
| Environment secrets | VERCEL_TOKEN, AWS_DEPLOY_KEY, custom env vars | RuneSpoke → 3rd party | Yes (the value) |
| API tokens | Provider API keys: Anthropic, OpenAI, GitHub PAT, etc. | RuneSpoke → 3rd party | Yes (the key) |
| OAuth apps | Advanced. Only when overriding RuneSpoke's bundled Sign-in apps with your own | 3rd party → user → RuneSpoke | Depends on flow (PKCE = no) |
| Webhooks | Receiver URLs to paste into their webhook config | 3rd party → RuneSpoke | Optional (signing secret stored as an env secret) |
Free-form NAME=value pairs. Anything you'd otherwise put in a .env file: deploy tokens (Vercel, AWS, Cloudflare), service-specific API keys that aren't tied to a structured provider integration, custom webhook signing secrets you want shared across instances.
Values are encrypted with AES-256-GCM at write time. Plaintext is only decrypted in-memory when an upstream feature needs the value. You can rotate any entry without breaking dependents - the lookup is by name, not by row id.
Long-lived tokens for calling a specific provider's API. The vault stores them keyed by provider and name so you can have github / production and github / staging side by side.
For AI provider keys (OpenAI, Anthropic, Google) used by the AI Ops gateway, use the AI Ops → Provider keys tab instead. Same encryption, but those rows are scoped per-org so different teams can roll their own keys without colliding.
RuneSpoke ships with its own GitHub / Slack / Google / etc OAuth apps so users can click "Sign in with X" without anyone configuring anything. This tab is only for enterprise customers who want users redirected to their company's OAuth app instead of ours.
When you do use it:
https://<your-domain>/api/auth/<provider>. That's where the provider sends users back after they consent. It's mandatory for authorization-code flow; required for PKCE too (the provider still needs to know where to redirect).

"Doesn't OAuth not need secrets?" - Yes for public clients (SPAs, mobile apps) using PKCE. RuneSpoke is a server-side Next.js app, so the token exchange step has somewhere safe to hold a secret and the classic flow works. If your IdP supports PKCE-only, you can skip the secret entirely - the backend handles both.
Webhooks are the opposite direction from OAuth: the provider POSTs events to us. GitHub fires a webhook when a PR opens, Linear fires when an issue is assigned, Vercel fires on deploy state changes. We process the event and update the relevant RuneSpoke records.
The Webhooks tab is a read-only inventory of every URL RuneSpoke accepts events at. Copy the URL into the provider's webhook configuration screen on their side. For providers that sign their payloads (most of them), the signing secret is stored as an env secret with the name shown in the table.
You do not "register" or "enable" a webhook on this tab - the endpoint is always open, signature-validated. The tab just tells you which URL to paste where.
CREDENTIALS_VAULT_KEY env var (256-bit). Rotate that by re-encrypting all rows offline - there's a script.
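
The name-keyed AES-256-GCM storage and the master-key re-encryption described above, sketched as an added example (this is not RuneSpoke's code or its rotation script). `createVault`, the in-memory `Map` standing in for the table, and binding each entry's name as GCM associated data are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: rows live in an in-memory Map keyed by secret name (stand-in for the table).
function createVault(initialKey) {
  let vaultKey = checkKey(initialKey);
  const rows = new Map();

  function checkKey(key) {
    if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error('vault key must be 256-bit');
    return key;
  }
  function seal(key, name, value) {
    const iv = crypto.randomBytes(12); // fresh 96-bit nonce on every write
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    cipher.setAAD(Buffer.from(name, 'utf8')); // assumption: bind the row to its name
    const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
    return { iv, ct, tag: cipher.getAuthTag() };
  }
  function open(key, name, row) {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, row.iv);
    decipher.setAAD(Buffer.from(name, 'utf8'));
    decipher.setAuthTag(row.tag);
    // final() throws if the key, name, ciphertext or tag does not match
    return Buffer.concat([decipher.update(row.ct), decipher.final()]).toString('utf8');
  }
  return {
    rows,
    // Writing under an existing name rotates the entry; readers look up by name only.
    put(name, value) { rows.set(name, seal(vaultKey, name, value)); },
    get(name) {
      const row = rows.get(name);
      if (!row) throw new Error(`no secret named ${name}`);
      return open(vaultKey, name, row);
    },
    // Master-key rotation: re-encrypt every row, swap only if all rows verified.
    rekey(newKey) {
      checkKey(newKey);
      const next = [...rows].map(([name, row]) => [name, seal(newKey, name, open(vaultKey, name, row))]);
      for (const [name, row] of next) rows.set(name, row);
      vaultKey = newKey;
    },
  };
}
```

Because the name is authenticated along with the ciphertext, a row copied under a different name fails decryption instead of silently returning another secret's value.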