Skip to main content
Dynamic secret scrubbing automatically removes sensitive values from logs, traces, screenshots with text, and report trees. Set environment variables with the CHECKLY_SECRET_* prefix and the runtime will scrub those values from all output.

How it works

Assign values to process.env.CHECKLY_SECRET_* in your check code: 
// Direct assignment
process.env.CHECKLY_SECRET_API_KEY = 'your-secret-value'

// From external sources
process.env.CHECKLY_SECRET_PASSWORD = await getFromAzureKeyVault('db-password')
process.env.CHECKLY_SECRET_TOKEN = await fetchFromVault('auth-token')
The runtime automatically detects these variables and scrubs their values from:
  • Check logs
  • Trace files
  • Screenshots containing text
  • Report trees

Supported patterns

// Bracket notation
process.env['CHECKLY_SECRET_DATABASE_URL'] = connectionString

// Direct assignment
process.env.CHECKLY_SECRET_AUTH_TOKEN = token

// Dynamic retrieval
process.env.CHECKLY_SECRET_PAYMENT_KEY = await vault.get('payment-api-key')

Limitations

  • Check types: Only works in browser checks and multistep checks
  • Value format: Must be a string (empty strings, null, undefined, numbers, objects, and arrays are ignored)
  • Size limit: Values cannot exceed 128KB (~128,000 characters)
// This works ✅
const apiKey = process.env.CHECKLY_SECRET_API_KEY

// This doesn't work ❌
const key = 'CHECKLY_SECRET_' + 'API_KEY'
const apiKey = process.env[key]

Example usage

import { test } from '@playwright/test'

test('API call with scrubbed credentials', async ({ page }) => {
  // Set secrets at runtime
  process.env.CHECKLY_SECRET_API_TOKEN = await getTokenFromVault()
  process.env.CHECKLY_SECRET_USER_ID = await getCurrentUserId()
  
  // Use in your test - values will be scrubbed from results
  await page.request.post('/api/data', {
    headers: {
      'Authorization': `Bearer ${process.env.CHECKLY_SECRET_API_TOKEN}`,
      'X-User-ID': process.env.CHECKLY_SECRET_USER_ID
    }
  })
})

Runtime compatibility

This feature is available from runtime 2024.09 onwards. For private locations running older agent versions, contact support for access.