Environments
Store secrets and configuration variables in one place, available across webhook middleware,
cron jobs, and MCP services. Reference them with {{env.KEY_NAME}} syntax.
How It Works
Environment variables are a centralized way to manage configuration that's shared across multiple HookWatch services. Unlike Cron Secrets which are specific to cron jobs, environment variables can be scoped to any service.
- Create a variable with a key, value, scope, and optional description
- Secret values are encrypted with AES-256; non-secret values are stored as-is
- Reference the variable in templates using
{{env.KEY_NAME}} - At runtime, variables are resolved based on the service scope
Service Scopes
Control where each variable is available by setting its scope:
| Scope | Available In |
|---|---|
all | All services: webhooks, cron, and MCP (default) |
webhook | Webhook middleware and routing rules only |
cron | Cron jobs and cron chains only |
mcp | MCP server configurations only |
Template Syntax
Reference environment variables using the {{env.KEY}} syntax in any supported template
field:
Scope Filtering
Only variables matching the current service scope (or all) are available at
runtime. A variable scoped to webhook won't be resolved in a cron job.
Secret vs Plain Values
Variables can be marked as secret or plain:
| Type | Storage | API Behavior |
|---|---|---|
is_secret: true | AES-256 encrypted | Value never returned in API responses |
is_secret: false | Encrypted (same storage) | Value never returned in API responses |
Security Note
All values are encrypted at rest regardless of the is_secret flag. The flag controls
how the value is displayed in the dashboard (masked vs visible).
Base URL
https://api.hookwatch.dev/v1/environmentThe Environment Variable Object
Values are never included in API responses. Only the key, scope, and metadata are returned.
Properties
| Field | Type | Description |
|---|---|---|
id | string | Unique identifier |
user_id | string | Owner user ID |
team_id | string | Team ID (if team-scoped) |
key | string | Variable name (unique per user, e.g., API_SECRET_KEY) |
is_secret | boolean | If true, value is AES-256 encrypted at rest |
scope | string | Where the variable is available: all, webhook, cron, or mcp |
description | string | Optional human-readable description |
Create Variable
Create a new environment variable.
POST /v1/environmentRequest Body
| Field | Type | Required | Description |
|---|---|---|---|
key | string | Yes | Variable name (must be unique per user) |
value | string | Yes | Variable value (encrypted if is_secret is true) |
is_secret | boolean | No | Encrypt the value at rest (default: true) |
scope | string | No | Service scope: all, webhook, cron, or mcp (default: all) |
description | string | No | Optional description for the variable |
Example
List Variables
Retrieve all environment variables for the authenticated user.
GET /v1/environmentResponse
Get Variable
Retrieve a specific environment variable by ID.
GET /v1/environment/:idUpdate Variable
Update a variable's value, description, or scope. The key is immutable.
PUT /v1/environment/:idRequest Body
| Field | Type | Description |
|---|---|---|
value | string | New value (re-encrypted if secret) |
description | string | Updated description |
scope | string | Updated scope: all, webhook, cron, or mcp |
Delete Variable
Permanently delete an environment variable.
DELETE /v1/environment/:idWarning
Any templates referencing this variable via {{env.KEY}} will fail to resolve
at runtime.
Error Codes
| Status | Error | Description |
|---|---|---|
400 | Bad Request | Missing key or value, invalid scope |
401 | Unauthorized | Invalid or missing access token |
404 | Not Found | Variable not found or access denied |
409 | Conflict | A variable with this key already exists |