Assets & Vault
The Vault stores sensitive values — passwords, API keys, database connection strings — encrypted at rest with AES-256. Bots reference assets by name; the Runner resolves the actual value at runtime without it ever appearing in the script.
How Assets work
An Asset has a Group and a Name. These become an environment variable injected into every bot run in the format:
KLANGO_ASSET_{GROUP}_{NAME}For the special group GLOBAL, a second variable is also injected without the group prefix:
KLANGO_ASSET_GLOBAL_{NAME}
KLANGO_{NAME} # convenience alias for GLOBAL group onlyIn your Python script, read the asset value from the environment:
import os # Asset group=MYAPP, name=API_KEY api_key = os.environ["KLANGO_ASSET_MYAPP_API_KEY"] # GLOBAL group convenience password = os.environ["KLANGO_PASSWORD"]
In Studio's Map Edit, you can insert asset tokens directly into action value fields using the format {{ASSET.GROUP.NAME}}. Studio resolves the variable name for you — no manual string construction needed.
Creating Assets
Go to Web Console → Assets → New Asset (requires Dev role or above).
- Name — identifier within the group (e.g.
PASSWORD) - Group — logical namespace (e.g.
MYAPP) - Description — optional note for teammates
- Values — separate values for Dev, Staging, and Prod environments
Values are encrypted before being written to the database. Only the Runner can decrypt them at job dispatch time — they are never returned to browser clients via the API.
Environments (Dev / Staging / Prod)
Each Asset stores three independent values — one per environment. When dispatching a bot, queue, trigger, or workflow, you choose which environment to use:
Dev
Default. Used during development and testing. Pick this for ad-hoc manual runs.
Staging
Pre-production credentials. Useful for integration testing against a staging server.
Prod
Live credentials. Use for scheduled triggers and production queues only.
The selected environment is shown as a badge in the History view on each execution record, so you always know which credential set was used.
Bot-Exclusive Assets
By default, all assets in a workspace are injected into every bot run (workspace-wide assets). As your workspace grows, this can pollute the environment with credentials irrelevant to a particular bot.
Bot-exclusive assetsbelong to a single bot. They appear only in that bot's runs and are hidden from the shared Assets list.
Creating bot-exclusive assets:
- Studio — click the 🔒 Bot Assets button in Map Edit toolbar.
- Web Console— open a bot's gear menu → Bot Assets.
The asset form is identical to workspace-wide assets. The key difference is that KLANGO_ASSET_{GROUP}_{NAME} will only be injected when that specific bot runs — not for others.
Using Assets in Data Sources
Data Source connection strings (SQL) and IMAP server credentials (Email) can contain asset tokens. At runtime, the Runner substitutes the token with the actual value before opening the connection.
# SQL connection string in Studio
Server=db.example.com;Database=myapp;Password={{ASSET.DB.PASSWORD}}
# IMAP password field in Email Data Source
{{ASSET.EMAIL.IMAP_PASS}}This means your connection strings are never stored in plain text in the bot definition or session map — only the token reference is saved.