KlangoRPA logoKlangoRPA
Assets & Vault

Assets & Vault

The Vault stores sensitive values — passwords, API keys, database connection strings — encrypted at rest with AES-256. Bots reference assets by name; the Runner resolves the actual value at runtime without it ever appearing in the script.

How Assets work

An Asset has a Group and a Name. These become an environment variable injected into every bot run in the format:

KLANGO_ASSET_{GROUP}_{NAME}

For the special group GLOBAL, a second variable is also injected without the group prefix:

KLANGO_ASSET_GLOBAL_{NAME}
KLANGO_{NAME}   # convenience alias for GLOBAL group only

In your Python script, read the asset value from the environment:

import os

# Asset group=MYAPP, name=API_KEY
api_key = os.environ["KLANGO_ASSET_MYAPP_API_KEY"]

# GLOBAL group convenience
password = os.environ["KLANGO_PASSWORD"]

In Studio's Map Edit, you can insert asset tokens directly into action value fields using the format {{ASSET.GROUP.NAME}}. Studio resolves the variable name for you — no manual string construction needed.

Creating Assets

Go to Web Console → Assets → New Asset (requires Dev role or above).

  1. Name — identifier within the group (e.g. PASSWORD)
  2. Group — logical namespace (e.g. MYAPP)
  3. Description — optional note for teammates
  4. Values — separate values for Dev, Staging, and Prod environments

Values are encrypted before being written to the database. Only the Runner can decrypt them at job dispatch time — they are never returned to browser clients via the API.

Note — Group and Name become part of the environment variable name. Use only letters, numbers, and underscores. Spaces and special characters are not allowed.

Environments (Dev / Staging / Prod)

Each Asset stores three independent values — one per environment. When dispatching a bot, queue, trigger, or workflow, you choose which environment to use:

Dev

Default. Used during development and testing. Pick this for ad-hoc manual runs.

Staging

Pre-production credentials. Useful for integration testing against a staging server.

Prod

Live credentials. Use for scheduled triggers and production queues only.

The selected environment is shown as a badge in the History view on each execution record, so you always know which credential set was used.

Tip — Leave the Dev value filled for local testing, and only populate Prod when you're ready to run against live systems. An empty value simply resolves to an empty string — it won't throw an error unless your script checks for it.

Bot-Exclusive Assets

By default, all assets in a workspace are injected into every bot run (workspace-wide assets). As your workspace grows, this can pollute the environment with credentials irrelevant to a particular bot.

Bot-exclusive assetsbelong to a single bot. They appear only in that bot's runs and are hidden from the shared Assets list.

Creating bot-exclusive assets:

  • Studio — click the 🔒 Bot Assets button in Map Edit toolbar.
  • Web Console— open a bot's gear menu → Bot Assets.

The asset form is identical to workspace-wide assets. The key difference is that KLANGO_ASSET_{GROUP}_{NAME} will only be injected when that specific bot runs — not for others.

Note — If a bot-exclusive asset has the same Group + Name as a workspace-wide asset, the bot-exclusive value wins for that bot. Useful for overriding a shared config with a bot-specific value.

Using Assets in Data Sources

Data Source connection strings (SQL) and IMAP server credentials (Email) can contain asset tokens. At runtime, the Runner substitutes the token with the actual value before opening the connection.

# SQL connection string in Studio
Server=db.example.com;Database=myapp;Password={{ASSET.DB.PASSWORD}}

# IMAP password field in Email Data Source
{{ASSET.EMAIL.IMAP_PASS}}

This means your connection strings are never stored in plain text in the bot definition or session map — only the token reference is saved.