Managing Environment Variables and Secrets

Synthetic monitoring often requires credentials to test authenticated user flows—login forms, API endpoints, payment pages. supaguard's Organization Variables let you store sensitive values securely and inject them into your scripts at runtime.

Why Use Environment Variables?

Hardcoding credentials in monitoring scripts is a security risk:

// ❌ Bad — credentials exposed in the script
await page.getByLabel("Email").fill("admin@company.com");
await page.getByLabel("Password").fill("P@ssw0rd123!");

// ✅ Good — credentials injected securely at runtime
await page.getByLabel("Email").fill(process.env.TEST_USER_EMAIL!);
await page.getByLabel("Password").fill(process.env.TEST_USER_PASSWORD!);

Environment variables are:

• Encrypted at rest — AES-256 encryption
• Never logged — Automatically scrubbed from traces and logs
• Never visible — Cannot be viewed after creation (only updated or deleted)
• Injected at runtime — Available as process.env.* in your scripts

Setting Up Variables

Step 1: Navigate to Settings

1. Open your Organization Settings
2. Go to the Variables tab
3. Click Add Variable

Step 2: Create Variables

[!IMPORTANT] Variable keys must be uppercase with underscores (e.g., API_TOKEN, TEST_USER_PASSWORD). This follows the standard process.env convention.

Step 3: Use in Scripts

Access variables in your Playwright scripts using process.env:

import { test, expect } from "@playwright/test";

test("authenticated dashboard access", async ({ page }) => {
  await page.goto("https://app.example.com/login");

  // Credentials injected from Organization Variables
  await page.getByLabel("Email").fill(process.env.TEST_USER_EMAIL!);
  await page.getByLabel("Password").fill(process.env.TEST_USER_PASSWORD!);
  await page.getByRole("button", { name: "Sign In" }).click();

  await expect(page.getByText("Dashboard")).toBeVisible();
});

Common Use Cases

Login Credentials

await page.getByLabel("Email").fill(process.env.TEST_USER_EMAIL!);
await page.getByLabel("Password").fill(process.env.TEST_USER_PASSWORD!);

API Keys

const response = await request.get("/api/v1/status", {
  headers: {
    Authorization: `Bearer ${process.env.API_MONITOR_TOKEN}`,
  },
});

Base URLs

Use variables to switch between environments:

const baseUrl = process.env.MONITOR_BASE_URL || "https://app.example.com";
await page.goto(`${baseUrl}/dashboard`);

Feature Flags

if (process.env.ENABLE_CHECKOUT_TEST === "true") {
  await page.getByRole("button", { name: "Checkout" }).click();
}

Best Practices

1. Use a dedicated test account — Create a specific user for monitoring (e.g., synthetic-monitor@company.com) and exclude it from marketing emails and analytics
2. Rotate credentials regularly — Update variables when passwords change. Set a calendar reminder
3. Use descriptive key names — TEST_USER_EMAIL is better than EMAIL or USER
4. Disable MFA on test accounts — MFA codes change every 30 seconds and break automated flows
5. Minimize scope — Give test accounts the minimum permissions needed for the monitored flow

[!CAUTION] Never store production admin credentials in monitoring variables. Use a dedicated test account with limited permissions. If the test account is compromised, the impact should be minimal.

Security

Organization Variables are protected by multiple security layers:

• Encrypted with AES-256 at rest, with a per-organization encryption key
• Automatically scrubbed from video recordings, network traces, and logs via Dynamic Secret Scrubbing
• Write-only after creation — Values cannot be read back, only updated or deleted
• Scoped to organization — Variables are never shared between organizations

Next Steps

• Writing Playwright Tests — Use variables in your scripts
• CI/CD Integration — Environment-specific setups
• Security & Privacy — How we protect your data
• Multi-Environment Monitoring — Staging vs production patterns