Skip to main content

Cron Job Variable

Cron Job Variables store configuration values and secrets that your automation scripts need at runtime. Variables are available as env.KEY and secrets as secrets.KEY within your cron job code.

At a Glance

  • Two types: variable (plain text) and secret (encrypted)
  • Keys must be uppercase with underscores (e.g., API_KEY, WEBHOOK_URL)
  • Secrets are encrypted at rest and masked in UI
  • Scoped to individual cron jobs
  • Maximum 10KB per value

Data Shape

// apps/azalt/src/server/db/types/cron-job.ts (simplified)
interface CronJobVariable {
  id: string;
  cronJobId: string;
  key: string;              // Uppercase letters, numbers, underscores
  value: string;            // Plain or encrypted value
  type: "variable" | "secret";
  isEncrypted: boolean;     // True for secrets
}

Variable Types

TypeStorageDisplayAccess in CodeUse Case
variablePlain textVisibleenv.KEYURLs, configuration, non-sensitive data
secretEncryptedMasked (****)secrets.KEYAPI keys, tokens, passwords

Key Naming Rules

Variable keys must follow these rules:
  • Start with an uppercase letter (A-Z)
  • Contain only uppercase letters, numbers, and underscores
  • Examples: API_KEY, WEBHOOK_URL, MAX_RETRIES, S3_BUCKET_NAME
// Valid keys
env.API_URL           // Configuration URL
env.MAX_RETRIES       // Numeric configuration
secrets.API_KEY       // API authentication
secrets.DATABASE_URL  // Connection string

// Invalid keys (will be rejected)
env.apiKey           // Lowercase not allowed
env.api-key          // Hyphens not allowed
env.2FA_SECRET       // Cannot start with number

Usage in Cron Job Code

// Access environment variables
const apiUrl = env.API_URL;
const maxRetries = parseInt(env.MAX_RETRIES || '3');

// Access secrets (automatically decrypted at runtime)
const apiKey = secrets.API_KEY;
const webhookSecret = secrets.WEBHOOK_SECRET;

// Use in API calls
const response = await fetch(apiUrl, {
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'X-Webhook-Secret': webhookSecret
  }
});

// Use in email notifications
await email.send({
  to: env.ADMIN_EMAIL,
  subject: 'Job Complete',
  body: `Processed data from ${apiUrl}`
});

Security & Permissions

  • Create/Update/Delete: Owner role required (same as parent cron job)
  • View: Organization members can see variable keys and types
  • Secret Values: Never exposed in API responses (always masked)
  • Encryption: Secrets encrypted using organization’s encryption key
  • Decryption: Only occurs at runtime within the sandbox

API Notes

  • cronJobVariable.list: Returns variables with masked secret values
  • cronJobVariable.create: Creates new variable (encrypts if type is “secret”)
  • cronJobVariable.update: Updates value (re-encrypts secrets)
  • cronJobVariable.delete: Removes variable from job

Best Practices

  1. Use secrets for sensitive data: API keys, tokens, passwords should always be secrets
  2. Use variables for configuration: URLs, feature flags, thresholds can be variables
  3. Descriptive naming: Use clear names like SLACK_WEBHOOK_URL not URL1
  4. Document purpose: Add comments in your cron job code explaining each variable
  5. Rotate secrets regularly: Update API keys and tokens periodically
  • CronJob - Parent scheduled automation job
  • CronJobExecution - Execution history and logs