Globals & Vault

Global Variables

Global variables are workspace-wide variables available in all collections and all requests. They have the lowest priority in the variable resolution order — environment and collection variables override them.

When to use globals

  • Shared API keys used across multiple unrelated collections
  • Common configuration that applies to everything (e.g., appVersion)
  • Variables set by scripts that need to be read by requests in different collections

Managing Globals

Click the Globals icon (grid icon) in the sidebar to open the Globals panel.

The globals table has:

| Column | Description |
| --- | --- |
|  | Enable/disable the variable |
| Key | Variable name |
| Value | Current value (masked if sensitive) |
| 🔒 | Mark as sensitive — value is masked with •••••• |
| Shared Value | Optional initial/default value |
| Description | Optional notes about the variable |

Sensitive Variables

Click the lock icon on any row to mark a variable as sensitive. The value is displayed as •••••• in the UI. Click the eye icon to reveal it temporarily.

When a variable is marked sensitive:

  • The Value column masks the input
  • The Shared Value column also masks the input
  • Values are never logged or included in error reports

Shared Value

The Shared Value is an optional default/initial value — useful when the actual value is a personal secret but you want to document what kind of value goes there.

If you hide the Shared Value column but a shared value exists, an Edited badge appears on the row. Click it to update, reset, or remove the shared value.


Vault

The Vault is a dedicated store for sensitive secrets — API keys, passwords, tokens — that you use across your workspace.

Vault variables work the same as global variables but are always treated as sensitive (masked by default).

Access the Vault from the Vault icon in the sidebar.

Vault vs Globals

|  | Globals | Vault |
| --- | --- | --- |
| Scope | Workspace-wide | Workspace-wide |
| Sensitivity | Optional (per variable) | Always sensitive |
| Purpose | General variables | Secrets and credentials |

Permission Prompt

When an AI agent (via MCP) attempts to read, write, or delete a vault secret, Rostyman shows a permission prompt — the same dialog you see when a request accesses the vault. You must approve each access. The AI cannot silently read or modify vault secrets without your confirmation.

Vault secrets are encrypted with AES-256-GCM and the encryption key is stored in your OS keychain (Keychain on macOS, Credential Manager on Windows, libsecret on Linux). They are never synced to any cloud service.

Using Vault Secrets in Requests

Reference a vault secret the same way as any variable:

{{myApiKey}}

Rostyman resolves the value at send time without exposing it in the request editor or history.
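
The sketch below is an added example, not Rostyman's own code. It shows how a client can resolve {{name}} placeholders at send time with globals as the lowest-priority scope, while building the history copy from the template so that sensitive values are masked rather than scrubbed afterwards. The scope objects, the function names, the sample values, and the relative order of collection, environment and vault are assumptions made for illustration.

```javascript
// Added illustration, not Rostyman code. Only "globals are lowest priority"
// comes from the page; the rest of the scope order is assumed.
const MASK = "••••••";

// Scopes are listed from highest to lowest priority; the first hit wins.
function lookup(name, scopes) {
  for (const scope of scopes) {
    if (Object.prototype.hasOwnProperty.call(scope.vars, name)) {
      return scope.vars[name];
    }
  }
  return undefined;
}

// Resolve {{name}} placeholders. Returns the text to send, a masked copy that
// is safe for history or logs, and the names that could not be resolved.
function resolveTemplate(template, scopes) {
  const pattern = /\{\{\s*([\w.-]+)\s*\}\}/g;
  const unresolved = [];
  // Masking is decided per placeholder while rendering, so a secret never has
  // to be found and stripped out of an already-resolved string.
  const render = (masked) =>
    template.replace(pattern, (match, name) => {
      const entry = lookup(name, scopes);
      if (entry === undefined) {
        if (!masked) unresolved.push(name);
        return match; // leave unknown placeholders visible
      }
      return masked && entry.sensitive ? MASK : String(entry.value);
    });
  return { sent: render(false), history: render(true), unresolved };
}

// Constructed sample data (hypothetical names and values).
const scopes = [
  { name: "collection", vars: { baseUrl: { value: "https://api.example.test" } } },
  { name: "environment", vars: { appVersion: { value: "2.1.0" } } },
  { name: "vault", vars: { myApiKey: { value: "sk-constructed-123", sensitive: true } } },
  { name: "globals", vars: {
      appVersion: { value: "1.0.0" },
      baseUrl: { value: "https://global.example.test" } } },
];

const result = resolveTemplate(
  "GET {{baseUrl}}/v{{appVersion}}/items?key={{myApiKey}}&t={{missing}}", scopes);
console.log(result.sent);
console.log(result.history);
```

Unresolved placeholders are returned separately so a caller can refuse to send a request that still contains a literal {{name}}.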