Dynamiq
Deploy & Integrate

Variables

Configuration values and secrets for deployments — environment variables on Service Deployments, and where workflow Apps get their configuration instead.

Deployments need configuration that doesn't belong in code: API keys, feature flags, log levels. On Dynamiq, Service Deployments take environment variables — plain or secret — declared at deploy time. Workflow Apps don't use environment variables at all; their configuration flows through platform primitives instead. This page covers both.

Where configuration lives, by deployment type

Deployment typeConfiguration mechanism
Workflow AppPer-request input (the workflow's Input node fields), Connections for credentials, and Prompts for templated text. There is no environment-variable tab for workflow Apps.
Service DeploymentEnvironment variables (env) declared with each deployment — the rest of this page.

If you're tempted to put a provider API key in an environment variable for a workflow, use a Connection instead — secrets stay server-side, are encrypted at rest, and every node that needs them references the Connection by ID.

Declare variables on a Service Deployment

Environment variables are part of the deployment configuration you send to POST /v1/services/{service_id}/deploy. Each entry has a name, a value (both required), and an optional secret flag:

namestringrequired
Variable name as the process will see it (for example LOG_LEVEL).
valuestringrequired
Variable value. Always a string.
secretboolean
true stores the value in a Kubernetes Secret instead of the pod spec. Defaults to false.

The dynamiq CLI takes repeatable --env and --env-secret flags, each with a NAME VALUE pair:

dynamiq service deploy --id <service-id> \
  --source ./ \
  --env LOG_LEVEL info \
  --env FEATURE_FLAGS "reports,exports" \
  --env-secret OPENAI_API_KEY "$OPENAI_API_KEY" \
  --env-secret DATABASE_URL "$DATABASE_URL"

When deploying a prebuilt image, send the same configuration as JSON:

curl -X POST "https://api.getdynamiq.ai/v1/services/$SERVICE_ID/deploy" \
  -H "Authorization: Bearer $DYNAMIQ_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "image": "registry.example.com/qa-service:1.0.0",
    "resources": {
      "requests": {"cpu": "100m", "memory": "256Mi"},
      "limits": {"cpu": "200m", "memory": "512Mi"}
    },
    "env": [
      {"name": "LOG_LEVEL", "value": "info"},
      {"name": "FEATURE_FLAGS", "value": "reports,exports"},
      {"name": "OPENAI_API_KEY", "value": "'"$OPENAI_API_KEY"'", "secret": true},
      {"name": "DATABASE_URL", "value": "'"$DATABASE_URL"'", "secret": true}
    ]
  }'

Variables are per deployment: they're part of the deployment record, and changing a value means starting a new deployment with the updated env list. There is no separate variables-edit endpoint.

How secrets are stored

Plain and secret variables both reach your process as ordinary environment variables, but they travel differently:

  • Plain variables (secret omitted or false) are set directly on the container spec.
  • Secret variables ("secret": true) are written to a Kubernetes Secret object for the deployment and loaded into the container from there. They never appear in the pod's plain env list.

Your code reads both the same way:

import os

log_level = os.environ.get("LOG_LEVEL", "info")
openai_api_key = os.environ["OPENAI_API_KEY"]
database_url = os.environ["DATABASE_URL"]

Reserved platform variables

The platform injects two variables into every Service Deployment, delivered through the same secret mechanism:

NameValue
DYNAMIQ_SERVICE_IDThe ID of the service this container belongs to
DYNAMIQ_SERVICE_TOKENA platform-issued identity token for the service, valid for one year from deployment

These names are reserved — if you pass your own DYNAMIQ_SERVICE_ID or DYNAMIQ_SERVICE_TOKEN, the platform's values win and yours are ignored.

Good practices

  • Pass secrets from your own environment or CI secret store into --env-secret — never commit values into scripts.
  • Treat a deploy as the unit of change: rotating a secret is a redeploy with the new value, which also restarts the pods so the new value takes effect everywhere at once.
  • Keep workflow credentials in Connections, not in service variables, even when a Service Deployment and a workflow App cooperate — Connections are shared, auditable, and editable without redeploys.

Next steps

Service Deployments

Deploy custom containers — builds, resources, autoscaling, and endpoints.

CLI reference

Every dynamiq service command, including deploy flags.

Connections overview

The right home for workflow credentials and service configs.

Webhooks & Events

How deployed Apps push results to your systems — the async callback delivery contract, receiver requirements, and the event surfaces you can stream or poll.

Runtime Connection Overrides

How a deployed App resolves node Connections at run time — server-side credential resolution, and per-user substitution through connection requirements.

On this page

Where configuration lives, by deployment typeDeclare variables on a Service DeploymentHow secrets are storedReserved platform variablesGood practicesNext steps