Overview

Variable substitution is a platform feature that lets you reference secrets from a connected secrets manager instead of pasting raw credentials into Pwnbook. Anywhere the platform accepts a credential or configuration value, you can write a {{provider.name}} reference:
{{bw.semgrep_api_token}}
{{ssm.prod_api_key}}
{{op.checkmarx_client_secret}}
Pwnbook resolves the reference at runtime by fetching the value from the appropriate secrets manager. The raw secret is never stored in Pwnbook’s database — only the reference string is.
Variable substitution requires at least one secrets manager to be connected to your organization. If no secrets manager is configured, references will fail to resolve and the operation will return an error.

Supported providers

| Variable syntax | Provider | Which connection |
| --- | --- | --- |
| {{bw.my-secret}} | Bitwarden Secrets Manager | 1st configured account |
| {{bw1.my-secret}} | Bitwarden Secrets Manager | Same as bw |
| {{bw2.my-secret}} | Bitwarden Secrets Manager | 2nd configured account |
| {{ssm.my-secret}} | AWS Secrets Manager | 1st configured account |
| {{ssm1.my-secret}} | AWS Secrets Manager | Same as ssm |
| {{ssm2.my-secret}} | AWS Secrets Manager | 2nd configured account |
| {{op.my-item}} | 1Password | 1st configured account |
| {{op1.my-item}} | 1Password | Same as op |
| {{op2.my-item}} | 1Password | 2nd configured account |

The number suffix selects between multiple connected accounts of the same provider. A reference with no suffix and one with the suffix 1 are identical: both refer to the oldest configured connection. Additional providers will be added here as they become available.

Where variable substitution works

Integration configuration fields

When connecting an integration (Semgrep, Checkmarx, Snyk, etc.), enter a reference instead of a raw token:
{{bw.semgrep_api_token}}
{{ssm.checkmarx_client_secret}}
Pwnbook resolves the value each time it calls the integration. Rotating the secret in your secrets manager requires no changes in Pwnbook.

API Tester — headers, query parameters, and body

Use references anywhere in an HTTP request:
Authorization: Bearer {{bw.target_api_key}}
X-API-Key: {{ssm.internal_service_token}}
{
  "api_key": "{{bw2.staging_api_key}}"
}
References are resolved before the request is sent. The resolved value never appears in execution history — only the {{...}} reference is stored.

Script templates and packet templates

Reference secrets in community scripts and packet templates to avoid hardcoding credentials in shared content:
curl -H "Authorization: Bearer {{ssm.burp_api_token}}" https://target.example.com/api

Multiple accounts of the same provider

If your organization has connected more than one account of the same provider — for example, a production AWS account and a staging AWS account — use the numeric suffix to target the right one:
| Syntax | Resolves from |
| --- | --- |
| {{bw.secret}} or {{bw1.secret}} | Oldest configured Bitwarden account |
| {{bw2.secret}} | 2nd configured Bitwarden account |
| {{ssm.secret}} or {{ssm1.secret}} | Oldest configured AWS Secrets Manager account |
| {{ssm2.secret}} | 2nd configured AWS Secrets Manager account |
| {{op.item}} or {{op1.item}} | Oldest configured 1Password account |
| {{op2.item}} | 2nd configured 1Password account |

The numbering follows the order accounts were connected in Organization Settings → Marketplace.

How resolution works

When Pwnbook encounters a {{provider.name}} reference:
  1. It identifies the provider and target account from the prefix.
  2. It fetches the secret value from that provider’s API using the stored credentials.
  3. The resolved value is substituted in-memory for that operation only.
  4. The resolved value is never logged or persisted — only the original reference string is stored.
If a reference cannot be resolved — the secret doesn’t exist, no matching secrets manager is connected, credentials are revoked, or a network error occurs — Pwnbook returns an error rather than proceeding with an unresolved placeholder.
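
The resolution steps above, sketched as an added example (this is not Pwnbook's own code). The reference grammar is inferred from the examples on this page, the function names are hypothetical, and constructed in-memory dictionaries stand in for the provider APIs. It shows the account suffix mapping, fail-closed handling of any unresolved reference, and a history that keeps only the reference string.

```python
import re

# Assumed grammar, inferred from the examples on this page: {{<provider>[n].<name>}}
ANY_REF = re.compile(r"\{\{(.*?)\}\}")
REF_BODY = re.compile(r"(bw|ssm|op)([1-9]\d*)?\.([A-Za-z0-9_-]+)")

# Constructed stand-in for connected accounts, oldest connection first per provider.
CONNECTIONS = {
    "bw": [{"target_api_key": "bw-prod-EXAMPLE"}, {"staging_api_key": "bw-stg-EXAMPLE"}],
    "ssm": [{"internal_service_token": "ssm-EXAMPLE"}],
}


class ResolutionError(Exception):
    """Raised instead of sending a request with an unresolved placeholder."""


def parse_ref(body):
    """Split 'bw2.name' into (provider, zero-based account index, secret name)."""
    m = REF_BODY.fullmatch(body)
    if not m:
        raise ResolutionError("malformed or unsupported reference: {{" + body + "}}")
    provider, suffix, name = m.groups()
    return provider, int(suffix or 1) - 1, name  # no suffix and 1 are the same account


def resolve(template, connections):
    """Return template with every reference replaced, or raise; never a partial result."""
    def substitute(match):
        provider, index, name = parse_ref(match.group(1))
        accounts = connections.get(provider, [])
        if index >= len(accounts):
            raise ResolutionError(f"no {provider} connection #{index + 1} is configured")
        if name not in accounts[index]:
            raise ResolutionError(f"secret not found for {match.group(0)}")
        return accounts[index][name]  # value lives only in the returned string
    return ANY_REF.sub(substitute, template)


def run_operation(template, connections, history):
    """Resolve for one operation; history keeps the reference string, not the value."""
    resolved = resolve(template, connections)
    history.append(template)
    return resolved
```

Error messages here carry only the reference text, so a failed lookup cannot leak a secret value into logs.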

Setting up a secrets manager

Variable substitution only works once at least one secrets manager is connected. See the relevant integration guide: