Skip to main content
Secrets is a workspace-scoped encrypted store for sensitive values — third-party API keys, signing secrets, webhook tokens, anything you do not want to hardcode. The store is deliberately asymmetric: you can write and rotate values, but you can never read them back. List and fetch responses return names and metadata only.
Secret values are write-only. No endpoint returns a stored value. If you lose access to a secret, rotate it.

A secret in shape

The value is absent on every read. It is supplied on PUT and rotate, then disappears from the API surface.

Endpoints

List secret names and metadata. Set (create or overwrite) a secret value. Permanently delete a secret. Generate a new value, with a brief overlap window. Mint a short-lived proxy URL for runtime access.
secrets:set is a distinct verb from secrets:write. Setting a value is a one-way write with no corresponding read; requiring the explicit scope makes least-privilege grants clearer.

Rotation vs DELETE + PUT

Use rotation rather than a delete-and-recreate. Rotation runs an overlap window during which both the old and new values are accepted, so in-flight requests holding a reference to the old value do not fail. A DELETE + PUT pair has no overlap and is racy.

Proxy URLs

A proxy URL is a short-lived endpoint your tenant runtime can call instead of holding a secret value. The platform resolves the value server-side at the moment the proxied request executes — the secret never appears in client-side code, browser network logs, or agent task definitions. Mint a proxy URL close to the moment you use it. Do not store or cache them — they expire quickly.

How values are stored

Secret values are encrypted at rest under a workspace-specific data key. The data key itself is wrapped by a master key the platform rotates on a schedule, and every wrap/unwrap is logged with the requesting principal — that is what makes the audit trail truthful even when a value is read by a capability rather than a human. The store records a small amount of non-secret metadata alongside the encrypted blob: These metadata fields are returned on list and fetch alongside name, created_at, and updated_at. The encrypted blob is never returned by any endpoint.

Rotation triggers

Rotation happens for three reasons. The endpoint shape is identical for all of them; only the trigger differs.

Common errors

Workspaces

Manage the workspaces secrets belong to.