A secret in shape
The value is absent on every read. It is supplied onPUT and rotate, then disappears from the API surface.
Endpoints
List secret names and metadata. Set (create or overwrite) a secret value. Permanently delete a secret. Generate a new value, with a brief overlap window. Mint a short-lived proxy URL for runtime access.secrets:set is a distinct verb from secrets:write. Setting a value is a one-way write with no corresponding read; requiring the explicit scope makes least-privilege grants clearer.Rotation vs DELETE + PUT
Use rotation rather than a delete-and-recreate. Rotation runs an overlap window during which both the old and new values are accepted, so in-flight requests holding a reference to the old value do not fail. A DELETE + PUT pair has no overlap and is racy.Proxy URLs
A proxy URL is a short-lived endpoint your tenant runtime can call instead of holding a secret value. The platform resolves the value server-side at the moment the proxied request executes — the secret never appears in client-side code, browser network logs, or agent task definitions. Mint a proxy URL close to the moment you use it. Do not store or cache them — they expire quickly.How values are stored
Secret values are encrypted at rest under a workspace-specific data key. The data key itself is wrapped by a master key the platform rotates on a schedule, and every wrap/unwrap is logged with the requesting principal — that is what makes the audit trail truthful even when a value is read by a capability rather than a human. The store records a small amount of non-secret metadata alongside the encrypted blob: These metadata fields are returned on list and fetch alongsidename, created_at, and updated_at. The encrypted blob is never returned by any endpoint.
Rotation triggers
Rotation happens for three reasons. The endpoint shape is identical for all of them; only the trigger differs.Common errors
Related
Workspaces
Manage the workspaces secrets belong to.