Secret store

Secrets written to a secret store are encrypted in transit and at rest. Secret store entries are write-only and plaintext secret values cannot be retrieved via the API. The plaintext values are only available to Compute services during their request processing.

A secret store is a persistent, globally distributed store for secrets accessible to Compute services during request processing.

Data model

name (string): A human-readable name for the store. The value must contain only letters, numbers, dashes (-), underscores (_), or periods (.).
created_at (string): Date and time in ISO 8601 format. Read-only.
id (string): ID of the store.

Client key

A Base64-encoded X25519 public key.

client_key (string): A Base64-encoded X25519 public key that can be used with a libsodium-compatible sealed box to encrypt secrets before upload.
expires_at (string): Date and time in ISO 8601 format. Read-only.
signature (string): A Base64-encoded signature of the client key. The signature is generated using the signing key and must be verified before using the client key.

Signing key

Used to verify signatures of client keys.

signing_key (string): A Base64-encoded Ed25519 public key that can be used to verify signatures of client keys.

Endpoints

Get all secret stores

GET /resources/stores/secret

Create new secret store

POST /resources/stores/secret

Get secret store by ID

GET /resources/stores/secret/store_id

Delete secret store

DELETE /resources/stores/secret/store_id

Create new client key

POST /resources/stores/secret/client-key

Get public key

GET /resources/stores/secret/signing-key