Engineering11 Documentation 🔥

Secrets API

Secure credential management with Google Cloud Secret Manager and Cloud KMS integration.

What It Does

The Secrets API provides a high-level interface for securely managing secrets and cryptographic signing keys in Google Cloud Platform. It wraps GCP Secret Manager for credential storage and Cloud KMS for asymmetric signing operations, with intelligent caching, automatic retries, and type-safe access patterns.

Key Capabilities

| Capability | Description |
|---|---|
| Secret Management | Store, retrieve, update, and delete secrets in GCP Secret Manager |
| Process Caching | Automatic in-memory caching for performance optimization |
| JSON Secret Support | Parse and type JSON secrets into TypeScript objects |
| Binary Data Support | Store and retrieve non-text data via buffering |
| Asymmetric Signing | RSA-2048 digital signatures with SHA-256 hashing |
| Key Management | Automatic key ring creation and key lifecycle management |
| Data Integrity | CRC32C checksums for signature validation |
| Retry Logic | Exponential backoff for resilient secret access |
| Auto Project Discovery | Multiple strategies to find the GCP project ID |
| Type Safety | Full TypeScript support with generic types |
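The Asymmetric Signing and Data Integrity rows deserve a concrete illustration of why the checksum matters. The following is an added example written for this page, not the Secrets API's own code: a locally generated RSA-2048 key stands in for the Cloud KMS key (an assumption; in the real service the private key never leaves KMS), signatures are PKCS#1 v1.5 over SHA-256, and the client refuses any signature whose CRC32C does not match the checksum returned beside it, raising the page's secrets/corrupted-request error. The CRC32C implementation and the helper names are this example's own.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// CRC32C (Castagnoli) lookup table for the reflected polynomial 0x82F63B78.
const CRC32C_TABLE: Uint32Array = (() => {
  const table = new Uint32Array(256);
  for (let i = 0; i < 256; i++) {
    let c = i;
    for (let k = 0; k < 8; k++) c = c & 1 ? (c >>> 1) ^ 0x82f63b78 : c >>> 1;
    table[i] = c >>> 0;
  }
  return table;
})();

// CRC32C of a byte array, returned as an unsigned 32-bit integer.
export function crc32c(data: Uint8Array): number {
  let crc = 0xffffffff;
  for (let i = 0; i < data.length; i++) {
    crc = CRC32C_TABLE[(crc ^ data[i]) & 0xff] ^ (crc >>> 8);
  }
  return (crc ^ 0xffffffff) >>> 0;
}

// Signing response shape: the signature plus the checksum the signer computed over it.
export interface AsymmetricSignResponse {
  signature: Buffer;
  signatureCrc32c: number;
}

// Stand-in for a Cloud KMS RSA-2048 / SHA-256 signing key (assumption: generated in
// process for the demo; the real key material stays inside KMS).
export class LocalSigningKey {
  private readonly privateKey: KeyObject;
  readonly publicKeyPem: string;

  constructor() {
    const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: "spki", format: "pem" }) as string;
  }

  // RSA PKCS#1 v1.5 signature over SHA-256(message), with CRC32C of the signature bytes.
  asymmetricSign(message: Buffer): AsymmetricSignResponse {
    const signature = sign("sha256", message, this.privateKey);
    return { signature, signatureCrc32c: crc32c(signature) };
  }
}

// True when the checksum sent with the signature matches the bytes actually received.
export function signatureIntact(resp: AsymmetricSignResponse): boolean {
  return crc32c(resp.signature) === resp.signatureCrc32c;
}

// Client-side wrapper: never hand out a signature that failed the integrity check.
export function signWithIntegrityCheck(key: LocalSigningKey, message: Buffer): Buffer {
  const resp = key.asymmetricSign(message);
  if (!signatureIntact(resp)) {
    throw new Error("secrets/corrupted-request: signature CRC32C mismatch");
  }
  return resp.signature;
}

// Verification with only the public key, as a relying party (e.g. a JWT consumer) would do.
export function verifySignature(publicKeyPem: string, message: Buffer, signature: Buffer): boolean {
  return verify("sha256", message, publicKeyPem, signature);
}
```

The checksum is not a security control against an attacker (it is trivially recomputable); its job is to catch truncation or corruption of the signature on its way back from the signing service, which would otherwise surface later as a confusing verification failure far from the cause.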

Configuration

Project ID Discovery

  • Automatic detection from multiple sources
  • Fallback chain for reliability
  • Manual override via constructor

Cache Configuration

  • Default: Enabled (process.env caching)
  • Disable: pass the skipCaching: true option
  • Per-secret cache control

Retry Configuration

  • Max attempts: 5
  • Exponential backoff
  • Configurable via constants
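To show how the three configuration areas above fit together with the JSON Secret Support capability, here is an added example written for this page rather than the library's own implementation. Project discovery walks a fallback chain (constructor override, then environment variables; the variable names GOOGLE_CLOUD_PROJECT and GCLOUD_PROJECT are an assumption, since the page does not list its sources), reads retry up to the page's 5 attempts with exponential backoff (the 100 ms base delay is assumed), and results are cached per process unless skipCaching is set. The backend fetcher and the flakyFetcher test double are constructed so the code runs offline; the cache is a Map here rather than process.env.

```typescript
// Per-secret cache control, mirroring the page's AccessSecretOptions (field name assumed).
export interface AccessSecretOptions {
  skipCaching?: boolean;
}

export type ProjectIdSource = () => string | undefined;

// Walk the fallback chain in order and return the first non-empty project ID.
export function discoverProjectId(sources: ProjectIdSource[]): string {
  for (const source of sources) {
    const id = source();
    if (id !== undefined && id.trim() !== "") return id.trim();
  }
  throw new Error("Unable to determine GCP project ID from any configured source");
}

// Default chain: explicit override first, then environment (variable names assumed).
export function defaultProjectIdSources(
  override: string | undefined,
  env: Record<string, string | undefined>,
): ProjectIdSource[] {
  return [() => override, () => env.GOOGLE_CLOUD_PROJECT, () => env.GCLOUD_PROJECT];
}

export interface RetryOptions {
  maxAttempts: number; // page default: 5
  baseDelayMs: number; // assumed
  sleep: (ms: number) => Promise<void>; // injectable so tests need not wait
}

export const DEFAULT_RETRY: RetryOptions = {
  maxAttempts: 5,
  baseDelayMs: 100,
  sleep: (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
};

// Delay after attempt number `attempt` (1-based): base * 2^(attempt-1) => 100, 200, 400, 800 ms...
export function backoffDelayMs(attempt: number, baseDelayMs: number): number {
  return baseDelayMs * 2 ** (attempt - 1);
}

// Run `op`, retrying on any failure with exponential backoff, up to maxAttempts total tries.
export async function withExponentialBackoff<T>(op: () => Promise<T>, opts: RetryOptions): Promise<T> {
  let lastError: unknown;
  for (let attempt = 1; attempt <= opts.maxAttempts; attempt++) {
    try {
      return await op();
    } catch (err) {
      lastError = err;
      if (attempt < opts.maxAttempts) await opts.sleep(backoffDelayMs(attempt, opts.baseDelayMs));
    }
  }
  throw lastError;
}

// Minimal secrets service; the fetcher is injected so no GCP credentials are needed to run it.
export class SecretsService {
  constructor(
    private readonly fetchLatest: (name: string) => Promise<string>,
    private readonly retry: RetryOptions = DEFAULT_RETRY,
    private readonly cache: Map<string, string> = new Map(),
  ) {}

  async accessSecret(name: string, options: AccessSecretOptions = {}): Promise<string> {
    if (!options.skipCaching) {
      const hit = this.cache.get(name);
      if (hit !== undefined) return hit;
    }
    const value = await withExponentialBackoff(() => this.fetchLatest(name), this.retry);
    if (!options.skipCaching) this.cache.set(name, value);
    return value;
  }

  // Parse a JSON secret and validate its shape with a type guard before handing it out.
  async accessJsonSecret<T>(name: string, isT: (v: unknown) => v is T, options: AccessSecretOptions = {}): Promise<T> {
    const parsed: unknown = JSON.parse(await this.accessSecret(name, options));
    if (!isT(parsed)) throw new Error(`Secret ${name} does not have the expected JSON shape`);
    return parsed;
  }
}

// Constructed test double: fails `failures` times with a transient error, then answers.
export function flakyFetcher(failures: number): { fetch: (name: string) => Promise<string>; calls: () => number } {
  let calls = 0;
  return {
    fetch: async (name) => {
      calls++;
      if (calls <= failures) throw new Error(`UNAVAILABLE: transient error fetching ${name}`);
      return JSON.stringify({ user: "svc-billing", password: "constructed-sample-not-real" });
    },
    calls: () => calls,
  };
}

export interface DbCredentials { user: string; password: string; }
export function isDbCredentials(v: unknown): v is DbCredentials {
  const o = v as Record<string, unknown> | null;
  return typeof o === "object" && o !== null && typeof o.user === "string" && typeof o.password === "string";
}
```

Two design points worth keeping when adapting this: retry only transient errors in production (permission denied or a missing secret will not improve with backoff, and five retries just delay the failure), and be deliberate about where the cache lives, since anything placed in process.env is inherited by every child process the service spawns, which is exactly the case skipCaching exists for.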

Exports

Services

  • SecretsService - Secret management
  • SigningKeyManager - Key management and signing

Models

  • ISigningKey - Public key interface
  • IEncryptionKey - Key reference interface
  • ISigningKeyManagerOptions - Manager configuration

Types

  • AccessSecretOptions - Secret access options

Constants

  • Error types (secrets/corrupted-request)

Common Use Cases

  • API credentials: Store API keys, tokens, passwords securely
  • Database credentials: Manage connection strings and passwords
  • Certificate storage: Store TLS certificates and private keys
  • JWT signing: Create and manage signing keys for JWTs
  • Configuration secrets: Store environment-specific configs
  • Encryption keys: Manage encryption key material
  • Third-party integrations: Store OAuth tokens and secrets
  • Audit trail signing: Digital signatures for non-repudiation

Roadmap

Multi-Cloud Support

This API currently supports Google Cloud Platform. Future versions will add support for additional cloud providers and container-based deployment options, enabling greater flexibility in infrastructure choices.

What Customers Don’t Have to Build

  • GCP Secret Manager integration
  • Process-level secret caching
  • Project ID discovery logic
  • JSON secret parsing
  • Binary data handling
  • Exponential backoff retry
  • Secret lifecycle management (CRUD)
  • RSA asymmetric signing
  • Cloud KMS integration
  • CRC32C checksum validation
  • Key ring management
  • Automatic key creation
  • Public key retrieval
  • SHA-256 hashing for signatures
  • Error classification and wrapping
  • Type-safe secret access
  • Version management
  • Graceful error handling