Secrets

Manage app secrets via API

Secrets are encrypted environment variables that can be used in your app's spicepod configuration. They are stored securely and never exposed in plain text through the API.

List Secrets

GET https://api.spice.ai/v1/apps/{appId}/secrets

Returns a list of secrets for the specified app. Secret values are always masked.

Required scope: secrets:read

Path Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| appId | integer | The app ID |

Response

{
  "secrets": [
    {
      "id": 789,
      "name": "DATABASE_URL",
      "value": "**********",
      "created_at": "2024-01-15T10:00:00.000Z",
      "updated_at": "2024-01-15T10:00:00.000Z"
    },
    {
      "id": 790,
      "name": "API_KEY",
      "value": "**********",
      "created_at": "2024-01-15T11:00:00.000Z",
      "updated_at": "2024-01-15T11:00:00.000Z"
    }
  ]
}

Response Fields:

| Field | Type | Description |
| --- | --- | --- |
| id | integer | Unique secret identifier |
| name | string | Secret name (environment variable name) |
| value | string | Always masked with asterisks |
| created_at | string | ISO 8601 timestamp when secret was created |
| updated_at | string | ISO 8601 timestamp when secret was last updated |

Example

Get Secret

GET https://api.spice.ai/v1/apps/{appId}/secrets/{secretName}

Returns a specific secret by name. The value is always masked.

Required scope: secrets:read

Path Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| appId | integer | The app ID |
| secretName | string | The secret name |

Response

Example

Create or Update Secret

POST https://api.spice.ai/v1/apps/{appId}/secrets

Creates a new secret or updates an existing one with the same name. This is an upsert operation.

Required scope: secrets:write

Path Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| appId | integer | The app ID |

Request Body

Request Fields:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Secret name (must start with letter or underscore, alphanumeric and underscores only) |
| value | string | Yes | Secret value (will be encrypted) |

Response

Returns the created or updated secret with the value masked.

Examples

Create a database connection string:

Create an API key:

Update an existing secret:

Python:

Node.js:

Delete Secret

DELETE https://api.spice.ai/v1/apps/{appId}/secrets/{secretName}

Deletes a secret by name.

Required scope: secrets:write

Path Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| appId | integer | The app ID |
| secretName | string | The secret name |

Response

Secret deleted successfully. No response body.

Example

Using Secrets in Spicepods

Secrets are automatically available as environment variables in your Spice runtime. Reference them using the standard ${} or env: syntax:

Example Spicepod with Secrets

Secret Naming Conventions

Valid secret names:

  • Must start with a letter (a-z, A-Z) or underscore (_)

  • Can contain letters, numbers, and underscores

  • Typically use UPPER_SNAKE_CASE for environment variables

Valid examples:

  • DATABASE_URL

  • AWS_ACCESS_KEY_ID

  • _internal_api_key

  • stripe_api_key_v2

Invalid examples:

  • 123-invalid (starts with number)

  • my-secret (contains hyphen)

  • api.key (contains dot)
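The naming rules above can be enforced client-side before any secret is submitted. The following is an added example, not code from the Spice.ai documentation: it validates names, builds the upsert requests for POST /v1/apps/{appId}/secrets without sending them, and checks that a List Secrets response is fully masked. The function names are hypothetical, and the authentication header is left out because this page does not show it.

```python
import json
import re
import urllib.request

API_BASE = "https://api.spice.ai/v1"
# Naming rule from this page: first character is a letter or underscore,
# followed by letters, digits or underscores only.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def invalid_reason(name):
    """Return None for a valid secret name, otherwise a short reason."""
    if NAME_RE.fullmatch(name):  # fullmatch also rejects a trailing newline
        return None
    if not re.match(r"[A-Za-z_]", name):
        return "must start with a letter or underscore"
    bad = sorted(set(re.findall(r"[^A-Za-z0-9_]", name)))
    return "disallowed characters: " + " ".join(repr(c) for c in bad)


def build_upserts(app_id, secrets):
    """Validate every name, then build one POST per secret (nothing is sent)."""
    errors = {n: r for n in secrets if (r := invalid_reason(n))}
    if errors:
        # The error carries names and reasons only, never secret values.
        raise ValueError(f"invalid secret names: {errors}")
    url = f"{API_BASE}/apps/{int(app_id)}/secrets"
    return [
        urllib.request.Request(
            url,
            data=json.dumps({"name": n, "value": v}).encode(),
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        for n, v in secrets.items()
    ]


def unmasked_names(response_body):
    """Names in a List Secrets response whose value is not all asterisks."""
    return [s["name"] for s in response_body["secrets"]
            if set(s["value"]) != {"*"}]


if __name__ == "__main__":
    # Constructed sample value, not a real credential.
    for req in build_upserts(123, {"DATABASE_URL": "postgres://example.invalid/db"}):
        print(req.get_method(), req.full_url, json.loads(req.data)["name"])
```
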

Security Best Practices

Secret Management

  1. Rotate Regularly - Update secrets periodically, especially for production apps

  2. Least Privilege - Only grant secrets:write scope to trusted automation

  3. Never Log - Ensure secrets are not logged or printed in your application

  4. Audit Access - Monitor who creates/updates secrets using the Management API

Storage and Transmission

  • Secrets are encrypted at rest in the database using AES-256

  • Secrets are encrypted in transit using TLS 1.3

  • Secrets are never returned in plain text through the API

  • Secret values are only available to the Spice runtime

Development vs Production

Common Secrets

Cloud Providers

AWS:

Azure:

GCP:

Databases

PostgreSQL:

MySQL:

AI/ML Services

OpenAI:

Anthropic:

Bulk Operations

Bulk create secrets:

Terraform

Use the spiceai_secret resource to manage secrets. See Terraform Provider for full documentation.
