Concepts

Public URLs

Expose keys and certificates via controlled unauthenticated links.

Secryn supports Public URLs for keys and certificates only, allowing controlled, unauthenticated access to specific cryptographic resources without requiring project or vault permissions. Public URLs are disabled by default and must be explicitly enabled per resource.

What Is a Public URL?

A Public URL is an unguessable, read-only link scoped to a single resource. Anyone with the link can retrieve the resource without authenticating. Public URLs bypass project and vault access checks, never allow modification, and can be revoked instantly.

Supported Resources

  • Keys
  • Certificates

Secrets are never exposed via public URLs.

Public Keys

“Public” refers to visibility, not cryptographic key properties. Public key URLs expose the stored key material exactly as configured, require no vault context, and are suited for signing or verification workflows. Keys remain immutable, and enabling public visibility does not change how they are stored.

Public Certificates

Certificate URLs expose the active certificate chain for external verification. The link always returns the currently active certificate; when a certificate is rotated, the URL reflects the new version. Disabled or expired certificates stop resolving.
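A consumer-side check for the rotation and revocation behaviour described above, as an added example that is not Secryn code. It assumes the Public URL returns a PEM chain with HTTP 200 and that a link which has stopped resolving yields a non-200 response; the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import hmac
import ssl
from typing import NamedTuple, Optional

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


class CertCheck(NamedTuple):
    state: str                  # first_seen | unchanged | rotated | unavailable
    fingerprint: Optional[str]  # SHA-256 of the leaf certificate, hex


def leaf_fingerprint(pem_chain: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in a PEM chain."""
    start = pem_chain.index(BEGIN)
    stop = pem_chain.index(END, start) + len(END)
    der = ssl.PEM_cert_to_DER_cert(pem_chain[start:stop])
    return hashlib.sha256(der).hexdigest()


def check_public_cert(status: int, body: str, known: Optional[str]) -> CertCheck:
    """Classify one fetch of a certificate Public URL against the last known leaf."""
    # Assumption: a revoked, disabled or expired resource shows up as a non-200
    # response. Fail closed instead of falling back to a cached certificate.
    if status != 200:
        return CertCheck("unavailable", None)
    try:
        fp = leaf_fingerprint(body)
    except ValueError:  # no PEM block in the body, or invalid base64 inside it
        return CertCheck("unavailable", None)
    if known is None:
        return CertCheck("first_seen", fp)
    if hmac.compare_digest(fp, known):
        return CertCheck("unchanged", fp)
    # The link follows rotation, so a new leaf is expected at some point; validate
    # the new chain against your own trust anchors before replacing the old one.
    return CertCheck("rotated", fp)


def constructed_pem(label: bytes) -> str:
    """Constructed placeholder (not a real certificate) wrapped in PEM armor."""
    return f"{BEGIN}\n{base64.b64encode(label).decode()}\n{END}\n"


if __name__ == "__main__":
    old, new = constructed_pem(b"leaf-v1"), constructed_pem(b"leaf-v2")
    first = check_public_cert(200, old, None)
    print(first.state, check_public_cert(200, new, first.fingerprint).state,
          check_public_cert(404, "", first.fingerprint).state)
```

Logging the `rotated` and `unavailable` states on the consumer side gives a record that can be compared with the audit log entries for the same link.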

Security Considerations

Treat public URLs as sensitive access links:

  • share only with trusted parties
  • revoke immediately if exposure is suspected
  • avoid enabling public access unless required
  • use lifecycle controls and expiration to reduce risk

All access via public URLs is captured in audit logs.

Revoking Public Access

Disable the Public URL toggle, disable the resource, or delete the resource to revoke access. Revocation takes effect immediately.

When to Use Public URLs

  • distributing public keys to external systems
  • exposing certificates for TLS verification
  • integrations requiring read-only access without user accounts
  • automation workflows where vault context is unnecessary

For sensitive scenarios, prefer standard vault-based permissions instead.