Secrets store sensitive values such as API keys, tokens, passwords, and configuration values. They are the most commonly used resource in Secryn and are designed to be secure, versioned, and easy to manage across teams and environments.
Every secret belongs to a vault, and access to a secret is always evaluated against the project, vault, and role-based access rules.
Secrets typically store:
Secrets are treated as sensitive data at all times and are never exposed publicly.
A secret consists of:
The name is used to reference the secret programmatically, while the value is securely stored and versioned.
Every time a secret is updated, Secryn automatically creates a new version. All previous versions are preserved and can be reviewed or restored at any time.
Versioning allows you to:
Restoring a previous version creates a new active version rather than deleting history.
By default, secret values are masked in the web interface to reduce the risk of accidental exposure. Authorized users can choose to reveal values when needed. Read-only users can view secret metadata but cannot modify values.
Secrets can have optional expiration dates. When configured, Secryn monitors expiration and sends notifications to administrators, project managers, and the user who created the secret. Expiration reminders help prevent outages caused by expired credentials.
Secrets can be accessed via:
API consumers can fetch full secret values or request only names and IDs to minimize exposure.
Secrets cannot be made public. Unlike keys and certificates, secrets are always protected behind vault access controls and require authentication.
Restricted vault rules apply on top of role permissions.
Secrets form the core of Secryn’s value. Combined with versioning, access control, and audit logging, they provide a secure and reliable way to manage sensitive configuration data across your organization.