Secrets
Class: Secrets
Defined in: .tmp-stack/packages/stack/src/secrets/index.ts:169
The Secrets client provides a high-level API for managing encrypted secrets stored in CipherStash. Secrets are encrypted locally before being sent to the API, ensuring end-to-end encryption.
Constructors
Constructor
new Secrets(config): Secrets;
Defined in: .tmp-stack/packages/stack/src/secrets/index.ts:178
Parameters
config
Returns
Secrets
Methods
set()
set(name, value): Promise<Result<SetSecretResponse, SecretsError>>;
Defined in: .tmp-stack/packages/stack/src/secrets/index.ts:292
Store an encrypted secret in the vault. The value is encrypted locally before being sent to the API.
API: POST /api/secrets/set
Parameters
name
string
The name of the secret
value
string
The plaintext value to encrypt and store
Returns
Promise<Result<SetSecretResponse, SecretsError>>
A Result containing the API response or an error
get()
get(name): Promise<Result<string, SecretsError>>;
Defined in: .tmp-stack/packages/stack/src/secrets/index.ts:345
Retrieve and decrypt a secret from the vault. The secret is decrypted locally after retrieval.
API: GET /api/secrets/get?workspaceId=...&environment=...&name=...
Parameters
name
string
The name of the secret to retrieve
Returns
Promise<Result<string, SecretsError>>
A Result containing the decrypted value or an error
getMany()
getMany(names): Promise<Result<Record<string, string>, SecretsError>>;
Defined in: .tmp-stack/packages/stack/src/secrets/index.ts:413
Retrieve and decrypt many secrets from the vault. The secrets are decrypted locally after retrieval. This method triggers only a single network request to ZeroKMS.
API: GET /api/secrets/get-many?workspaceId=...&environment=...&names=name1,name2,...
Constraints:
- Minimum 2 secret names required
- Maximum 100 secret names per request
Parameters
names
string[]
The names of the secrets to retrieve (min 2, max 100)
Returns
Promise<Result<Record<string, string>, SecretsError>>
A Result containing an object mapping secret names to their decrypted values
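Added example (not part of the CipherStash code base): a wrapper that honours the getMany() limits above by de-duplicating names, splitting them into groups of at most 100, and falling back to get() when only one name is requested. The SecretsLike interface, the Result and Failure shapes, and the function names are assumptions made for illustration; the page does not show the real Result or SecretsError definitions.

```typescript
// Limits quoted from the getMany() constraints on this page.
const MIN_BATCH = 2;
const MAX_BATCH = 100;

// Stand-in types (assumptions): the real Result and SecretsError shapes are not shown on this page.
type Failure = { message: string };
type Result<T> = { data?: T; failure?: Failure };
interface SecretsLike {
  get(name: string): Promise<Result<string>>;
  getMany(names: string[]): Promise<Result<Record<string, string>>>;
}

// Split names into request-sized groups: de-duplicated, at most 100 each,
// and never a trailing group of one when an earlier group can lend a name.
function planBatches(names: string[]): string[][] {
  const unique = names.filter((n, i) => names.indexOf(n) === i);
  const batches: string[][] = [];
  for (let i = 0; i < unique.length; i += MAX_BATCH) {
    batches.push(unique.slice(i, i + MAX_BATCH));
  }
  const last = batches[batches.length - 1];
  if (batches.length > 1 && last.length < MIN_BATCH) {
    last.unshift(batches[batches.length - 2].pop() as string);
  }
  return batches;
}

// Fetch every name, using get() only when a single name is requested.
// Stops at the first failure so callers never act on a partial set of secrets.
async function fetchSecrets(client: SecretsLike, names: string[]): Promise<Result<Record<string, string>>> {
  const merged: Record<string, string> = {};
  for (const batch of planBatches(names)) {
    if (batch.length === 1) {
      const one = await client.get(batch[0]);
      if (one.failure || one.data === undefined) {
        return { failure: one.failure ?? { message: "no value returned" } };
      }
      merged[batch[0]] = one.data;
    } else {
      const many = await client.getMany(batch);
      if (many.failure || many.data === undefined) {
        return { failure: many.failure ?? { message: "no values returned" } };
      }
      Object.assign(merged, many.data);
    }
  }
  return { data: merged };
}
```

Each group costs one getMany() request, so 101 names become two requests of 99 and 2 names rather than a request of 100 followed by a rejected request of 1.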
list()
list(): Promise<Result<SecretMetadata[], SecretsError>>;
Defined in: .tmp-stack/packages/stack/src/secrets/index.ts:504
List all secrets in the environment. Only names and metadata are returned; values remain encrypted.
API: GET /api/secrets/list?workspaceId=...&environment=...
Returns
Promise<Result<SecretMetadata[], SecretsError>>
A Result containing the list of secrets or an error
delete()
delete(name): Promise<Result<DeleteSecretResponse, SecretsError>>;
Defined in: .tmp-stack/packages/stack/src/secrets/index.ts:534
Delete a secret from the vault.
API: POST /api/secrets/delete
Parameters
name
string
The name of the secret to delete
Returns
Promise<Result<DeleteSecretResponse, SecretsError>>
A Result containing the API response or an error