Documentation

Overview

SecretVault is an AWS Secrets Manager-compatible secret store built on Cloudflare Workers + D1. Secrets are encrypted with AES-GCM before storage. Every secret maintains a version history with AWSCURRENT and AWSPREVIOUS stages, mirroring AWS Secrets Manager behavior.

  • Secret names support path-based hierarchy: myapp/prod/db-password
  • Each secret can carry arbitrary key-value tags
  • All access is recorded in the audit log
  • SecretString supports plain text or JSON blobs

Authentication

All API requests require the X-API-Key header.

    curl https://secret-manager.max-4f3.workers.dev/api/secrets \
      -H "X-API-Key: YOUR_KEY"

API Reference

    Method  Path                                    Description
    GET     /api/secrets                            List all secrets (metadata)
    POST    /api/secrets                            Create secret
    GET     /api/secrets/:name/metadata             Describe secret
    GET     /api/secrets/:name/value                Get current value (AWSCURRENT)
    GET     /api/secrets/:name/value?versionId=…    Get specific version
    PUT     /api/secrets/:name/value                Put new value → new version
    PATCH   /api/secrets/:name                      Update description/tags
    GET     /api/secrets/:name/versions             List all versions
    DELETE  /api/secrets/:name                      Delete secret + all versions
    GET     /api/audit                              Last 100 audit events

Create Secret

    POST /api/secrets
    {
      "Name": "myapp/prod/database",
      "SecretString": "postgresql://user:pass@host/db",
      "Description": "Production DB connection string",
      "Tags": { "app": "myapp", "env": "prod" }
    }

Put New Value (rotation)

    PUT /api/secrets/myapp%2Fprod%2Fdatabase/value
    { "SecretString": "new-value" }

    # Response includes new VersionId
    # Old AWSCURRENT becomes AWSPREVIOUS automatically

Naming Convention

  • Use / as hierarchy separator: app/env/secret-name
  • Encode slashes as %2F in URLs
  • Examples: payments/prod/stripe-key, shared/jwt-secret
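
The rotation call and the %2F naming rule above, combined in an added example that is not SecretVault's own code: it encodes the name into a single path segment and sends the new value without putting it or the API key on the command line. The function names, the SV_BASE and SV_API_KEY variables, the Content-Type header and the top-level VersionId response field are assumptions; curl, jq and /dev/fd must be available.

```sh
#!/bin/sh
# Added example (not SecretVault's own code). Assumes curl, jq and /dev/fd.
SV_BASE="${SV_BASE:-https://secret-manager.max-4f3.workers.dev}"  # host from the page

# Percent-encode a secret name so it stays ONE path segment ("/" -> %2F).
sv_encode() (
  LC_ALL=C                       # byte-wise matching; the subshell keeps it local
  s=$1 out=
  [ -n "$s" ] || exit 2          # refuse an empty name
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}; s=$rest
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;                        # unreserved
      [[:print:]])     out="$out$(printf '%%%02X' "'$c")" ;;  # e.g. "/" -> %2F
      *) echo "sv_encode: control or non-ASCII byte" >&2; exit 2 ;;
    esac
  done
  printf '%s\n' "$out"
)

# URL of the value endpoint; an optional second argument pins a versionId.
sv_value_url() {
  name=$(sv_encode "$1") || return 2
  url="$SV_BASE/api/secrets/$name/value"
  if [ -n "${2:-}" ]; then
    ver=$(sv_encode "$2") || return 2
    url="$url?versionId=$ver"
  fi
  printf '%s\n' "$url"
}

# Rotate: new value on stdin, key in $SV_API_KEY. The key reaches curl through
# a config file on fd 3 and the body through a pipe, so neither shows up in argv.
sv_rotate() {
  url=$(sv_value_url "$1") || return 2
  resp=$(jq -Rs '{SecretString: rtrimstr("\n")}' |
    curl --fail --silent --show-error -X PUT -K /dev/fd/3 \
      -H 'Content-Type: application/json' --data-binary @- "$url" 3<<EOF
header = "X-API-Key: $SV_API_KEY"
EOF
  ) || return 1
  # Assumption: the response is JSON with a top-level "VersionId" field.
  printf '%s\n' "$resp" | jq -er '.VersionId'
}
# Usage: printf '%s' "$NEW_VALUE" | sv_rotate myapp/prod/database
```

Passing the printed VersionId back as the second argument of sv_value_url gives the URL for reading that exact version.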