Overview
An operations team provisioning a new tenant needs to configure API keys for five external intelligence feeds, a database credential, and webhook signing secrets for three integrations. Storing those values in environment variables or configuration files creates audit gaps and rotation headaches. A departing team member who had access to those files becomes a security liability. The Secrets Management Platform centralises that storage, enforces rotation automatically, and records every access event so the security team always knows who retrieved what and when.
The module provides secure, encrypted storage for API keys, credentials, certificates, and other sensitive configuration data across your organisation. Designed with a zero-trust architecture, it ensures secrets are protected at rest and in transit with strict tenant isolation across all multi-tenant deployments.
Key Features
- Encrypted storage for API keys, tokens, and credentials with zero-trust architecture
- Automatic secret rotation with zero-downtime updates, keeping services running during credential refresh
- Comprehensive audit logging for all secret access, recording user, time, and context for every retrieval
- Per-tenant isolation ensuring complete data separation between organisations
- Role-based access control for secret management, limiting who can read, write, and rotate each secret type
- Integration with external key management systems for organisations with existing KMS infrastructure
- Version history and rollback support for rapid recovery when a rotation causes an unexpected issue
Use Cases
Third-Party API Integration
Store and manage API keys for external services such as intelligence data feeds, notification providers, and analytics platforms. Rotation policies ensure credentials are refreshed on a regular schedule, and audit trails satisfy compliance requirements for regulated data sources.
Webhook Authentication
Manage signing secrets used to verify inbound and outbound webhook traffic. Rotate keys seamlessly without disrupting active integrations or requiring coordinated deployments across connected systems.
Database Credential Management
Centralise storage of database passwords and connection credentials. Enforce periodic rotation, monitor access patterns through audit logs, and revoke credentials immediately when a security concern arises.
Certificate and Token Lifecycle
Track expiration dates for certificates and long-lived tokens. Receive notifications before expiry and use automatic renewal workflows to prevent outages caused by expired credentials.
Open Standards
- AES-256-GCM (NIST FIPS 197 / SP 800-38D): All secrets are encrypted at rest using 256-bit AES in Galois/Counter Mode, with per-secret Additional Authenticated Data binding the ciphertext to a specific tenant and row so encrypted blobs cannot be transplanted.
- HMAC-SHA-256 (RFC 2104 / FIPS 198-1): Secret integrity hashes and webhook signing secrets are generated and verified using HMAC with SHA-256, with SHA-256 (FIPS 180-4) also used for per-value integrity fingerprints stored alongside each encrypted blob.
- JSON Web Token (RFC 7519): Service-to-service calls to the secrets store are authenticated with signed JWTs; the platform also stores and rotates JWT signing secrets as a named secret type.
- PKCS#11 (OASIS / ISO/IEC 14443): The encryption layer supports Hardware Security Module key wrapping via the PKCS#11 interface, allowing organisations to keep master key-encryption keys in a certified HSM rather than in software.
- FIPS 140-2: The encryption module is designed to operate in a FIPS 140-2 compliant mode, using validated cryptographic primitives throughout the key management and secret storage pipeline.
- OAuth 2.0 (RFC 6749): OAuth tokens are a recognised first-class secret type within the platform, stored with the same encryption, rotation scheduling, and audit logging as other credential classes.
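The AES-256-GCM item above says that per-secret Additional Authenticated Data binds each ciphertext to a tenant and a row so that an encrypted blob cannot be transplanted. The following Go program is an added illustration of that mechanism, written for this page; it is not the platform's own code. The function names, the length-prefixed AAD layout, and the nonce||ciphertext||tag blob format are assumptions of the example. It uses only the Go standard library, so it runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// aadFor builds the Additional Authenticated Data that ties a ciphertext to one
// tenant and one storage row. Each field is length-prefixed so that two different
// (tenant, row) pairs can never serialise to the same byte string.
// The field layout is an assumption of this example, not the product's format.
func aadFor(tenantID, rowID string) []byte {
	aad := make([]byte, 0, 8+len(tenantID)+len(rowID))
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(tenantID)))
	aad = append(aad, n[:]...)
	aad = append(aad, tenantID...)
	binary.BigEndian.PutUint32(n[:], uint32(len(rowID)))
	aad = append(aad, n[:]...)
	aad = append(aad, rowID...)
	return aad
}

// newGCM wraps a 32-byte key in AES-256-GCM; any other key length is rejected
// rather than silently selecting AES-128 or AES-192.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret encrypts plaintext and returns nonce || ciphertext || tag as one
// blob. A fresh random 96-bit nonce is drawn per call. The AAD is authenticated
// but not stored, because the row's own metadata supplies it again on open.
func sealSecret(key []byte, tenantID, rowID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aadFor(tenantID, rowID)), nil
}

// openSecret decrypts a blob produced by sealSecret. If the blob is presented
// under a different tenant or row than it was sealed for, the GCM tag check
// fails and no plaintext is released.
func openSecret(key []byte, tenantID, rowID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aadFor(tenantID, rowID))
	if err != nil {
		return nil, fmt.Errorf("open %s/%s: %w", tenantID, rowID, err)
	}
	return pt, nil
}

func main() {
	key := make([]byte, 32) // in a real deployment this key is unwrapped from the KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample values; they are not real tenant or credential data.
	blob, err := sealSecret(key, "tenant-acme", "apikey-feed-1", []byte("constructed-api-key-value"))
	if err != nil {
		panic(err)
	}
	if pt, err := openSecret(key, "tenant-acme", "apikey-feed-1", blob); err == nil {
		fmt.Printf("same tenant/row: %s\n", pt)
	}
	if _, err := openSecret(key, "tenant-globex", "apikey-feed-1", blob); err != nil {
		fmt.Println("transplanted blob rejected:", err)
	}
}
```

Because the AAD is recomputed from the row's metadata at decryption time, a blob copied into another tenant's row (or another row of the same tenant) fails authentication before any plaintext is produced. Random 96-bit nonces are adequate for the per-secret volumes a secrets store sees, but a deployment encrypting very large numbers of values under one key should follow the invocation limits in SP 800-38D or derive per-tenant data keys.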
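The Webhook Authentication use case promises that signing secrets rotate without disrupting active integrations, and the HMAC-SHA-256 item above names the primitive used to sign and verify webhook traffic. The Go program below is an added example, written for this page rather than taken from the platform, of how a receiver can honour both at once: it verifies an inbound signature against the current secret and against any retired secret still inside a grace window, with a timestamp check against replay. The record shape, the grace and tolerance parameters, and the "timestamp.body" signed string are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// signingSecret is one version of a webhook signing secret. RetiredAt is zero
// for the current version and set when a rotation superseded it. This shape is
// an assumption of the example, not the platform's own record format.
type signingSecret struct {
	Version   int
	Value     []byte
	RetiredAt time.Time
}

// macOver computes HMAC-SHA-256 over "<unix-timestamp>.<body>". Binding the
// timestamp into the tag lets the receiver reject replays of old deliveries.
func macOver(secret []byte, ts int64, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	fmt.Fprintf(mac, "%d.", ts)
	mac.Write(body)
	return mac.Sum(nil)
}

// signPayload is what the sender attaches to an outbound webhook.
func signPayload(secret []byte, ts int64, body []byte) string {
	return hex.EncodeToString(macOver(secret, ts, body))
}

// verifyWebhook checks sig against every secret version that is still active:
// the current one, plus retired ones whose grace period has not yet elapsed.
// It returns the version that matched so the receiver can log which senders
// have not yet picked up the new secret. hmac.Equal compares in constant time.
func verifyWebhook(secrets []signingSecret, grace, tolerance time.Duration, now time.Time, ts int64, body []byte, sig string) (int, error) {
	got, err := hex.DecodeString(sig)
	if err != nil {
		return 0, errors.New("signature is not valid hex")
	}
	limit := int64(tolerance.Seconds())
	if skew := now.Unix() - ts; skew > limit || skew < -limit {
		return 0, errors.New("timestamp outside tolerance window")
	}
	for _, s := range secrets {
		if !s.RetiredAt.IsZero() && now.After(s.RetiredAt.Add(grace)) {
			continue // grace period over: this version no longer verifies anything
		}
		if hmac.Equal(got, macOver(s.Value, ts, body)) {
			return s.Version, nil
		}
	}
	return 0, errors.New("signature matched no active secret version")
}

func main() {
	now := time.Now()
	// Constructed sample secrets: version 2 is current, version 1 was retired an hour ago.
	secrets := []signingSecret{
		{Version: 2, Value: []byte("constructed-current-secret")},
		{Version: 1, Value: []byte("constructed-previous-secret"), RetiredAt: now.Add(-time.Hour)},
	}
	body := []byte(`{"event":"alert.created","id":"constructed-1"}`)
	ts := now.Unix()
	// A sender still using the previous secret keeps working during a 24h grace window.
	sig := signPayload([]byte("constructed-previous-secret"), ts, body)
	v, err := verifyWebhook(secrets, 24*time.Hour, 5*time.Minute, now, ts, body, sig)
	fmt.Println("matched version:", v, "err:", err)
}
```

Returning the matched version is what makes the rotation observable: once audit logs show no deliveries verifying under version 1, the retired secret can be dropped before its grace period even ends. The grace window should be short and the timestamp tolerance tight, since every extra active version widens the set of keys an attacker who obtained an old one could still use.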
Availability
This module is included with the Enterprise Plan.
Last Reviewed: 2026-02-23 Last Updated: 2026-04-14