What are secrets?

Secrets are sensitive values - API keys, database passwords, TLS certificates - that need to be encrypted at rest and tightly access-controlled. In Nexus, secrets are:
  • Encrypted with AES-256-GCM at rest
  • Never returned in plaintext via the audit log
  • Versioned - every write creates a new version; previous versions can be promoted
  • Scoped to a service and an environment
  • Only available to backend services (sk_live_ keys); frontend services (pk_live_) never receive secrets

Key names

Secret keys follow the pattern ^[a-zA-Z]([a-zA-Z0-9_.:-]*[a-zA-Z0-9])?$ - they start with a letter, end with a letter or digit, and may contain letters, digits, dots, underscores, hyphens, and colons in between. Examples: stripe.secret_key, db:password, TLS_CERT

Secret types

| Type | Description |
|------|-------------|
| text | Plain string value - the default |
| file | Binary or multi-line content (PEM certs, JSON key files). The SDK writes the value to a temp file and returns the path. |

Reading secrets

All backend SDKs provide a typed accessor. Calling GetSecret with a pk_live_ key or on a frontend-kind service raises an error - secrets are never sent to frontend services.

    value, err := client.GetSecret("stripe.key")
    // file-type: the SDK writes the value to a temp file and returns its path
    path, err := client.GetSecretFilePath("TLS_CERT")

GetSecret raises ErrPublicKeyRestricted (Go) / NexusPublicKeyError (Node) if called with a pk_live_ key. It raises ErrServiceKindMismatch / NexusServiceKindMismatchError on a kind=frontend service regardless of key type.

Using secrets in configs

Configs can reference secrets by key using the {{secret:KEY}} template syntax. The value is resolved server-side at sync time and delivered as the resolved string - the secret value is never stored in plaintext in the config.

    database.url = postgresql://user:{{secret:DB_PASSWORD}}@host:5432/mydb
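
A pre-sync lint for the {{secret:KEY}} references described above, written in Go as an added example (it is not Nexus code or part of its SDK). It checks each referenced key against the pattern from the Key names section and flags references to secrets that are not defined; LintConfigValue, Finding, the known set, and the rule that a reference runs up to the next }} are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Key-name pattern as documented in the "Key names" section.
var keyPattern = regexp.MustCompile(`^[a-zA-Z]([a-zA-Z0-9_.:-]*[a-zA-Z0-9])?$`)

// Assumption: a reference is everything between "{{secret:" and the next "}}".
// Keys may themselves contain colons (db:password), so we do not split on ':'.
var refPattern = regexp.MustCompile(`\{\{secret:(.*?)\}\}`)

// Finding describes one problem with a secret reference (hypothetical type).
type Finding struct {
	Key    string
	Reason string
}

// LintConfigValue checks every {{secret:KEY}} reference in value. known is a
// hypothetical set of secret keys defined for the service and environment.
func LintConfigValue(value string, known map[string]bool) []Finding {
	var out []Finding
	for _, m := range refPattern.FindAllStringSubmatch(value, -1) {
		key := m[1]
		switch {
		case !keyPattern.MatchString(key):
			out = append(out, Finding{key, "invalid key name"})
		case !known[key]:
			out = append(out, Finding{key, "unknown secret"})
		}
	}
	return out
}

func main() {
	known := map[string]bool{"DB_PASSWORD": true, "db:password": true}
	samples := []string{ // constructed config values
		"postgresql://user:{{secret:DB_PASSWORD}}@host:5432/mydb",
		"postgresql://user:{{secret:db:password}}@host:5432/mydb",
		"redis://:{{secret:redis-}}@cache:6379",             // ends with '-'
		"https://api.example.test/?k={{secret:STRIPE_KEY}}", // not defined
	}
	for _, s := range samples {
		fmt.Println(s, "->", LintConfigValue(s, known))
	}
}
```

Only key names appear in the findings, so the output is safe to keep in CI logs.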

Versioning

Every write to a secret creates a new version. You can:
  • View version history in the console
  • Promote an older version to become the current value
  • See the diff between versions

Audit log

The following events are recorded for secrets:

| Event | Trigger |
|-------|---------|
| secret.created | New secret added |
| secret.updated | Value changed (new version created) |
| secret.deleted | Secret removed |
| secret.reveal | Version history viewed (plaintext revealed to admin) |
| secret.list | Secret list fetched via admin API |
| secret.get_by_key | Individual secret fetched via admin API |