Secret Dependencies
Map relationships between secrets with rotates_with, derived_from, and used_by so rotations cascade automatically.
Relationship types
| Type | Behavior |
|---|---|
| rotates_with | Both secrets rotate at the same time |
| derived_from | Child re-derives when parent rotates |
| used_by | Informational link for audit trail |
CLI
# Add a dependency fyvault deps add DB_PASSWORD \ --rotates-with DB_CONNECTION_STRING # View the dependency tree fyvault deps tree DB_PASSWORD # Output: # DB_PASSWORD # +-- rotates_with: DB_CONNECTION_STRING # +-- used_by: BACKEND_SERVICE # `-- derived_from: ROOT_DB_CREDENTIAL
Node.js
import { FyVault } from "@fyvault/sdk";
const fv = new FyVault({ accessToken: "fv_live_...", orgId: "org_acme" });
// Add a dependency
await fv.dependencies.add({
secretName: "DB_PASSWORD",
type: "rotates_with",
target: "DB_CONNECTION_STRING",
environment: "production",
});
// List dependencies
const deps = await fv.dependencies.list("DB_PASSWORD", {
environment: "production",
});Python
from fyvault import FyVault
fv = FyVault(access_token="fv_live_...", org_id="org_acme")
fv.dependencies.add(
secret_name="DB_PASSWORD",
type="rotates_with",
target="DB_CONNECTION_STRING",
environment="production",
)
deps = fv.dependencies.list("DB_PASSWORD", environment="production")Auto-cascade
When a secret with dependencies is rotated, FyVault automatically triggers rotation for all rotates_with secrets and re-derives all derived_fromchildren. The cascade is atomic — if any step fails, the entire operation rolls back.
See also: Provider Connect, Secrets