Secrets
Secrets are the core resource in FyVault. A secret represents a credential that your application needs.
Secret Types
API Key
For HTTP-based APIs like OpenAI, Stripe, Twilio. FyVault intercepts outbound HTTP requests and injects the key into the specified header.
Injection config:
| Field | Description | Example |
|---|---|---|
| target_host | API hostname | api.openai.com |
| target_port | API port (usually 443) | 443 |
| header_name | HTTP header name | Authorization |
| header_template | Header value format | Bearer {{value}} |
| proxy_port | Local proxy port | 19001 |
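A small model of the API Key injection the table describes, added here as an example (it is not FyVault's code): it recognises the FYVAULT::<name> placeholder form used in the .env change, renders header_template, and rewrites only requests bound for target_host:target_port. How the real proxy matches requests and treats a header that still carries the placeholder is an assumption, and the vault store and key value are constructed.

```python
import re
from dataclasses import dataclass

# Placeholder form used in .env, e.g. FYVAULT::openai_api_key (pattern is an assumption)
PLACEHOLDER = re.compile(r"^FYVAULT::(?P<name>[A-Za-z0-9_.-]+)$")

@dataclass(frozen=True)
class ApiKeyInjection:
    """Fields of the API Key injection config table above."""
    target_host: str
    target_port: int
    header_name: str
    header_template: str
    proxy_port: int

def placeholder_name(env_value: str):
    """Secret name referenced by a FYVAULT::<name> placeholder, or None if it is not one."""
    m = PLACEHOLDER.match(env_value.strip())
    return m.group("name") if m else None

def render_header(template: str, secret_value: str) -> str:
    """Expand the {{value}} token of header_template; surrounding text is kept verbatim."""
    return template.replace("{{value}}", secret_value)

def inject(cfg: ApiKeyInjection, host: str, port: int, headers: dict,
           secret_name: str, vault: dict) -> dict:
    """Model of the proxy step: a request to target_host:target_port leaves with the
    real key in header_name; any other destination passes through untouched."""
    if (host.lower(), port) != (cfg.target_host.lower(), cfg.target_port):
        return dict(headers)
    # Drop any existing copy of the header (names compare case-insensitively), e.g. one
    # still carrying the inert placeholder, so only the rendered value goes upstream.
    out = {k: v for k, v in headers.items() if k.lower() != cfg.header_name.lower()}
    out[cfg.header_name] = render_header(cfg.header_template, vault[secret_name])
    return out

# Constructed sample data: a stand-in vault store and the config row from the table.
VAULT = {"openai_api_key": "sk-proj-CONSTRUCTED-EXAMPLE"}
OPENAI = ApiKeyInjection("api.openai.com", 443, "Authorization", "Bearer {{value}}", 19001)
ENV_VALUE = "FYVAULT::openai_api_key"   # what the app now reads from OPENAI_API_KEY

def demo() -> dict:
    """Headers an app built from the placeholder, after the proxy's injection step."""
    name = placeholder_name(ENV_VALUE)
    app_headers = {"authorization": f"Bearer {ENV_VALUE}", "Content-Type": "application/json"}
    return inject(OPENAI, "api.openai.com", 443, app_headers, name, VAULT)
```

The point to check is that the placeholder in .env is inert: it names a secret but is never itself a credential, and the real key appears only on the proxied leg to the configured host.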
Your .env change:
```
# Before
OPENAI_API_KEY=sk-proj-real-key
# After
OPENAI_API_KEY=FYVAULT::openai_api_key
```
Database Credential
For PostgreSQL, MySQL, etc. FyVault runs a transparent protocol-aware proxy with native database protocol support.
Injection config:
| Field | Description | Example |
|---|---|---|
| db_type | Database engine | postgresql |
| target_host | Real DB hostname | mydb.rds.amazonaws.com |
| target_port | Real DB port | 5432 |
| proxy_port | Local proxy port | 5433 |
| username | DB username | myapp |
| database | Database name | production |
Your .env change:
```
# Before
DATABASE_URL=postgres://myapp:secretpassword@mydb.rds.amazonaws.com:5432/production
# After
DATABASE_URL=postgres://myapp@localhost:5433/production
```
AWS Credential
For AWS SDKs. Uses the standard credential_process mechanism.
Your ~/.aws/config change:
```
[profile default]
credential_process = fyvault-shim aws
```
Generic
For any other secret that you want securely stored and available on your device. No automatic injection — your application reads it via the FyVault CLI or SDK.
Secret Versioning
Every update creates a new version. Previous versions are retained for audit purposes. You can view the version history and roll back to any previous version from the secret detail page.
Encryption Modes
When you create a secret, you choose how it is encrypted at rest. Pick the mode that matches how the secret will be used — not one-size-fits-all.
| Scenario | Use this mode |
|---|---|
| Backend app, CI, Node SDK, getValueByName, automation | Server-side (KMS) |
| Maximum privacy: encrypt in the browser; decrypt in the dashboard with your vault passphrase | Zero-knowledge (client) |
| Linux servers and the FyVault agent delivering secrets at boot | Either mode may apply; see Devices and device registration. |
Server-side (KMS)
The value is sent over TLS once at creation, then encrypted at rest with AWS KMS envelope encryption. Authorized API keys and the dashboard can retrieve plaintext where the product allows it (for example SDK value endpoints for server-encrypted secrets).
Zero-Knowledge (Client)
Encrypted in your browser before upload. The passphrase stays with you. This mode is not for use cases where a backend must call the API to receive plaintext — use server-side (KMS) for those.