Documentation

Using SecretHub

SecretHub stores your team's environment variables and secrets, encrypted at rest, organized by project and environment, with role-based access. This guide covers everything the app does today.

Introduction

SecretHub is a web application for managing API keys, tokens, and environment variables across multiple environments (development, staging, production). Secrets are encrypted with AES-256 and never shown in plaintext until you explicitly reveal them. Access is scoped to a workspace and controlled by roles.

You manage secrets through the web UI. For programmatic access at runtime — from your app, backend, or CI — use scoped remote config keys with the REST endpoint or an official SDK.

Quickstart

  1. Create an account at /register and verify your email.
  2. Create a workspace (your company/team) on first login.
  3. Create a project — one per application to keep secrets isolated.
  4. Add environments — e.g. development, staging, production.
  5. Add secrets — a key (e.g. DATABASE_URL) and value per environment.
  6. Invite your team and assign roles.

Core concepts

Workspace
The top-level container (your company/team). Holds projects and members. Each user can belong to multiple workspaces.
Project
A group of related secrets, usually one per application or service. Has a name and a URL-safe slug.
Environment
A stage within a project (development, staging, production, …). Each environment holds its own set of variables.
Secret / Variable
A key–value pair inside an environment. Marked secret (masked) or plain, with a data type (string, integer, boolean, json, url, …).

Managing secrets

Inside a project you get a table of keys per environment. You can:

  • Reveal per row — values are masked by default; click the eye to reveal one row (independent per row), or Reveal all.
  • Copy — copy a value to the clipboard even while masked.
  • Search — filter by key name (case-insensitive).
  • Groups — keys auto-group by prefix before the first underscore (AZURE_*, KORONA_*), collapsible.
  • Edit — reveal a row to edit its value, then Save.
  • Delete — type-to-confirm the exact key; delete from the current environment or all.

Environments

Environments carry a risk level, shown consistently across the app with a colored dot:

  • Development — safe
  • Staging — caution
  • Production — protected (shown with a lock)

Each environment tab shows its key count. Add a new environment from the New environment button.

Compare environments

The Compare tool diffs two or more environments side by side. Values stay masked by default (reveal per row or all). Rows are highlighted:

  • Different — the key exists in all but values differ.
  • Missing in one — present in some environments only; the empty column shows — not set.
  • Identical rows are not highlighted. Toggle Only show differences to hide them.

Import & export

Import from a .env or JSON file into an environment. Export an environment as:

  • .env — download or copy to clipboard
  • JSON — download or copy to clipboard

Exports include real values plus a metadata watermark (environment, project, workspace, timestamp, source).

Team & roles

Invite members by email and assign a role. Roles today:

OwnerFull control — manage billing, members, and everything below.
AdminManage secrets and members across the workspace.
MemberLimited access to the workspace.

Role changes and removals are done from the member's actions menu. The owner can't be removed.

Security

  • AES-256 encryption at rest — secret values are encrypted; never stored in plaintext.
  • Masked by default — values are hidden in the UI (and in Compare) until explicitly revealed.
  • JWT sessions — authentication uses signed tokens; passwords are hashed (PBKDF2).
  • Email verification and password reset are built in.
  • Audit trail — platform activity is logged for administrators.

Plans & limits

The Free plan includes:

  • 1 workspace
  • Up to 3 projects
  • Up to 5 environments per project
  • Up to 100 secrets per project
  • Up to 10 team members

Higher limits (Pro) are planned.

Remote config API

This is the only API you need for runtime access. Generate scoped, read-only keys under Integrations, then fetch a project's config from your app, backend, or CI — over the REST endpoint or an official SDK. There is no login/JWT flow to wire up: the key is the credential.

Keys & scope

  • Each key is scoped to one project and to specific flavors (environments).
  • sh_live_ server keys read all values, including secrets.
  • sh_pub_ client keys receive non-secret values only and can never be scoped to production.
  • Revoke, rename, or re-scope any key at any time. Every fetch is written to the audit log.

The endpoint

One request returns the whole environment as a flat key–value map. Pass project and flavor (the environment slug).

curl "$API/api/v1/config?project=my-app&flavor=production" \
  -H "Authorization: Bearer sh_live_..."
# -> {
#      "project": "my-app",
#      "flavor": "production",
#      "version": "v42",
#      "generatedAt": "2026-07-11T00:00:00.000Z",
#      "values": { "DATABASE_URL": "...", "API_KEY": "..." }
#    }

Send If-None-Match: "v42" to get a cheap304 Not Modified when the config hasn't changed — cache theversion and revalidate cheaply on each boot.

Flutter SDK

Add the secret_hub package, then init once and read values anywhere. The SDK fetches, caches, and revalidates for you.

# pubspec.yaml
dependencies:
  secret_hub: ^1.0.0
await SecretHub.instance.init(
  apiKey: 'sh_live_...',
  project: 'my-app',
  flavor: Flavor.production,
  // baseUrl defaults to https://api.secrethub.app
);
await SecretHub.instance.fetchAndActivate();

final dbUrl = SecretHub.instance.getString('DATABASE_URL');

Node / JavaScript

Plain fetch — no SDK required.

const BASE_URL = "https://api.secrethub.app";
const res = await fetch(
  `${BASE_URL}/api/v1/config?project=my-app&flavor=production`,
  { headers: { Authorization: "Bearer sh_live_..." } }
);
const { values } = await res.json();

Manage keys and try live requests from Integrations in the dashboard.