Secrets
Encrypted secret store, scoped per project, mounted into functions, pods and workspaces.
What it is
Secrets stores small (≤64 KiB) sensitive values — API keys, DB passwords, certificates. Encrypted at rest with project-scoped keys. Mounted into pods/functions either as env vars or as files; never returned in plaintext through the read API after creation (only references).
When to use it
- Don't put credentials in container images or YAML.
- Rotate without redeploying.
- Audit every read.
Quickstart
asc secrets put DB_PASSWORD --value 's3cr3t'
asc pods run --image my/api --env-from-secret DB_PASSWORDclient.secrets.put('DB_PASSWORD', value='s3cr3t')
client.pods.run(image='my/api', env_from_secrets=['DB_PASSWORD'])await client.secrets.put('DB_PASSWORD', { value: 's3cr3t' });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| Max value | 64 KiB | — | |
| Per project | 10,000 | — | |
| Audit | Read & write | — | 365 days |
Pricing
See pricing. Pay-as-you-go, billed monthly via Stripe.
API surface
PUT /v1/secrets/{name}POST /v1/secrets/{name}/reveal(admin-scope)
Required scope(s): secrets:read, secrets:write. See Scopes.
Security
All access is authenticated and scoped. See Auth & scopes and Network controls.