Secrets API
List, reveal, upsert, and delete workspace-scoped secrets.
Base path: /v1/workspaces/{workspace_id}/secrets
Secrets are stored in Infisical by default (pluggable SecretBackend per D-040). Reveal is audited on every call.
See also: Customer Portal — Secrets
List secrets
GET /v1/workspaces/{workspace_id}/secrets
Returns keys and descriptions — values are redacted.
Permission: read
curl -s -H "Authorization: Bearer $TOKEN" \
"$CP_URL/v1/workspaces/$WORKSPACE_ID/secrets" | jq .
Response 200
{
"secrets": [
{ "key": "STRIPE_API_KEY", "description": "Payments" },
{ "key": "DATAPLANE_SERVICE_API_KEY", "description": "Platform-managed" }
]
}
Reveal secret
GET /v1/workspaces/{workspace_id}/secrets/{key}
Returns the plaintext value. Emits audit event secret.revealed.
Permission: read
curl -s -H "Authorization: Bearer $TOKEN" \
"$CP_URL/v1/workspaces/$WORKSPACE_ID/secrets/STRIPE_API_KEY" | jq .
Response 200
{
"key": "STRIPE_API_KEY",
"value": "sk_live_…",
"description": "Payments"
}
Upsert secret
PUT /v1/workspaces/{workspace_id}/secrets/{key}
Create or update a secret. Response returns metadata only — never echoes the value.
Permission: write
curl -s -X PUT -H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"value":"sk_live_…","description":"Payments"}' \
"$CP_URL/v1/workspaces/$WORKSPACE_ID/secrets/STRIPE_API_KEY" | jq .
Request body
| Field | Type | Required |
|---|---|---|
| value | string | Yes |
| description | string | No |
Delete secret
DELETE /v1/workspaces/{workspace_id}/secrets/{key}
Permission: delete
Returns 204 No Content.
Platform-managed keys
DATAPLANE_SERVICE_API_KEY is provisioned by Control Plane for Dataplane access. It cannot be upserted or deleted via this API — use the Dataplane provision endpoint instead.
Errors
| Status | Meaning |
|---|---|
| 403 | Missing permission, or platform-managed key mutation |
| 404 | Secret not found |
| 502 | Secret backend (Infisical) error |
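The upsert call, the platform-managed key rule and the Errors table above combined into a Python client, added here as an example and not taken from the platform's own code: it percent-encodes the key into the path, carries the value only in the request body, refuses the platform-managed key before sending, and fails if the response echoes the value. The function names, `SecretsError`, and the assumption that errors surface as plain HTTP statuses are this example's own.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Status meanings copied from the Errors table on this page.
ERRORS = {403: "missing permission, or platform-managed key mutation",
          404: "secret not found",
          502: "secret backend (Infisical) error"}
PLATFORM_MANAGED = {"DATAPLANE_SERVICE_API_KEY"}  # cannot be upserted or deleted here


class SecretsError(Exception):  # hypothetical name, not part of the API
    def __init__(self, status):
        super().__init__(f"{status}: {ERRORS.get(status, 'unexpected status')}")
        self.status = status


def build_upsert(cp_url, workspace_id, token, key, value, description=None):
    """Build the PUT request; the secret value appears only in the JSON body."""
    if key in PLATFORM_MANAGED:
        raise ValueError(f"{key} is platform-managed; use the Dataplane provision endpoint")
    body = {"value": value}
    if description is not None:
        body["description"] = description
    # Percent-encode path segments so a key such as "a/../b" cannot address another route.
    url = "{}/v1/workspaces/{}/secrets/{}".format(
        cp_url.rstrip("/"),
        urllib.parse.quote(workspace_id, safe=""),
        urllib.parse.quote(key, safe=""))
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def upsert(req, send=urllib.request.urlopen):
    """Send the request and return the metadata; `send` is injectable for tests."""
    try:
        with send(req) as resp:
            meta = json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        raise SecretsError(exc.code) from None
    # The page says the response never echoes the value; treat an echo as a fault.
    if "value" in meta:
        raise RuntimeError("upsert response echoed the secret value")
    return meta
```

Read the token and the secret value from the environment or a prompt rather than passing them as command-line arguments, so they stay out of shell history and process listings.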