Sharing Secrets
Share a secret with an external party the way you’d share a password in 1Password — but with three things a password manager can’t do:- They never see the value. By default the recipient can use the secret (KnoxCall injects it into their API calls) but can never read the raw key.
- It’s locked to approved destinations. The secret can only be sent to hosts you choose (e.g.
api.stripe.com). It cannot be exfiltrated to a URL the recipient controls. - You can stop instantly. Revoke a share and the recipient loses access on their very next request — no rotation, no waiting.
How it works
- From a secret’s Sharing tab, you invite someone by email and pick:
- an access level (below),
- the destination domains the secret may be used against,
- which environment’s value to share.
- The recipient gets an email with a claim link. They are never added to your workspace — instead they sign up for (or sign in to) their own KnoxCall workspace, where a linked secret appears.
- In their workspace, the linked secret behaves like any other secret in their routes — but it holds no value of its own. At request time KnoxCall resolves it to your canonical value, injects it, and (if it’s a
use onlyshare) never exposes it.
Access levels
| Level | Can inject into routes | Can reveal the value | Can edit the value |
|---|---|---|---|
| Use only (default) | ✅ | ❌ | ❌ |
| Can view | ✅ | ✅ (with step-up verification) | ❌ |
| Can manage | ✅ | ✅ | ✅ (edits your canonical secret) |
Use only is the headline capability — grant the ability to use a credential without ever handing over the credential itself.
Domain-locking
Domain-locking is required by default. When you share a secret you choose the destinations it may be injected toward:- exact hostnames —
api.stripe.com - a single wildcard label —
*.example.com(matchesa.example.com, not the apex)
use only share it removes the only thing preventing the recipient from forwarding the value to themselves, so we don’t recommend it.
Revoking
Open the Sharing tab and choose Stop sharing on any recipient. Access ends immediately — the check happens on every request, uncached. Deleting a secret that is actively shared prompts you to revoke those shares first (or to revoke-and-delete in one step).What “never see the value” actually means (the honest version)
This is important to state plainly. Linked secret sharing is recipient-opaque, platform-trusted, and destination-constrained — it is not zero-knowledge:- Recipient-opaque: the value is never revealed to the recipient through any product surface, and it never leaves KnoxCall toward a destination you didn’t approve.
- Platform-trusted: KnoxCall’s control plane decrypts your secret server-side to inject it (exactly as it does for your own routes today). The “never reveal” guarantee is an authorization + destination boundary, not a cryptographic one.
- Your kill-switch: if you use customer-managed keys (BYOK), sealing your KMS revokes every share instantly and cryptographically — nothing can be injected.
Linked secrets work with the classic proxy (Routes). Sharing string, OAuth2, and certificate secrets is supported. Live and Test are isolated: a Live share never resolves a Test secret.