
Secrets Quick Reference

Store sensitive credentials securely and inject them into requests without exposing them to clients.

What is a Secret?

A secret is an encrypted credential (like an API key or password) that KnoxCall injects into your backend requests server-side.

Why use secrets?
  • ✅ Credentials never exposed to clients
  • ✅ Centrally managed and encrypted
  • ✅ Easy to rotate without code changes

Real-World Example

Without secrets (❌ Insecure):
// Frontend code - API key exposed!
const stripeKey = "sk_live_abc123";
fetch("https://api.stripe.com/charges", {
  headers: { "Authorization": `Bearer ${stripeKey}` }
});

With secrets (✅ Secure):
// Frontend code - Safe!
fetch("https://your-app.knoxcall.com/api/payments", {
  headers: { "Authorization": "Bearer YOUR_KNOXCALL_KEY" }
});
// KnoxCall injects Stripe key server-side

Create a Secret

Step 1: Navigate to Secrets

  1. Click Resources in sidebar
  2. Select Secrets
  3. Click Add Secret

Step 2: Fill in Details

Secret Name:
stripe_api_key
Use lowercase with underscores

Secret Value:
sk_live_abc123...
Paste your actual API key

Description: (optional)
Stripe production API key - rotate every 90 days

Step 3: Save

Click Save. The value is encrypted immediately and you’ll never see it again!

Use the Secret in a Route

Inject as Header

  1. Edit your route
  2. Scroll to Header Injection
  3. Add:
{
  "Authorization": "Bearer {{stripe_api_key}}"
}
Use {{secret_name}} syntax

Inject in Body

For POST/PUT requests:
{
  "api_key": "{{stripe_api_key}}",
  "other_field": "value"
}

Test It

Make a request through your route:
curl https://your-domain.knoxcall.com/api/payments \
  -H "Authorization: Bearer YOUR_KNOXCALL_KEY"

KnoxCall automatically adds:
Authorization: Bearer sk_live_abc123...

Your Stripe key is injected but never exposed to the client!

Security Best Practices

Do:
  • Use descriptive names: stripe_production_key
  • Rotate every 90 days
  • Delete unused secrets
  • Use different secrets for dev/staging/prod
Don’t:
  • Use generic names: secret1, key
  • Reuse secrets across services
  • Share secrets via email/chat
  • Use production secrets in development
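
The naming rules above and the {{secret_name}} syntax can be checked before a route is saved. The following is an added example, not KnoxCall code: the function name, finding labels and sample data are constructed for illustration, and the literal-key check only looks for the sk_live_ prefix used in this page's sample.

```javascript
// Added example: lint a route's injection template before saving it.
// Names, finding labels and sample data are constructed for illustration.
const PLACEHOLDER = /\{\{\s*([^{}]*?)\s*\}\}/g;      // the {{secret_name}} syntax
const VALID_NAME = /^[a-z][a-z0-9]*(_[a-z0-9]+)*$/;  // lowercase with underscores
const GENERIC_NAME = /^(secret|key)\d*$/;            // e.g. secret1, key
const LITERAL_KEY = /\bsk_live_[A-Za-z0-9]+/;        // pasted key instead of a placeholder

// Checks the top-level string fields of a header or body template.
// knownSecrets is a Set of secret names that exist in the account.
function lintTemplate(template, knownSecrets) {
  const findings = [];
  for (const [field, value] of Object.entries(template)) {
    if (typeof value !== "string") continue;
    if (LITERAL_KEY.test(value)) {
      findings.push({ field, issue: "literal-credential" });
    }
    for (const match of value.matchAll(PLACEHOLDER)) {
      const name = match[1];
      if (!VALID_NAME.test(name)) {
        findings.push({ field, name, issue: "bad-name-format" });
      } else if (GENERIC_NAME.test(name)) {
        findings.push({ field, name, issue: "generic-name" });
      } else if (!knownSecrets.has(name)) {
        findings.push({ field, name, issue: "unknown-secret" });
      }
    }
  }
  return findings;
}

// Constructed sample data.
const knownSecrets = new Set(["stripe_api_key", "sendgrid_api_key"]);
const good = { "Authorization": "Bearer {{stripe_api_key}}" };
const bad = {
  "Authorization": "Bearer sk_live_abc123",  // key pasted into the route
  "api_key": "{{key}}",                      // generic name
  "X-Mail": "{{SendGrid-Key}}",              // not lowercase_with_underscores
  "X-Sms": "{{twilio_auth_token}}",          // secret was never created
};

console.log(lintTemplate(good, knownSecrets));
console.log(lintTemplate(bad, knownSecrets));
```
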

Common Use Cases

Third-party APIs:
stripe_api_key
sendgrid_api_key
twilio_auth_token
Databases:
database_password
redis_url
postgres_connection_string
OAuth:
google_oauth_token
github_access_token

Next Steps

  • Learn about secret rotation for security
  • Set up environment-specific secrets
  • Configure multiple secrets in one route
Questions? Use the support chat!
