Secrets
sdk.secrets resolves named secret keys to their current values at runtime. Secrets are stored in the cPod platform’s encrypted vault and injected into your app on demand — your code only ever holds a key name, never the raw credential.
This is the recommended pattern for all API tokens, passwords, and connection strings used in skills, workflows, and data source configs.
Resolve a Single Secret
import { CpodClient } from '@cpod/sdk'

const sdk = CpodClient.fromEnv()
const token = await sdk.secrets.resolve('OKTA_API_TOKEN')
// token → "00abc123..." (the actual secret value)

// Use immediately — do not store in a variable longer than needed
await sdk.dataSources.create({
  name: 'Okta Production',
  type: 'okta',
  config: {
    domain: 'myorg.okta.com',
    apiToken: await sdk.secrets.resolve('OKTA_API_TOKEN'),
  },
})

Resolve Multiple Secrets
// One round trip for multiple keys
const secrets = await sdk.secrets.resolveMany([
  'OKTA_API_TOKEN',
  'AWS_SECRET_ACCESS_KEY',
  'GITHUB_APP_PRIVATE_KEY',
])
// secrets → { OKTA_API_TOKEN: "...", AWS_SECRET_ACCESS_KEY: "...", GITHUB_APP_PRIVATE_KEY: "..." }
const { OKTA_API_TOKEN, AWS_SECRET_ACCESS_KEY } = secrets

List Secret Keys
List the keys available to your app — values are never returned by this endpoint.
const keys = await sdk.secrets.list()
for (const key of keys.items) {
  console.log(key.name, key.createdAt, key.lastRotatedAt)
}

Secret values are returned in plaintext to the calling process. Treat resolved values with the same care as environment variables — do not log them, do not include them in error messages, and release them from memory as soon as they are used.
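The handling rules above, shown as an added example that is not part of the cPod SDK or the original page: a hypothetical `withSecret` helper scopes a resolved value to one callback and strips it from any error that escapes. Only `sdk.secrets.resolve` comes from this page; `redact`, `withSecret`, `fakeSdk`, `demo` and the token value are constructed for illustration.

```javascript
// Replace every occurrence of a resolved secret value with a marker.
function redact(text, secretValues) {
  let out = String(text)
  for (const value of secretValues) {
    if (value) out = out.split(value).join('[REDACTED]') // skip empty values
  }
  return out
}

// Hypothetical helper, not part of @cpod/sdk: resolve a key, pass the value
// to `use`, and keep it out of any error that propagates to callers or logs.
async function withSecret(sdk, keyName, use) {
  let value = await sdk.secrets.resolve(keyName)
  try {
    return await use(value)
  } catch (err) {
    // Throw a fresh error: the original message and stack may embed the value.
    const message = err && err.message ? err.message : String(err)
    const safe = new Error(redact(message, [value]))
    safe.name = (err && err.name) || 'Error'
    throw safe
  } finally {
    value = undefined // drop our reference; JS strings cannot be wiped in place
  }
}

// Constructed stand-in for the SDK client so the example runs offline.
const fakeSdk = {
  secrets: {
    resolve: async (name) => ({ OKTA_API_TOKEN: 'constructed-token-value' })[name],
  },
}

// Constructed failure: a downstream client that echoes the credential.
async function demo() {
  try {
    await withSecret(fakeSdk, 'OKTA_API_TOKEN', async (token) => {
      throw new Error(`401 from myorg.okta.com using token ${token}`)
    })
    return 'no error'
  } catch (err) {
    return err.message
  }
}

demo().then((message) => console.log(message))
```

The helper only covers errors thrown out of the callback; anything the callback returns or logs itself still needs the same care.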
Managing Secrets
Secrets are created and rotated in the cPod platform console or via the admin API (requires secrets.write admin scope — not available to SDK apps by default):
# Create or update a secret via admin API
curl -X PUT https://api.yourdomain.com/v1/secrets/OKTA_API_TOKEN \
  -H "Authorization: Bearer $CPOD_ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"value": "00newtoken..."}'

SDK apps only need secrets.read scope to resolve keys — they cannot create or rotate secrets.