Velo: About the Secrets Manager

Velo's Secrets Manager lets you securely store secrets such as API keys. The value of each secret is safely stored and encrypted in the Secrets Manager in your site's dashboard so that only you can access it. You choose a name for each secret, which is used in your site's code.

To use the Secrets Manager:

  • Wix Studio: If necessary, click and then Start Coding.
  • Wix Editor: Enable Velo Dev Mode for your site.

To access the Secrets Manager:

Select Developer Tools from the Code sidebar (Wix Studio) or the Velo Sidebar (Wix Editor). Under the Security section, select Secrets Manager. Alternatively, select Developer Tools in your site's dashboard, then select Secrets Manager.

Protect Your Secrets

Sometimes you may need to add private information such as an API key to your site's code. For example, Velo allows you to integrate 3rd-party services with your site, such as Stripe and SendGrid. Some 3rd-party services require an API key for authentication. The service provides you with the key, which you add to the code that calls their service.

API keys and other secrets are a sensitive resource, since they usually allow you to perform restricted operations. Never add secrets to your page, site, or public code, since anyone can access them. Backend code is secured, but you should still follow security best practices and store your secrets separately from the code. Here's why:

  • Code Sharing: You may want to collaborate and share your code with others or manage it in a public repository, increasing the potential for accidental leakage of secrets.
  • Code Reuse: Since code is often reused, your hardcoded secrets may be copied, increasing the risk of exposure.
  • Public Exposure: Hardcoded secrets are visible on your screen, exposing them to passersby.

Instead of hardcoding your secrets, you can use the Secrets Manager and the Velo Secrets API to safely work with secrets in your code.

How It Works

Follow this general procedure for working with API keys or other secrets using the Secrets Manager:

  1. Get private information such as an API key from a 3rd-party service.
  2. Store the private information as a new secret in the Secrets Manager. Assign a name to the secret.
  3. In your backend code, instead of hardcoding the API key, use the getSecret() function with the secret name assigned in the Secrets Manager. When the code runs, the value of the secret is extracted from the Secrets Manager.
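
The following check is an added example, not code from Velo or Wix: it scans source files for hardcoded Stripe and SendGrid keys and rates a hit in page, site or public code higher than one in backend code, while the file that follows step 3 with getSecret() passes clean. The backend/ and public/ folder layout, the file names, the secret name stripeSecretKey and the key values are constructed assumptions; the key prefixes are the services' published formats.

```javascript
// Flag hardcoded third-party keys in Velo source files (added example).
// Prefixes: Stripe secret keys (sk_live_/sk_test_) and SendGrid keys (SG.).
// File paths and key values used below are constructed for illustration.
const KEY_PATTERNS = [
  { service: 'Stripe', re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}/g },
  { service: 'SendGrid', re: /\bSG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}/g },
];

// Page, site and public code is readable by anyone; a key in backend code
// is still a finding because code gets shared and reused.
function exposure(path) {
  return path.startsWith('backend/') ? 'backend' : 'public';
}

function scanSources(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    source.split('\n').forEach((line, i) => {
      for (const { service, re } of KEY_PATTERNS) {
        for (const m of line.matchAll(re)) {
          findings.push({
            path, line: i + 1, service,
            severity: exposure(path) === 'public' ? 'critical' : 'high',
            // Report a redacted preview only, never the full key.
            preview: m[0].slice(0, 8) + '...',
          });
        }
      }
    });
  }
  return findings;
}

// Constructed sample files: two hardcode a key, one follows step 3.
const SAMPLE_FILES = {
  'public/checkout.js': "const key = 'sk_test_EXAMPLEKEY0000000000';",
  'backend/mail.jsw': "const SENDGRID = 'SG.EXAMPLEEXAMPLE0000.EXAMPLEEXAMPLE1111';",
  'backend/pay.jsw': [
    "import { getSecret } from 'wix-secrets-backend';",
    "export async function authHeader() {",
    "  const key = await getSecret('stripeSecretKey'); // hypothetical secret name",
    "  return { Authorization: `Bearer ${key}` };",
    "}",
  ].join('\n'),
};

console.log(scanSources(SAMPLE_FILES));
```

Any key the scan finds should be rotated at the provider before the new value is stored in the Secrets Manager, since the old value has already been exposed in code.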