The Secrets API contains functionality for managing secrets on a site. Secrets managed by this API are available in the Secrets Manager section of a site's dashboard. You can securely store API keys and other secrets on a site. Each secret's value is encrypted and assigned a name of your choice and an ID. You can then use the name or ID to refer to the secret in your backend code rather than hardcoding its value.
Learn more about the Secrets Manager.
With the Secrets API, you can safely:
It's important to note the following:
This article presents possible use cases and corresponding sample flows that your app can support. It provides a useful starting point as you plan your app's implementation.
This use case demonstrates how you can store an API key from a weather service (for example, https://openweathermap.org/), and then use it to fetch the weather information to display on a site.
To get the weather data:
Call Create Secret to store the API key you received after signing up on the OpenWeather site.
Call Get Secret Value, assign the returned value to a variable, and make an OpenWeather API call. For example:
https://api.openweathermap.org/data/2.5/weather?q=London&units=metric&APPID={WEATHER_KEY}
Extract the required values from the returned JSON object and display them on a site.
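The flow above as an added JavaScript example (not code from this page or from Wix). It assumes the key was stored under the hypothetical secret name WEATHER_KEY and takes an injectable fetchImpl so the flow can be exercised offline; the response fields read at the end are OpenWeather's current-weather fields.

```javascript
// Added example, not Wix code. Endpoint and query parameters are the ones shown
// on this page; the secret name and the injectable fetchImpl are assumptions.
const SECRETS_URL =
  'https://www.wixapis.com/_api/cloud-secrets-vault-server/api/v1/secrets';
const WEATHER_URL = 'https://api.openweathermap.org/data/2.5/weather';

async function getSecretValue(name, authToken, fetchImpl) {
  const res = await fetchImpl(`${SECRETS_URL}/name/${encodeURIComponent(name)}`, {
    method: 'GET',
    headers: { Authorization: authToken },
  });
  if (!res.ok) throw new Error(`Get Secret Value failed: HTTP ${res.status}`);
  const { value } = await res.json();
  if (typeof value !== 'string' || value === '') {
    throw new Error(`secret "${name}" has no value`);
  }
  return value;
}

async function getWeather(city, authToken, fetchImpl = globalThis.fetch) {
  const key = await getSecretValue('WEATHER_KEY', authToken, fetchImpl);
  // URLSearchParams encodes the city and the key, so neither can alter the query.
  const query = new URLSearchParams({ q: city, units: 'metric', APPID: key });
  let res;
  try {
    res = await fetchImpl(`${WEATHER_URL}?${query}`);
  } catch (_err) {
    // The key is part of the URL: do not log the URL or rethrow an error
    // object that may contain it.
    throw new Error('OpenWeather request failed');
  }
  if (!res.ok) throw new Error(`OpenWeather returned HTTP ${res.status}`);
  const body = await res.json();
  // Hand the page only the fields it displays, never the key or the URL.
  return {
    city: body.name,
    tempC: body.main.temp,
    summary: body.weather[0].description,
  };
}
```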
Secret ID.
A unique, human-friendly name for the secret. Use it to retrieve the secret value easily with the Get Secret Value endpoint.
Note: You can use alphanumeric characters and the following special characters: _+=-@#$. Spaces are not supported.
An optional text describing the secret's purpose or any other notes about it.
The encrypted confidential value.
Date and time when the secret was created.
Date and time when the secret was updated.
{
"secret": {
"id": "a560ff70-3e9b-41b6-b66d-cf3434085f7d",
"name": "secret_key",
"description": "AWS secret access key",
"value": "Fm8OfflH6bJOwWjenqAtLurLbkiMNvmhQHZV+118"
}
}
Retrieves a secret value by name.
You can only call this method when authenticated as a Wix app or Wix user identity.
Secret name.
The plaintext, unencrypted value of the secret.
curl -X GET 'https://www.wixapis.com/_api/cloud-secrets-vault-server/api/v1/secrets/name/secret_key' \
-H 'Content-Type: application/json' \
-H 'Authorization: <AUTH TOKEN>'
{
"value": "Fm8OfflH6bJOwWjenqAtLurLbkiMNvmhQHZV+118"
}
Retrieves a list of secrets.
Note: This endpoint doesn't return the secret's value for security reasons. To retrieve the value, call Get Secret Value.
You can only call this method when authenticated as a Wix app or Wix user identity.
A list of secrets with encrypted values.
curl -X GET 'https://www.wixapis.com/_api/cloud-secrets-vault-server/api/v1/secrets' \
-H 'Content-Type: application/json' \
-H 'Authorization: <AUTH TOKEN>'
{
"secrets": [
{
"id": "a560ff70-3e9b-41b6-b66d-cf3434085f7d",
"name": "secret_key",
"description": "AWS secret access key",
"createdDate": "2024-09-12T12:32:15.000Z",
"updatedDate": "2024-09-12T12:32:15.000Z"
}
]
}
Creates a secret.
You can only call this method when authenticated as a Wix app or Wix user identity.
Details of a secret.
Secret ID.
curl -X POST 'https://www.wixapis.com/_api/cloud-secrets-vault-server/api/v1/secrets' \
-H 'Content-Type: application/json' \
-H 'Authorization: <AUTH TOKEN>' \
-d '{
"secret": {
"name": "secret_key",
"description": "AWS secret access key",
"value": "Fm8OfflH6bJOwWjenqAtLurLbkiMNvmhQHZV+118"
}
}'
{
"id": "a560ff70-3e9b-41b6-b66d-cf3434085f7d"
}
Deletes a secret.
You can only call this method when authenticated as a Wix app or Wix user identity.
ID of the secret to delete.
curl -X DELETE 'https://www.wixapis.com/_api/cloud-secrets-vault-server/api/v1/secrets/a560ff70-3e9b-41b6-b66d-cf3434085f7d' \
-H 'Content-Type: application/json' \
-H 'Authorization: <AUTH TOKEN>'
{}
Updates one or all fields of a secret.
To get the secret ID, call List Secret Info.
You can only call this method when authenticated as a Wix app or Wix user identity.
ID of the secret to update.
Details of a secret.
curl -X PATCH 'https://www.wixapis.com/_api/cloud-secrets-vault-server/api/v1/secrets/a560ff70-3e9b-41b6-b66d-cf3434085f7d' \
-H 'Content-Type: application/json' \
-H 'Authorization: <AUTH TOKEN>' \
-d '{
"secret": {
"name": "updated_secret_key",
"description": "AWS secret access key",
"value": "44aSQCljxL9FLvTVA.9dKbpwueYoQ8isyQhvun19pOT9gHEdgxam39LJ0Ts70"
}
}'
{}
Triggered when a secret is created.
Unique event ID. Allows clients to ignore duplicate webhooks.
Fully qualified domain name of the entity associated with the event. Expected wix.velo.secrets_vault.v1.secret.
Event name. Expected created.
ID of the entity associated with the event.
Event timestamp.
Whether the event was triggered as a result of a privacy regulation application (for example, GDPR).
If present, indicates the action that triggered the event.
Event information.
The data payload will include the following as an encoded JWT:
{
"data": {
"eventType": "wix.velo.secrets_vault.v1.secret_created",
"instanceId": "<app-instance-id>",
"data": "<stringified-JSON>",
// The identity field is sent as a stringified JSON
"identity": {
"identityType": "<identityType>", // ANONYMOUS_VISITOR, MEMBER, WIX_USER, APP
"anonymousVisitorId": "<anonymousVisitorId>", // in case of ANONYMOUS_VISITOR
"memberId": "<memberId>", // in case of MEMBER
"wixUserId": "<wixUserId>", // in case of WIX_USER
"appId": "<appId>" // in case of APP
}
}
}
{
"id": "9aca3895-8c58-48b7-84a5-35bcd431c125",
"entityFqdn": "wix.velo.secrets_vault.v1.secret",
"slug": "created",
"entityId": "aaf51c30-a61c-473e-96be-a42dfa5064c0",
"createdEvent": {
"entity": {
"id": "a560ff70-3e9b-41b6-b66d-cf3434085f7d",
"name": "secret_key",
"description": "AWS secret access key",
"value": "Fm8OfflH6bJOwWjenqAtLurLbkiMNvmhQHZV+118"
}
},
"eventTime": "2023-05-25T11:39:26.278160Z",
"triggeredByAnonymizeRequest": false,
"entityEventSequence": "1"
}
Triggered when a secret is deleted.
Unique event ID. Allows clients to ignore duplicate webhooks.
Fully qualified domain name of the entity associated with the event. Expected wix.velo.secrets_vault.v1.secret.
Event name. Expected deleted.
ID of the entity associated with the event.
Event timestamp.
Whether the event was triggered as a result of a privacy regulation application (for example, GDPR).
If present, indicates the action that triggered the event.
Event information.
The data payload will include the following as an encoded JWT:
{
"data": {
"eventType": "wix.velo.secrets_vault.v1.secret_deleted",
"instanceId": "<app-instance-id>",
"data": "<stringified-JSON>",
// The identity field is sent as a stringified JSON
"identity": {
"identityType": "<identityType>", // ANONYMOUS_VISITOR, MEMBER, WIX_USER, APP
"anonymousVisitorId": "<anonymousVisitorId>", // in case of ANONYMOUS_VISITOR
"memberId": "<memberId>", // in case of MEMBER
"wixUserId": "<wixUserId>", // in case of WIX_USER
"appId": "<appId>" // in case of APP
}
}
}
{
"id": "9aca3895-8c58-48b7-84a5-35bcd431c125",
"entityFqdn": "wix.velo.secrets_vault.v1.secret",
"slug": "deleted",
"entityId": "aaf51c30-a61c-473e-96be-a42dfa5064c0",
"deletedEvent": {},
"eventTime": "2023-05-25T11:39:26.278160Z",
"triggeredByAnonymizeRequest": false,
"entityEventSequence": "1"
}
Triggered when a secret is updated.
Unique event ID. Allows clients to ignore duplicate webhooks.
Fully qualified domain name of the entity associated with the event. Expected wix.velo.secrets_vault.v1.secret.
Event name. Expected updated.
ID of the entity associated with the event.
Event timestamp.
Whether the event was triggered as a result of a privacy regulation application (for example, GDPR).
If present, indicates the action that triggered the event.
Event information.
The data payload will include the following as an encoded JWT:
{
"data": {
"eventType": "wix.velo.secrets_vault.v1.secret_updated",
"instanceId": "<app-instance-id>",
"data": "<stringified-JSON>",
// The identity field is sent as a stringified JSON
"identity": {
"identityType": "<identityType>", // ANONYMOUS_VISITOR, MEMBER, WIX_USER, APP
"anonymousVisitorId": "<anonymousVisitorId>", // in case of ANONYMOUS_VISITOR
"memberId": "<memberId>", // in case of MEMBER
"wixUserId": "<wixUserId>", // in case of WIX_USER
"appId": "<appId>" // in case of APP
}
}
}
{
"id": "9aca3895-8c58-48b7-84a5-35bcd431c125",
"entityFqdn": "wix.velo.secrets_vault.v1.secret",
"slug": "updated",
"entityId": "aaf51c30-a61c-473e-96be-a42dfa5064c0",
"updatedEvent": {
"entity": {
"id": "a560ff70-3e9b-41b6-b66d-cf3434085f7d",
"name": "updated_secret_key",
"description": "AWS secret access key",
"value": "44aSQCljxL9FLvTVA.9dKbpwueYoQ8isyQhvun19pOT9gHEdgxam39LJ0Ts70"
}
},
"eventTime": "2023-05-25T11:39:26.278160Z",
"triggeredByAnonymizeRequest": false,
"entityEventSequence": "1"
}
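One way to consume the created, updated and deleted events described above, as an added JavaScript example (not code from this page or from Wix). It assumes the JWT signature has already been verified and the payload decoded into the shape shown; handleSecretWebhook and the in-memory Set of seen event IDs are hypothetical names. It checks the expected entity FQDN and slug, ignores duplicates by event ID, and drops the secret's value, which the created and updated samples carry, before anything is returned for logging.

```javascript
// Added example, not Wix code. Input: the verified, decoded JWT payload.
const ENTITY_FQDN = 'wix.velo.secrets_vault.v1.secret';
const SLUGS = new Set(['created', 'updated', 'deleted']);
const seenEventIds = new Set(); // assumption: replace with a shared store

function parseIfString(v) {
  return typeof v === 'string' ? JSON.parse(v) : v;
}

function handleSecretWebhook(jwtPayload, seen = seenEventIds) {
  const outer = jwtPayload && jwtPayload.data;
  if (!outer || typeof outer.data !== 'string') {
    return { status: 'rejected', reason: 'malformed payload' };
  }
  let event, identity;
  try {
    event = JSON.parse(outer.data);          // "data" is stringified JSON
    identity = parseIfString(outer.identity); // so is "identity"
  } catch {
    return { status: 'rejected', reason: 'invalid JSON' };
  }
  if (!event || typeof event !== 'object' || typeof event.id !== 'string') {
    return { status: 'rejected', reason: 'malformed event' };
  }
  if (event.entityFqdn !== ENTITY_FQDN || !SLUGS.has(event.slug)) {
    return { status: 'rejected', reason: 'unexpected entity or slug' };
  }
  // In the samples above, eventType is the entity FQDN, "_", then the slug.
  if (outer.eventType !== `${ENTITY_FQDN}_${event.slug}`) {
    return { status: 'rejected', reason: 'eventType mismatch' };
  }
  // The event ID lets clients ignore duplicate webhooks.
  if (seen.has(event.id)) return { status: 'duplicate', id: event.id };
  seen.add(event.id);

  // Keep the entity's metadata only; the plaintext value is never returned.
  const entity = (event[`${event.slug}Event`] || {}).entity || {};
  const { value, ...metadata } = entity;
  return {
    status: 'accepted',
    id: event.id,
    slug: event.slug,
    eventTime: event.eventTime,
    actor: identity ? identity.identityType : undefined,
    secret: { ...metadata, valueRedacted: value !== undefined },
  };
}
```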