Secrets Management
Secure storage for API keys, credentials, and sensitive configuration with Fernet encryption and namespace isolation
Why do anything?
ML pipelines need API keys for external services (OpenAI, cloud storage, webhooks). Hardcoding credentials creates security risks and makes rotation difficult.
Why now?
SOC 2 compliance requires encrypted credential storage with audit trails. Manual secret management doesn't scale across namespaces.
Why this feature?
Fernet-encrypted secret storage with namespace isolation. Supports API keys (mxp_sk_, ret_sk_ prefixes), OAuth tokens, and vault references. Full audit logging of access patterns.
How It Works
Secrets are encrypted at rest using Fernet symmetric encryption and stored in namespace-isolated MongoDB collections. Access is logged for compliance.
Encryption
Fernet symmetric encryption with organization-specific keys
Storage
Namespace-isolated MongoDB collection with encrypted payloads
Access Control
API key validation with namespace scope verification
Audit Logging
All secret access logged with timestamp, accessor, and action
Why This Approach
Fernet provides authenticated encryption (confidentiality + integrity). Namespace isolation prevents cross-tenant access. Audit logging enables compliance reporting.
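The flow described above, as an added example rather than the product's own code: it assumes the Python `cryptography` package, a hypothetical `SecretStore` class, and in-memory dicts standing in for the MongoDB collection and for organization key storage. Because a Fernet token carries no associated-data field, the namespace and name are bound inside the encrypted payload and checked again on read.

```python
import json
from datetime import datetime, timezone
from cryptography.fernet import Fernet, InvalidToken


class SecretStore:
    """Hypothetical in-memory stand-in for the encrypted, namespace-isolated store."""

    def __init__(self):
        self._org_keys = {}   # org_id -> Fernet key (assumption: a KMS holds these in practice)
        self._records = {}    # (namespace, name) -> Fernet token
        self.audit_log = []   # one entry per access: timestamp, accessor, action

    def _fernet(self, org_id):
        # Organization-specific key, generated on first use.
        if org_id not in self._org_keys:
            self._org_keys[org_id] = Fernet.generate_key()
        return Fernet(self._org_keys[org_id])

    def _audit(self, accessor, action, namespace, name, ok):
        self.audit_log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "accessor": accessor, "action": action,
            "namespace": namespace, "name": name, "ok": ok,
        })

    def create(self, org_id, namespace, name, value, accessor):
        # Namespace and name go inside the authenticated plaintext so a token
        # copied to another namespace is rejected on read.
        payload = json.dumps({"ns": namespace, "name": name, "value": value})
        token = self._fernet(org_id).encrypt(payload.encode())
        self._records[(namespace, name)] = token
        self._audit(accessor, "create", namespace, name, True)

    def read(self, org_id, namespace, name, accessor):
        token = self._records.get((namespace, name))
        value = None
        try:
            if token is not None:
                data = json.loads(self._fernet(org_id).decrypt(token))
                if data["ns"] == namespace and data["name"] == name:
                    value = data["value"]
        except InvalidToken:
            pass  # wrong organization key, or ciphertext was modified
        # Failed reads are logged too, so denied access shows up in reports.
        self._audit(accessor, "read", namespace, name, value is not None)
        return value
```

Failed reads return `None` and still produce an audit entry with `ok` set to false, which is the record a compliance report would look for.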
Integration
client.secrets.create(name="openai_key", value="sk-...", type="api_key")
