# Secret

URL: https://developers.cloud66.com/v3/models/secret/

Represents a secure configuration value used for sensitive application data such as API keys, database passwords, and authentication tokens. Secrets can be defined at either the stack level or inherited from the account level.

<Model>
<ModelProperty name="key" type="string">
The secret key name used to reference this secret in configurations and applications.
</ModelProperty>

<ModelProperty name="value" type="string">
The secret value in the encrypted form in which it is stored. Use `raw_value` only where the decrypted value is actually required.
</ModelProperty>

<ModelProperty name="raw_value" type="string">
The decrypted secret value. Handle with extreme care as this contains the actual sensitive data.
</ModelProperty>

<ModelProperty name="inherited" type="boolean">
Whether this secret is inherited from the account level (true) or defined at the stack level (false).
</ModelProperty>

<ModelProperty name="created_at_iso" type="string">
ISO 8601 formatted timestamp when the secret was created.
</ModelProperty>

<ModelProperty name="updated_at_iso" type="string">
ISO 8601 formatted timestamp when the secret was last updated.
</ModelProperty>
</Model>

## Secret Inheritance

Secrets can be configured at two levels:

### Account-Level Secrets
- **Global scope** - Available to all stacks within the account
- **Centralized management** - Manage common secrets in one place
- **Inherited flag** - Marked with `inherited: true`
- **Examples** - Third-party API keys, organization-wide credentials

### Stack-Level Secrets
- **Stack-specific** - Only available to the specific stack
- **Local overrides** - Can override inherited secrets with stack-specific values
- **Inherited flag** - Marked with `inherited: false`
- **Examples** - Database credentials, environment-specific tokens

## Security Considerations

<Callout type="warning" title="Raw Value Security">
The `raw_value` field contains the actual decrypted secret value. Exercise extreme caution when accessing this field and ensure proper access controls and audit logging are in place.
</Callout>
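The two points above, inheritance with stack-level overrides and keeping `raw_value` out of logs, as an added example that is not Cloud66 code. It assumes records in the JSON shape documented on this page; the sample secrets are constructed.

```python
"""Added example (not Cloud66 code): merge account-level and stack-level secrets
and render a record for audit logging without exposing raw_value."""
from typing import Dict, Iterable

# Constructed sample records in the documented Secret shape.
ACCOUNT_SECRETS = [
    {"key": "STRIPE_API_KEY", "value": "encrypted:AES256:acct1==",
     "raw_value": "sk_live_example_account", "inherited": True,
     "created_at_iso": "2024-01-01T00:00:00Z", "updated_at_iso": "2024-01-01T00:00:00Z"},
    {"key": "DATABASE_PASSWORD", "value": "encrypted:AES256:acct2==",
     "raw_value": "shared-default-password", "inherited": True,
     "created_at_iso": "2024-01-01T00:00:00Z", "updated_at_iso": "2024-01-01T00:00:00Z"},
]
STACK_SECRETS = [
    {"key": "DATABASE_PASSWORD", "value": "encrypted:AES256:stack1==",
     "raw_value": "mySecretPassword123!", "inherited": False,
     "created_at_iso": "2024-01-15T10:30:00Z", "updated_at_iso": "2024-02-10T14:25:00Z"},
]


def effective_secrets(account: Iterable[dict], stack: Iterable[dict]) -> Dict[str, dict]:
    """Return the secrets a stack actually sees, keyed by secret key.

    A stack-level record overrides an inherited record with the same key
    (the 'local overrides' behaviour). A record whose `inherited` flag
    disagrees with the list it came from is rejected instead of trusted.
    """
    merged: Dict[str, dict] = {}
    for s in account:
        if not s["inherited"]:
            raise ValueError(f"account-level secret {s['key']!r} must have inherited=true")
        merged[s["key"]] = s
    for s in stack:
        if s["inherited"]:
            raise ValueError(f"stack-level secret {s['key']!r} must have inherited=false")
        merged[s["key"]] = s  # stack-level definition wins
    return merged


def for_audit_log(secret: dict) -> dict:
    """Build a copy safe to write to logs: raw_value is replaced by a marker
    and the stored ciphertext is omitted, so only metadata leaves the process."""
    return {
        "key": secret["key"],
        "inherited": secret["inherited"],
        "updated_at_iso": secret["updated_at_iso"],
        "raw_value": "[REDACTED]",
    }
```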

### Encryption
- **At rest** - All secret values are encrypted when stored
- **In transit** - Secrets are transmitted over encrypted connections
- **Access control** - Limited to authorized users and applications
- **Audit logging** - Secret access and modifications are logged

## Use Cases

- **Database credentials** - Connection strings and passwords
- **API authentication** - Third-party service API keys and tokens
- **Certificate keys** - Private keys for SSL/TLS certificates
- **Encryption keys** - Application-level encryption keys
- **Service credentials** - Authentication for external services

## Best Practices

- **Minimal permissions** - Grant access only to users and applications that need it
- **Regular rotation** - Regularly update secret values, especially for critical systems
- **Environment separation** - Use different secrets for development, staging, and production
- **Secret scanning** - Monitor for accidental secret exposure in code or logs

**Related models:** Stack, User

## Example

```json
{
  "key": "DATABASE_PASSWORD",
  "value": "encrypted:AES256:base64encodedencryptedvalue==",
  "raw_value": "mySecretPassword123!",
  "inherited": false,
  "created_at_iso": "2024-01-15T10:30:00Z",
  "updated_at_iso": "2024-02-10T14:25:00Z"
}
```
