Skip to main content

Version: 3.9.0


In this document, you will learn the basic concept of secrets in APISIX and why you may need them.

Explore additional resources at the end of the document for more information on related topics.


In APISIX, a secret object is used to set up integration with an external secret manager, so that APISIX can establish connections and fetch secrets from the secret manager dynamically at runtime.

The following diagram illustrates the concept of a secret object using an example, where key authentication is enabled for a user, John Doe, and user credentials are stored in an HashiCorp Vault server:

secrets diagram example when using Vault as the external secret manager to store key for key authentication

As demonstrated, when APISIX is used in conjunction with an external secret manager, the field for secret is defined as a variable starting with a fixed prefix $secret://, appended with the name of the secret manager, APISIX secret object ID, username, and other details.

Specifically, if Vault is used as the secret manager, the APISIX secret object should specify:

  • uri: location where Vault server is hosted
  • prefix: path prefix corresponding to a secret engine that Vault should route traffic to
  • token: token for APISIX to authenticate to Vault and establish connection

These configurations ensure that John Doe can send requests to APISIX and access the back-end service with the correct key. Requests from unauthenticated users are rejected by APISIX.

For more details on the secret configurations, please refer to the Admin API.

Additional Resource(s) Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.


API7 Cloud

SOC2 Type IRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation