Secrets
In this document, you will learn the basic concepts of Secrets and Secret Providers in API7 Gateway and why you may need them.
Explore additional resources at the end of the document for more information on related topics.
Overview
A secret object is a piece of sensitive information that must be protected from unauthorized access. A secret provider object configures the integration with an external secret manager (HashiCorp Vault, AWS Secrets Manager, etc.) so that API7 Gateway can connect to it and fetch secrets dynamically at runtime; the gateway configuration then holds only a reference to the secret rather than its value.
By storing secrets in a dedicated secret management service, you can:
- Reduce the risk of data breaches: Minimize the exposure of sensitive information within your API7 Gateway, since its configuration carries references instead of secret values.
- Simplify management: Centralize the storage and retrieval of secrets, streamlining configuration and maintenance; rotating a secret in the manager does not require editing gateway configuration.
- Enhance security: Leverage the access control, auditing, and other security features of external secret managers.
- Improve compliance: Meet industry regulations and best practices for data protection.
Use Cases
Secure Consumer Credentials
The following sensitive fields in consumer credentials can be stored in an external secret manager (HashiCorp Vault, AWS Secrets Manager, etc.) and referenced in API7 Gateway:
- key in Key Authentication credential
- password in Basic Authentication credential
- secret, public key in JWT Authentication credential
- secret key in HMAC Authentication credential
For a detailed tutorial, see Manage Consumer Credentials.
Secure Sensitive Fields in Plugin Configuration
Starting from version 3.9.11, secret references ($secret://, $env://) are resolved centrally and work with any plugin configuration field automatically. A $secret:// reference is fetched through a configured secret provider, while a $env:// reference reads a variable from the gateway process's environment. You can store any sensitive value in an external secret manager and reference it in any plugin configuration.
In versions prior to 3.9.11, only the following plugins had explicit secret reference support:
| Plugin | Field |
|---|---|
| Limit Count | redis_username, redis_password |
| Authz-Casdoor | client_id, client_secret |
| Wolf RBAC | appid |
| LDAP Authentication | user_dn |
For a worked example, see Apply Rate Limiting to APIs, which uses a secret reference in the plugin configuration.
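The reference resolution described above for both consumer credentials and plugin fields, as an added example that is not API7 Gateway's own code: a small Python resolver that walks a plugin or consumer configuration, replaces `$secret://` references through a provider registry and `$env://` references from the environment, and leaves every other value untouched. The in-memory `FAKE_VAULT_KV` store, the `SECRET_PROVIDERS` registry, the provider id `1`, and the sample `limit-count` and `key-auth` configurations are all constructed for this example, and the reference layout `$secret://<provider type>/<provider id>/<path>/<field>` is an assumption modelled on the documented syntax rather than something this page states.

```python
from __future__ import annotations

import os
import re
from typing import Any, Mapping

# Constructed stand-in for an external secret manager (Vault-style KV):
# secret path -> fields. None of this is real credential material.
FAKE_VAULT_KV: dict[str, dict[str, str]] = {
    "consumers/jack": {"auth-key": "jack-api-key-9f2c", "password": "hunter2"},
    "plugins/redis": {"username": "limiter", "password": "r3d1s-p@ss"},
}

# Hypothetical provider registry: provider type -> provider id -> lookup.
# In the gateway this would be built from the configured secret providers.
SECRET_PROVIDERS = {
    "vault": {"1": lambda path, field: FAKE_VAULT_KV[path][field]},
}

# Assumed reference layouts: $secret://<type>/<id>/<path>/<field> and $env://<NAME>
SECRET_REF = re.compile(
    r"^\$secret://(?P<kind>[^/]+)/(?P<id>[^/]+)/(?P<path>.+)/(?P<field>[^/]+)$"
)
ENV_REF = re.compile(r"^\$env://(?P<name>[A-Za-z_][A-Za-z0-9_]*)$")


def resolve_value(value: str, env: Mapping[str, str]) -> str:
    """Resolve one string value; anything that is not a reference passes through."""
    m = SECRET_REF.match(value)
    if m:
        lookup = SECRET_PROVIDERS.get(m["kind"], {}).get(m["id"])
        if lookup is None:
            raise KeyError(f"no secret provider {m['kind']}/{m['id']} is configured")
        return lookup(m["path"], m["field"])  # KeyError if the path/field is missing
    m = ENV_REF.match(value)
    if m:
        if m["name"] not in env:
            raise KeyError(f"environment variable {m['name']} is not set")
        return env[m["name"]]
    return value


def resolve_config(node: Any, env: Mapping[str, str] | None = None) -> Any:
    """Return a resolved copy of a nested config; the stored object is never mutated."""
    if env is None:
        env = os.environ
    if isinstance(node, dict):
        return {k: resolve_config(v, env) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_config(v, env) for v in node]
    if isinstance(node, str):
        return resolve_value(node, env)
    return node


def find_references(node: Any, prefix: str = "") -> list[tuple[str, str]]:
    """List (dotted path, reference) pairs, e.g. to audit which fields are externalised."""
    refs: list[tuple[str, str]] = []
    if isinstance(node, dict):
        for k, v in node.items():
            refs.extend(find_references(v, f"{prefix}.{k}" if prefix else str(k)))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            refs.extend(find_references(v, f"{prefix}[{i}]"))
    elif isinstance(node, str) and (SECRET_REF.match(node) or ENV_REF.match(node)):
        refs.append((prefix, node))
    return refs


# Constructed route plugin configuration: the Redis credentials for
# limit-count are references, so the stored config carries no plaintext.
ROUTE_PLUGINS = {
    "limit-count": {
        "count": 100,
        "time_window": 60,
        "policy": "redis",
        "redis_host": "redis.internal",
        "redis_username": "$secret://vault/1/plugins/redis/username",
        "redis_password": "$secret://vault/1/plugins/redis/password",
    },
    "key-auth": {},
}

# Constructed consumer whose key-auth credential lives in the secret manager.
CONSUMER = {
    "username": "jack",
    "plugins": {"key-auth": {"key": "$secret://vault/1/consumers/jack/auth-key"}},
}
```

Calling `resolve_config(ROUTE_PLUGINS, env={})` yields a copy with the Redis username and password filled in, while `ROUTE_PLUGINS` itself still contains only the reference strings; that separation is the property to check in your own setup, because it is what keeps a configuration dump or backup free of plaintext. `find_references` lists the externalised fields before a rollout, and a missing provider or unset environment variable fails loudly instead of silently passing the literal reference string to the plugin.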
Additional Resources
- Key Concepts
- API Security
- API Consumption