---
title: Secret store
summary: >-
  A secret store is a persistent, globally distributed store for secrets
  accessible to Compute services during request processing. <a
  href="https://www.fastly.com/documentation/guides/concepts/edge-state/dynamic-config">Learn
  more about secret stores</a>.
url: >-
  https://www.fastly.com/documentation/reference/api/services/resources/secret-store
---

A secret store is a persistent, globally distributed store for secrets accessible to Compute services during request processing. [Learn more about secret stores](https://www.fastly.com/documentation/guides/concepts/edge-state/dynamic-config).

Secrets written to a secret store are encrypted in transit and at rest.
Secret store entries are write-only and plaintext secret values cannot be retrieved via the API.
The plaintext values are only available to Compute services during their request processing.

## Data model: secret store

| Field | Type | Description |
|-------|------|-------------|
| `name` | string | A human-readable name for the store. The value must contain only letters, numbers, dashes (`-`), underscores (`_`), or periods (`.`). |
| `created_at` | string | Date and time in ISO 8601 format. (Read-only) |
| `id` | string | ID of the store. |

## Data model: client key

| Field | Type | Description |
|-------|------|-------------|
| `client_key` | string | A Base64-encoded X25519 public key that can be used with a [libsodium-compatible sealed box](https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) to encrypt secrets before upload. |
| `expires_at` | string | Date and time in ISO 8601 format. (Read-only) |
| `signature` | string | A Base64-encoded signature of the client key. The signature is generated using the signing key and must be verified before using the client key. |

## Data model: signing key

| Field | Type | Description |
|-------|------|-------------|
| `signing_key` | string | A Base64-encoded Ed25519 public key that can be used to verify signatures of client keys. |
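
The check that the `signature` field requires, as an added Go example (not Fastly's own code): it validates a client key against the signing key and `expires_at` before the key is used for a sealed box. It assumes the signature covers the raw decoded client key bytes, standard Base64, and RFC 3339 timestamps; `VerifiedClientKey`, `SampleKeys` and the locally generated sample keys are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"time"
)

type ClientKey struct{ ClientKey, Signature, ExpiresAt string } // client key fields, as returned

// decode returns the Base64-decoded value, or nil if it is malformed or the wrong length.
func decode(s string, size int) []byte {
	if raw, err := base64.StdEncoding.DecodeString(s); err == nil && len(raw) == size {
		return raw
	}
	return nil
}

// VerifiedClientKey returns the raw X25519 key only if signature and expiry check out.
func VerifiedClientKey(ck ClientKey, signingKeyB64 string, now time.Time) ([]byte, error) {
	signingKey := decode(signingKeyB64, ed25519.PublicKeySize)
	pub, sig := decode(ck.ClientKey, 32), decode(ck.Signature, ed25519.SignatureSize)
	if signingKey == nil || pub == nil || sig == nil {
		return nil, fmt.Errorf("malformed signing key, client key or signature")
	}
	if !ed25519.Verify(signingKey, pub, sig) { // assumption: signature covers the decoded key bytes
		return nil, fmt.Errorf("client key signature does not verify")
	}
	exp, err := time.Parse(time.RFC3339, ck.ExpiresAt)
	if err != nil || !now.Before(exp) {
		return nil, fmt.Errorf("client key expired or expires_at unparseable")
	}
	return pub, nil // only now pass the key to a sealed-box implementation
}

// SampleKeys builds constructed sample data (locally generated, not real API output).
func SampleKeys(expires time.Time) (ClientKey, string) {
	signPub, signPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub := make([]byte, 32)
	rand.Read(clientPub)
	b64 := base64.StdEncoding.EncodeToString
	return ClientKey{b64(clientPub), b64(ed25519.Sign(signPriv, clientPub)), expires.Format(time.RFC3339)}, b64(signPub)
}

func main() {
	ck, signingKey := SampleKeys(time.Now().Add(time.Hour))
	fmt.Println(VerifiedClientKey(ck, signingKey, time.Now()))
}
```

Fetch the signing key over an authenticated channel and pin it where possible, since a signing key taken from the same untrusted response as the client key proves nothing.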

## API endpoints

### Get all secret stores

**GET** `/resources/stores/secret`

Get all secret stores.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `cursor` | string | query | No | Cursor value from the `next_cursor` field of a previous response, used to retrieve the next page. To request the first page, this should be empty. |
| `limit` | string | query | No | Number of results per page. The maximum is 200. |
| `name` | string | query | No | Returns a one-element array containing the details for the named secret store. |

### Create new secret store

**POST** `/resources/stores/secret`

Create a new secret store.

### Get secret store by ID

**GET** `/resources/stores/secret/{store_id}`

Get a secret store by ID.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `store_id` | string | path | Yes | UUID of the store. |

### Delete secret store

**DELETE** `/resources/stores/secret/{store_id}`

Delete a secret store and all of its contents.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `store_id` | string | path | Yes | UUID of the store. |

### Create new client key

**POST** `/resources/stores/secret/client-key`

Create a new client key for encrypting secrets locally before uploading.

### Get public key

**GET** `/resources/stores/secret/signing-key`

Get the public key used for signing client keys.
