You can now manage your application secrets programmatically via a public REST API. The API is availalable on all pricing tiers for both Phase Cloud and Phase Self-hosted users, and allows you to create, fetch, update and delete secrets.
Automate Secret Management workflows
We've designed the Phase API to be simple and flexible to accomodate a wide spectrum of use cases. The API is organized around REST, and uses standard HTTP methods to perform actions like creating, reading, updating, and deleting secrets.
You can fetch secrets from a specific env, and optionally filter by a path or specify a single key:
curl -G https://api.phase.dev/v1/secrets \
-H "Authorization: Bearer {token}" \
-d app_id=72b9ddd5-8fce-49ab-89d9-c431d53a9552 \
-d env=development \
-d path=/backend \
-d key=DEBUG
The API response is in JSON format, and includes each secret's key, value, comment (if any), tags, personal overrides, resolved secret references as well as metadata:
[
{
"id": "36fc2244-47f5-4ff4-8b72-deed1bf876da",
"key": "DEBUG",
"value": "False",
"comment": "Debug mode for the backend app",
"tags": ["config"],
"override": {
"id": "904a64c7-95df-470f-aa58-6beaa55dea3c",
"value": "True",
"isActive": true,
"createdAt": "2024-04-11T15:03:02.029689Z",
"updatedAt": "2024-04-11T15:03:02.032630Z"
},
"path": "/backend",
"keyDigest": "2bba3630bec4829f3f98b9fd7548e4f782df43a24ba5d94c2dd80e1fe618c65e",
"version": 2,
"createdAt": "2024-02-13T13:41:45.551255Z",
"updatedAt": "2024-02-14T07:44:10.926591Z",
"environment": "af6b7a8e-c268-48c2-967c-032e86e26110",
}
]
You can similarly create, edit and delete secrets via the standard HTTP POST, PUT and DELETE methods respectively.
Here's an example of how you might create a new secret with a POST:
curl --location 'https://api.phase.dev/v1/secrets/?app_id=72b9ddd5-8fce-49ab-89d9-c431d53a9552&env=development' \
--header 'Authorization: Bearer {token}' \
--header 'Content-Type: application/json' \
--data '{
"secrets": [
{
"key": "DB_NAME",
"value": "postgres",
"comment": "primary db name",
"tags": ["db"],
"path": "/backend"
}
]
}'
The API responds with status 200 and a message if the secret is created successfully:
{
"message": "Created 1 secret"
}
Check out the Secrets API docs to learn more about the Secret model and available methods and request types.
Phase Cloud users can access the api at https://api.phase.dev, and users self-hosting Phase can access it at {CONSOLE_HOST}/service/public.
Authentication
The API is authenticated via a standard bearer Authorization token. You can create Service Tokens with a granualar scope for automating workflows around specific environments, or use Personal Access Tokens to interact with the API as yourself. Tokens can be created from the Console:
Check out the API authentication docs for details on how to create and use authentication tokens.
App encryption modes
The API accepts and returns key/value pairs in plaintext, so you'll need enable server-side encryption (SSE) for any apps you wish to use it with. The Console has only leveraged SSE for automated syncing of secrets with third-party services thus far, but we have extended the SSE architecture to facilitate secret CRUD in plaintext.
There's an all-new section in the App Settings tab to manage the Encryption mode and opt-in to SSE.
UI Updates
This release also includes several UI improvements to the Console, including a more streamlined general look, better light theme, and miscellaneous updates to various pages and components.
The Phase public REST API as well as all the new updates to the Console are now live on Phase Cloud and available in v2.20.1.
Reach out to us on Slack, GitHub or X for any questions or feedback on this release!