Monday, April 15, 2024
console api


You can now manage your application secrets programmatically via a public REST API. The API is availalable on all pricing tiers for both Phase Cloud and Phase Self-hosted users, and allows you to create, fetch, update and delete secrets.

Automate Secret Management workflows

We've designed the Phase API to be simple and flexible to accomodate a wide spectrum of use cases. The API is organized around REST, and uses standard HTTP methods to perform actions like creating, reading, updating, and deleting secrets.

You can fetch secrets from a specific env, and optionally filter by a path or specify a single key:

curl -G \
  -H "Authorization: Bearer {token}" \
  -d app_id=72b9ddd5-8fce-49ab-89d9-c431d53a9552 \
  -d env=development \
  -d path=/backend \
  -d key=DEBUG

The API response is in JSON format, and includes each secret's key, value, comment (if any), tags, personal overrides, resolved secret references as well as metadata:

        "id": "36fc2244-47f5-4ff4-8b72-deed1bf876da",
        "key": "DEBUG",
        "value": "False",
        "comment": "Debug mode for the backend app",
        "tags": ["config"],
        "override": {
            "id": "904a64c7-95df-470f-aa58-6beaa55dea3c",
            "value": "True",
            "isActive": true,
            "createdAt": "2024-04-11T15:03:02.029689Z",
            "updatedAt": "2024-04-11T15:03:02.032630Z"
        "path": "/backend",
        "keyDigest": "2bba3630bec4829f3f98b9fd7548e4f782df43a24ba5d94c2dd80e1fe618c65e",
        "version": 2,
        "createdAt": "2024-02-13T13:41:45.551255Z",
        "updatedAt": "2024-02-14T07:44:10.926591Z",
        "environment": "af6b7a8e-c268-48c2-967c-032e86e26110",

You can similarly create, edit and delete secrets via the standard HTTP POST, PUT and DELETE methods respectively.

Here's an example of how you might create a new secret with a POST:

curl --location '' \
--header 'Authorization: Bearer {token}' \
--header 'Content-Type: application/json' \
--data '{
    "secrets": [
            "key": "DB_NAME",
            "value": "postgres",
            "comment": "primary db name",
            "tags": ["db"],
            "path": "/backend"

The API responds with status 200 and a message if the secret is created successfully:

    "message": "Created 1 secret"

Check out the Secrets API docs to learn more about the Secret model and available methods and request types.

Phase Cloud users can access the api at, and users self-hosting Phase can access it at {CONSOLE_HOST}/service/public.


The API is authenticated via a standard bearer Authorization token. You can create Service Tokens with a granualar scope for automating workflows around specific environments, or use Personal Access Tokens to interact with the API as yourself. Tokens can be created from the Console:

create token

Check out the API authentication docs for details on how to create and use authentication tokens.

App encryption modes

The API accepts and returns key/value pairs in plaintext, so you'll need enable server-side encryption (SSE) for any apps you wish to use it with. The Console has only leveraged SSE for automated syncing of secrets with third-party services thus far, but we have extended the SSE architecture to facilitate secret CRUD in plaintext.

There's an all-new section in the App Settings tab to manage the Encryption mode and opt-in to SSE.

app settings

UI Updates

This release also includes several UI improvements to the Console, including a more streamlined general look, better light theme, and miscellaneous updates to various pages and components.

updated console ui

The Phase public REST API as well as all the new updates to the Console are now live on Phase Cloud and available in v2.20.1.

Reach out to us on Slack, GitHub or X for any questions or feedback on this release!


The fastest and easiest way to get started with Phase. Spin up an app in minutes. Hosted in Frankfurt 🇩🇪


Run Phase on your own infrastructure and maintain full control. Perfect for customers with strict compliance requirements.