Skip to content

The Secrets module enables the use of secrets in flows. A secret is an object with encrypted property values. It can be created, edited and deleted in Cuesta or via the Secrets module.

Reveal a secret

A secret may be encrypted using one of 4 encryption mechanisms:

  1. Using a globally shared key built into Manatee and Kwanza. All Manatee instances can encrypt and decrypt these secrets.
  2. Using machine-only encryption. The same machine that did the encrypting is the only one that can decrypt again.
  3. Using user-only encryption. Only the user that encrypted the secret may decrypt it again.
  4. Using a password. The same password must be used to encrypt and decrypt the secret. It is up to you to distribute the password.

Once a secret is saved it will automatically be encrypted using of the schemes above. In Manatee you can then use (and decrypt) the secret:

js
// "mySecret" is the name or id of the secret
var s = Secrets.reveal("mySecret");
// if a password is stored in the secret we can now use it
new Field("**/password-input-field").input(s.password);

If you have used password-based encryption for your secret you need to supply the password in order to use it:

js
var s = Secrets.reveal("mySecret", "flsKg023j4e.a10?9");

Secrets saved on the global scope

Secrets left on in the global scope after a flow has been run will be automatically cleared from the scope, i.e. not available in next flow on same application unless revealed again here.

Creating or updating a secret

You can update the content of an existing secret using the keep method.

js
Secrets.keep("mySecret", {
  username: "some-user-name",
  password: "pas5w0rd",
  someOtherSecretProperty: "hello",
});

If no secret called “mySecret” exists it will be created as a “global” secret. You can also update/create “machine”, “user” and “shared secret” encrypted secrets.

js
// For the user that runs this flow
Secrets.keep("only-for-me", { ... }, { type: Secrets.User });
// For all users on the machine that runs this flow
Secrets.keep("only-for-this-machine", { ... }, { type: Secrets.Machine });
// For those who know the "key"
Secrets.keep("only-those-in-the-know", { ... }, { type: Secrets.SharedSecret, key: "aVerySecretPas5w0rd" });

Overwrite

Default behaviour when updating an existing secret is to “merge” the current contents with the new. You need to use the same password of course otherwise old properties will be encrypted with the old password and vice versa with the new. If you want to replace the old contents completely use the overwrite: true option:

js
// Replace the contents of "mySecret"
Secrets.keep("mySecret", { ... }, { overwrite: true });

Valid until

It is possible to indicate a time when the secret is no longer considered valid. It is not possible to use the secret after this time has passed.

js
Secrets.keep("mySecret", { ... }, { validUntil: new Date('December 17, 2025 03:24:00'); });

Delete a secret

To delete a secret you use the forget method:

js
Secrets.forget("mySecret");