agentrouter.secret.v1.SecretService

SecretService provides secure key management for LLM provider keys, BYOK (Bring Your Own Key) scenarios, and other sensitive configuration.

Security model:

• All secrets are encrypted at rest using envelope encryption (KEK + DEK)
• KEK (Key Encryption Key) is stored in external KMS (GCP Secret Manager or local file)
• DEK (Data Encryption Key) is generated per secret and encrypted with KEK
• Secrets are scoped to user_id and realm for multi-tenancy

📄️Introduction

📄️ListSecrets

ListSecrets lists all secrets for the authenticated user.

📄️CreateSecret

CreateSecret creates or updates a secret.

📄️GetSecret

GetSecret retrieves a secret by name.

📄️DeleteSecret

DeleteSecret deletes a secret by name.

📄️RotateSecret

RotateSecret rotates a secret by creating a new version.

📄️ValidateSecret

ValidateSecret validates that a secret can be decrypted.

📄️GetSecretValue

GetSecretValue retrieves the plaintext value of a secret.