Secrets Management
Secure handling of environment variables, API keys, encryption keys, and credentials with validation, rotation, and runtime loading patterns.
What's Included
- Environment variable validation at startup using Zod with typed access
- Runtime secret loading with pluggable stores (env, AWS Secrets Manager)
- AES-256-GCM encryption and decryption for stored secrets
- API key generation with SHA-256 hashing (never store keys in plaintext)
- Secure token, OTP, and short code generation using crypto.randomBytes
- Secret rotation workflow for re-encrypting data with new keys
Usage
Via CLI
Via AI Assistant
Ask your AI assistant:
- "Use the secrets management pattern from Bootspring"
- "Apply the Bootspring secrets pattern to my project"
Key Considerations
- Never commit secrets to version control; use .env.local and .gitignore
- Validate all environment variables at startup to fail fast on misconfiguration
- Hash API keys with SHA-256 before storage and compare hashes with a constant-time comparison; return the full key only once, at creation time. Plain SHA-256 is adequate here only because the key comes from crypto.randomBytes with enough entropy to be unguessable; it is not a substitute for a password hash on user-chosen secrets
- Use identifiable prefixes for different key types (sk_, pk_, re_) to aid debugging
- Implement key rotation procedures (record which key produced each ciphertext so old and new keys can coexist while stored data is re-encrypted) and log every secret access for audit
Related Patterns
- Input Validation - Validate all input
- Encryption - Data encryption patterns
- Audit Logging - Track secret access