A managed secret is a credential that the operator stores in Alter instead of an environment variable or external secret manager. Same vault, same app.request() surface, no end-user OAuth flow.
Where a connection is a credential the end user authorizes for themselves, a managed secret is a credential the operator already holds — a Stripe API key, a Datadog token, an AWS access key. Alter stores it encrypted, binds it to a principal, and returns a grant_id that the SDK uses the same way it uses any other grant.
When to use a managed secret
- The credential already exists (generated at the provider’s console).
- The credential is per-service or per-tenant, not per-end-user.
- Centralized credential management is preferable to scattering API keys across environments.
Principal binding
A managed secret is stored once and issued as one or more grants, each bound to a different principal. The bindings decide who can use the credential:

| Bound to | Who can use it | Typical use |
|---|---|---|
| User | One named user, resolved by their JWT | A per-user Stripe API key |
| Group | Members of an IDP group | A shared Datadog key for everyone in the support group |
| System | The app itself (no user in scope) | A background-job AWS credential |
| Agent | One named agent | An agent-owned Anthropic API key |
Credential types
Managed secrets ship with templates for common header shapes:

| Type | What Alter injects |
|---|---|
| Bearer token | Authorization: Bearer <token> |
| API key (custom header) | A configured header name, e.g. X-API-Key: <key> |
| Basic auth | Authorization: Basic <base64(user:pass)> |
| AWS SigV4 | A full AWS Signature Version 4 computed per request |
Rotation
When a credential at the provider rotates, update the stored value in the developer portal. Every existing grant_id for that secret keeps working — the credential is replaced in place; the grant identity is unchanged.
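The sketch below is an added example, not Alter's code or SDK: a toy in-memory model of the behaviour described above, in which one stored secret is issued as several grants, each grant resolves only for its bound principal, the header template is applied at request time, and rotation swaps the value without touching any grant_id. The names Vault, Caller and headers_for, and the rule that "system" means no user or agent in scope, are assumptions made for illustration; AWS SigV4 is left out.

```python
import base64
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Caller:
    """Hypothetical caller identity; user and groups would come from a verified JWT."""
    user: Optional[str] = None
    groups: frozenset = frozenset()
    agent: Optional[str] = None

class Vault:
    """Toy model (assumption, not Alter's design): no method returns a stored value."""
    def __init__(self):
        self._secrets = {}   # secret_id -> (credential type, value, header name)
        self._grants = {}    # grant_id -> (secret_id, principal kind, principal name)

    def store(self, secret_id, ctype, value, header=None):
        self._secrets[secret_id] = (ctype, value, header)
    rotate = store  # rotation overwrites the value in place; grants are untouched

    def grant(self, secret_id, kind, name=None):
        grant_id = "grant_" + secrets.token_hex(8)
        self._grants[grant_id] = (secret_id, kind, name)
        return grant_id

    def _allowed(self, kind, name, caller):
        return {
            "user": caller.user == name,
            "group": name in caller.groups,
            "agent": caller.agent == name,
            "system": caller.user is None and caller.agent is None,
        }.get(kind, False)

    def headers_for(self, grant_id, caller):
        """Return the headers to inject into the outgoing request, or raise."""
        secret_id, kind, name = self._grants[grant_id]
        if not self._allowed(kind, name, caller):
            raise PermissionError(f"{grant_id} is not bound to this caller")
        ctype, value, header = self._secrets[secret_id]
        if ctype == "bearer":
            return {"Authorization": f"Bearer {value}"}
        if ctype == "api_key":
            return {header: value}
        if ctype == "basic":  # value is a (user, password) tuple
            token = base64.b64encode(":".join(value).encode()).decode()
            return {"Authorization": f"Basic {token}"}
        raise ValueError(f"unsupported credential type: {ctype}")
```
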
Write-only storage
Once stored, a managed secret can never be read back from the portal or the SDK. The only path to the plaintext is the outgoing HTTP request Alter makes on behalf of a grant. This eliminates “the operator emailed the API key” as a credential exposure path.

What’s next
- Provision secrets for backend services — end-to-end guide.
- Managed secret providers — the catalog.
- Delegation — user → agent delegation on a managed secret.