Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.alterauth.com/llms.txt

Use this file to discover all available pages before exploring further.

What Are Managed Secrets?

Managed Secrets let you (the developer) store API keys, service tokens, and other credentials for services where you already have the credentials. No end-user OAuth flow is needed — you store the secret in the Developer Portal and get back a grant_id to use with vault.request(). Application code never sees the raw secret. A call to vault.request(..., grant_id=grant_id) is all that is needed and the SDK injects the credential as the correct auth header automatically.

When to Use Managed Secrets

Use managed secrets when:
  • You already have the credential (API key, service token, access key)
  • The credential is per-service, not per-user (shared across the backend)
  • No end-user authorization is needed
  • You want centralized credential management instead of scattering API keys across environment variables

How It Works

1

Store Secret in Developer Portal

Add the API key, service token, or credentials via the Developer Portal’s Managed Secrets tab. Choose the credential type (Bearer Token, API Key, Basic Auth, or AWS SigV4).
2

Get the grant_id

Each stored secret gets a grant_id (UUID). Save this in application code, config, or environment variables.
3

Call vault.request()

Use the same vault.request() method you use for OAuth — just pass the secret’s grant_id.
4

Secret Injected Automatically

Alter Vault retrieves the encrypted credential and injects it as the appropriate header (Authorization: Bearer, X-API-Key, Authorization: Basic, or AWS SigV4 signature).

Quick Example

import os

from alter_sdk import AlterVault, HttpMethod

async with AlterVault(
    api_key="alter_key_...",
    caller="my-agent",
) as vault:
    # grant_id from Developer Portal (stored in your config)
    response = await vault.request(
        HttpMethod.POST,
        "https://api.openai.com/v1/chat/completions",
        grant_id=os.environ["OPENAI_GRANT_ID"],
        json={"model": "gpt-4", "messages": [{"role": "user", "content": "Hello"}]},
        reason="AI model inference",
    )
    result = response.json()

Credential Types

TypeHeader Injected
Bearer TokenAuthorization: Bearer <token>
API KeyCustom header (e.g., X-API-Key: <key>)
Basic AuthAuthorization: Basic <base64(user:pass)>
AWS SigV4AWS Signature Version 4 (computed automatically)

Key Features

  • Write-only storage — secret values can never be read back, only used via vault.request()
  • Same security as OAuth — AES-256-GCM encryption, policy enforcement, full audit logging
  • No token refresh needed — you manage credential rotation by re-storing in the portal
  • Connection cloning — clone connections with optional TTL for time-limited access
  • Policy enforcement — time-based and IP-based access rules, same as OAuth
  • Full audit trail — every secret usage logged with actor identity, method, URL, and reason

Supported Managed Secret Providers

Alter Vault includes pre-configured templates for 30+ services across monitoring, communication, marketing, developer tools, and more. See the Managed Secret Providers section in the sidebar for the full list and setup guides.

Custom Secrets (Any API)

Not limited to pre-configured templates — you can store credentials for any API or service. In the Developer Portal, select Custom when adding a managed secret to configure:
  • Any credential type (Bearer Token, API Key, Basic Auth, or AWS SigV4)
  • Custom header name (e.g., X-Custom-Auth, Api-Token)
  • Custom injection format (e.g., Token {token}, Key {token})
  • Additional injection rules for multi-header or query parameter authentication
This means you can use Alter Vault for internal APIs, proprietary services, or any third-party API that uses key-based authentication — even if there’s no pre-configured template for it.

Next Steps

Setup Guide

Detailed setup, policies, and audit logging

Developer Portal

Store and manage secrets in the portal

OAuth Connections

For end-user authorized third-party access

Quickstart

Step-by-step managed secrets integration