Guardian

Platform Docs

Secrets & Keys

Store sensitive values, manage encryption keys, and inject both into every Forge Metal sandbox workload.

Overview

Forge Metal ships two related services for handling sensitive material. Secrets store values your code needs but shouldn't commit to source control — API tokens, database passwords, webhook signing secrets, TLS private keys. Keys hold cryptographic material your code uses for encrypt, decrypt, sign, and verify operations. If you've used AWS Secrets Manager and AWS KMS, most of the vocabulary on this page is the same.

Both services share one access-control model, one audit trail, and one injection path into sandbox workloads, so what you learn about one applies to the other.

Shared responsibility

Forge Metal is responsible for how secrets and keys are stored, delivered, and isolated. You are responsible for what your code does with the values after it receives them.

Forge Metal's responsibility
  • Values stored encrypted at rest.
  • Values delivered to sandboxes only through the process environment and a RAM-only tmpfs mount.
  • Values never written to logs, traces, telemetry, audit payloads, error messages, or shared sandbox images.
  • Values never cross organization boundaries, regardless of how scopes or names overlap between organizations.
  • Every read, write, and key use recorded in a tamper-evident audit trail.
Your responsibility
  • What your application code does with values after reading them.
  • Whether your code writes values to files, logs, or persistent volumes inside your sandbox.
  • Whether your code forwards values into outbound API calls, webhook bodies, or crash reports.
  • If you save a snapshot of a sandbox after your code has written a secret to disk, the snapshot carries that secret. Snapshots are scoped to your organization and never shared across tenants, but treat them accordingly.

Secrets

A secret is a named value plus its version history. Updating a secret creates a new version; older versions remain addressable within the retention window, so a workload already running on the previous version can finish cleanly while new workloads pick up the new value.

Scopes

Every secret belongs to one of four scopes. Reads resolve from most specific to least specific, so you can use the same name across scopes and let context decide the value.

  1. Branch — one branch of one repository. Useful for short-lived preview and dev work.
  2. Environment — one environment such as production or staging.
  3. Source — one code repository.
  4. Organization — available everywhere in your organization.

A read for STRIPE_KEY on the main branch of the checkout repository in the production environment checks branch first, then environment, then source, then organization, and returns the first match.

Versions

Every secret has a current version and retains its previous versions for a configurable retention window. Reads return the current version by default; callers can request a specific version by label (current, previous) or by version number.

Rotation never takes effect mid-request. A workload that reads STRIPE_KEY at start gets one consistent value for the lifetime of that read.

Operations

Create or update a secret with PUT /api/v1/secrets/{name}, read the current version with GET, list organization secrets with GET /api/v1/secrets, and delete with DELETE. Mutating calls require an Idempotency-Key header; retrying with the same key is safe and returns the original result without double-writing. The full surface is documented in the API reference.

Keys

Keys are cryptographic material your code uses for encryption and signing. A secret holds a value you read as-is; a key is never read as-is. Your code sends data to Forge Metal and receives back ciphertext, plaintext, a signature, or a data key.

Key types

  • Symmetric keys — AES-256-GCM for encrypt and decrypt.
  • Asymmetric signing keys — Ed25519 or ECDSA P-256 for sign and verify. The public key is fetchable and can be handed to external verifiers.
  • MAC keys — HMAC-SHA256 for sign and verify when both producer and verifier are yours and a shared secret is acceptable.
  • Data keysgenerate-data-key returns a fresh symmetric key encrypted under your key, for envelope encryption of large payloads you store yourself.

Key type is fixed at creation. A key created for HMAC cannot later produce asymmetric signatures.

Versions and rotation

Keys are versioned. Rotating a key creates a new version and makes it current; previous versions remain available for decryption and verification of material produced while they were current. Ciphertexts and signatures carry an explicit version prefix, so rotation never invalidates data at rest.

Set a rotation schedule per key (common choices are 90, 180, or 365 days) or rotate on demand through the API or the dashboard. Schedules can be paused and resumed without losing rotation history.

Aliases

An alias is a human-friendly pointer to a key. Your application references alias/payments-signer; operations can repoint the alias to a new key during a planned rotation without code changes. Aliases are organization-scoped and follow the same access-control rules as the key they reference.

Using secrets in sandboxes

Sandbox workloads — CI jobs, one-off scripts, scheduled tasks, long-running development environments — consume secrets without touching storage paths, credentials, or Forge Metal APIs directly. You declare what the workload needs; Forge Metal wires it up at sandbox start.

Secret profiles

A secret profile is a named collection of secret references — not the values themselves. A dev-env profile might bundle GITHUB_TOKEN, STRIPE_TEST_KEY, and OPENAI_API_KEY. Create the profile once; attach it to every sandbox that should receive those secrets.

Profiles carry their own access-control grants. A member can be allowed to launch sandboxes with the dev-env profile without being granted direct read on the underlying secrets.

Injection surfaces

Two surfaces, both materialized at sandbox start:

  • Environment variables — process-local. Your code reads process.env.STRIPE_KEY, os.environ["STRIPE_KEY"], or the equivalent in any language. No SDK required.
  • /run/secrets/* — files on a RAM-only tmpfs. Use this for SSH private keys, TLS certificates, JSON service-account files, and anything that doesn't fit neatly in an environment variable. The tmpfs never persists and is never written to the sandbox's durable volume.

Certain environment variable names are reserved and cannot be overridden by profiles, including HOME, PATH, runtime-controlled variables used by the sandbox runner, and any name beginning with FORGE_METAL_.

Live rotation in long-running sandboxes

Short-lived workloads pick up the current value at start and run to completion on that value. Long-running sandboxes, including development environments, receive rotation events from Forge Metal and refresh environment variables and tmpfs files in place. Your code can watch for file changes or re-read environment variables on demand; rotation never takes effect mid-request for a read already in progress.

Isolation guarantees

  • Secret values are never written to platform state on the sandbox host. Execution records store only secret references, never resolved values.
  • Secret values never appear in audit payloads, telemetry, traces, or error messages.
  • Workloads from one organization never reach secrets belonging to another, regardless of scope or name overlap.
  • Platform-curated sandbox images — the shared base snapshots every customer clones from — never contain customer secrets.

Access control

Access to secrets and keys is controlled by three organization roles plus per-resource grants. Members do not receive blanket read access to everything in the organization.

Owner
Read, write, delete, rotate, and use any secret or key in the organization. Can grant and revoke access for others. Can change organization-level policies.
Admin
Everything an owner can do on secrets and keys, except changing organization-level policies.
Member
Read secrets and use keys only on resources explicitly granted to the member, their team, or a service account they hold. No blanket access.

Grants

Owners and admins grant specific operations (read, use, rotate) on specific resources to specific actors — members, teams, or service accounts. Grants can be time-boxed and are audited on every use. Revoking a grant takes effect on the next read.

For automated callers such as CI jobs and service accounts, issue API credentials with the exact operations the caller needs. API credentials never inherit blanket role permissions.

Audit trail

Every public operation on secrets and keys, and every injection read into a sandbox, emits a structured audit record. Records include actor, organization, operation, target resource, version, outcome, request ID, client IP, route, and timestamp.

Audit records are stored by Forge Metal's governance service: written to a durable primary store on the request path, chained with a keyed HMAC so that tampering with any row invalidates the chain from that point forward, and projected to a long-term analytics store for querying and dashboards. Retention follows your organization's data-retention policy.

Secret values never appear in audit records. Secret paths are stored only as keyed HMAC hashes, so names like PROD_STRIPE_KEY do not become searchable data in your audit store. High-risk events — key rotation, grant changes, production secret reads — are surfaced on a dedicated risk feed in the governance dashboard.

Limits

  • Secret value size: up to 64 KB per version.
  • Secret name: up to 256 characters; alphanumeric with -, _, and / for path segments.
  • Key name: up to 256 characters; alphanumeric with - and _.
  • Versions retained per resource: the last 100 versions, or every version within the rotation retention window — whichever is greater.
  • Data key size: 128, 192, or 256 bits for symmetric data keys.
  • Rate limits are documented per operation in the API reference.