Navigation
credential-types
Generic Secrets
When to use generic secrets
The generic-secret type is a catch-all for any sensitive value that does not fit the other five credential types. Use it for encryption keys, license keys, webhook signing secrets, HMAC secrets, JWT signing keys, configuration tokens, or any other value that needs to be encrypted and leased but does not match the API key, OAuth token, SSH key, TLS certificate, or database URL models.
If a credential could fit a more specific type, prefer the specific type. Typed credentials get validation, automatic metadata extraction, and type-aware rotation behavior. Generic secrets get none of these.
Storing a generic secret
await vault.credentials.create({
name: 'webhook-signing-secret',
type: 'generic-secret',
value: 'whsec_abc123xyz...',
metadata: {
service: 'stripe',
purpose: 'Verifying Stripe webhook signatures',
environment: 'production',
},
});Validation
Vault applies minimal validation to generic secrets:
- The value must be a non-empty string.
- The name must be unique within the tenant.
No format validation is performed on the value. Vault trusts the caller to store meaningful data.
Common use cases
Encryption keys — Symmetric keys used for encrypting data at the application level. Store the base64-encoded key and use metadata to track the algorithm and key ID.
await vault.credentials.create({
name: 'data-encryption-key-v3',
type: 'generic-secret',
value: 'base64encodedkey==',
metadata: {
algorithm: 'aes-256-gcm',
keyVersion: '3',
purpose: 'Encrypting PII fields in the users table',
},
});JWT signing keys — Private keys or shared secrets used for signing JSON Web Tokens.
await vault.credentials.create({
name: 'jwt-signing-secret',
type: 'generic-secret',
value: 'a-very-long-random-string',
metadata: {
algorithm: 'HS256',
audience: 'api.example.com',
},
});Webhook secrets — Shared secrets used to verify the authenticity of incoming webhooks from external services.
License keys — Software license keys that need to be stored securely and distributed to build processes.
Metadata conventions
Since generic secrets have no automatic metadata extraction, good metadata practices are especially important:
| Field | Description | Example |
|---|---|---|
purpose | What this secret is used for | Webhook signature verification |
service | The service or system this secret belongs to | stripe |
algorithm | Cryptographic algorithm, if applicable | aes-256-gcm |
environment | Production, staging, or development | production |
rotateEvery | Suggested rotation cadence | 180d |
Leasing
Generic secret leases work identically to other types:
const lease = await vault.leases.create({
credentialName: 'webhook-signing-secret',
ttl: '1h',
identity: {
type: 'agent',
name: 'webhook-processor',
purpose: 'Verifying incoming Stripe webhooks',
},
});Migration path
If you initially store a credential as a generic secret and later realize it should be a specific type, you can create a new credential with the correct type and the same value, update your references, then revoke the old generic secret. Vault does not support changing a credential’s type in place because type changes would alter validation and metadata extraction behavior.