#319 Add API Endpoint to Retrieve Secret Values (with extra auth)

closed medium Created 2025-12-08 14:40 · Updated 2025-12-08 16:38

Description

## Current State

- API never returns secret values (by design)
- Only workflow `tools.secrets.get_secret` returns values

## Problem

Legitimate admin use cases require viewing secret values:

- Verifying a secret was set correctly
- Debugging integration issues
- Rotating credentials (need to see old value)

## Solution

Add optional secure endpoint with extra authentication:

`GET /tenant/secrets/<path>/value`

Requirements:

- Requires manage_secrets permission PLUS explicit confirmation
- Rate limited (max 10 value reads per hour per user)
- Audit logged with full details
- Optional: Require MFA/2FA confirmation
- Response includes warning about sensitivity

## Alternative: Keep values invisible

- Force users to use Vault CLI directly for value access
- This is more secure but less convenient

## Acceptance Criteria

- New endpoint with enhanced security
- Strict rate limiting
- Full audit logging
- UI shows warning before value reveal
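A sketch of the authorization gate the requirements describe, added here as an example and not taken from the project's code. The class name `SecretValueGate`, the HTTP status codes, the in-memory stores and the injectable clock are assumptions; only the `manage_secrets` permission and the 10-reads-per-hour limit come from the issue.

```python
import time
from collections import defaultdict, deque

MAX_READS = 10         # from the issue: max 10 value reads per hour per user
WINDOW_SECONDS = 3600


class SecretValueGate:
    """Hypothetical gate run before GET /tenant/secrets/<path>/value returns data."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable so the window is testable
        self._reads = defaultdict(deque)    # user -> timestamps of allowed reads
        self.audit_log = []                 # stand-in for a durable audit sink

    def _audit(self, user, path, outcome, reason):
        # Record who, what, when and the decision; never the secret value.
        self.audit_log.append({"ts": self._clock(), "user": user, "path": path,
                               "outcome": outcome, "reason": reason})

    def authorize(self, user, permissions, path, confirmed):
        """Return an HTTP status (assumed mapping): 200, 400, 403 or 429."""
        if "manage_secrets" not in permissions:
            self._audit(user, path, "deny", "missing_permission")
            return 403
        if not confirmed:                   # the "explicit confirmation" requirement
            self._audit(user, path, "deny", "no_confirmation")
            return 400
        now = self._clock()
        window = self._reads[user]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                # drop reads older than one hour
        if len(window) >= MAX_READS:
            self._audit(user, path, "deny", "rate_limited")
            return 429
        window.append(now)                  # only allowed reads consume quota
        self._audit(user, path, "allow", "ok")
        return 200
```

Denied attempts are audited as well as allowed ones, so repeated probing of the endpoint shows up in the log even when no value is returned.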
