Secrets Management

Create and manage encrypted secrets for your repositories

Create New Secrets

Bind secrets to a GitHub repository (for CodeSource::GitHub)

Examples: alice/project, https://github.com/alice/project

Profile name for organizing multiple secret sets per repo

JSON object with key-value pairs. Keys will be available as environment variables in WASM execution.

⚠️ Cannot use PROTECTED_* prefix (reserved for auto-generated secrets)

Auto-generate cryptographically secure secrets without seeing their values. Perfect for MASTER_KEY, API tokens, passwords, and ED25519 keys.

✅ Must start with PROTECTED_* prefix (proves secret was generated in TEE)

💡 No restrictions - open for all users

💡 How it works

  • Manual secrets: Encrypted client-side with ChaCha20-Poly1305 AEAD
  • Generated secrets: Keystore generates inside TEE (you never see values)
  • Combined flow: Manual secrets encrypted → sent with generation specs → keystore decrypts, generates, merges, re-encrypts
  • Uses keystore's public key (coordinator never sees plaintext)
  • Encrypted data is stored on NEAR contract
  • Only verified TEE workers can decrypt secrets during execution
  • You can provide manual secrets, generated secrets, or both
  • Storage costs ~0.01 NEAR per secret set

🔐 How Repo-Based Secrets Work

  1. Create secrets: Secrets are encrypted with keystore's public key and stored in the contract
  2. Reference in execution: Use secrets_ref: {profile: "production", account_id: "you.near"}
  3. Automatic decryption: Worker fetches secrets from contract and decrypts via keystore
  4. Access validation: Keystore validates access conditions (balance checks, whitelists, etc.)
  5. WASI injection: Decrypted secrets injected as environment variables into WASM
  6. Code access: Your WASM code uses std::env::var("API_KEY")
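
Steps 5 and 6 from the guest's side, as an added example (not code from the original page or the project): a loader that reads injected secrets with std::env::var, fails closed on a missing or empty value, and keeps values out of debug output. The `Secret` type, the helper names and the variable name `PROTECTED_MASTER_KEY` are assumptions made for illustration; `API_KEY` and the `PROTECTED_` prefix rule come from the page.

```rust
use std::fmt;

/// Prefix the page reserves for secrets generated inside the TEE.
pub const PROTECTED_PREFIX: &str = "PROTECTED_";

/// Holds a secret value and keeps it out of Debug output (logs, panics).
pub struct Secret(String);

impl Secret {
    pub fn expose(&self) -> &str { &self.0 }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret(<redacted>)")
    }
}

#[derive(Debug, PartialEq)]
pub enum SecretError { Missing(String), Empty(String), NotProtected(String) }

/// Look up a secret by name and fail closed if it is absent or empty.
pub fn require_secret(lookup: impl Fn(&str) -> Option<String>, name: &str) -> Result<Secret, SecretError> {
    match lookup(name) {
        None => Err(SecretError::Missing(name.to_string())),
        Some(v) if v.is_empty() => Err(SecretError::Empty(name.to_string())),
        Some(v) => Ok(Secret(v)),
    }
}

/// Same, but only for names carrying the reserved prefix. Manual secrets cannot
/// use that prefix, so a hand-entered value is never accepted here.
pub fn require_generated(lookup: impl Fn(&str) -> Option<String>, name: &str) -> Result<Secret, SecretError> {
    if !name.starts_with(PROTECTED_PREFIX) {
        return Err(SecretError::NotProtected(name.to_string()));
    }
    require_secret(lookup, name)
}

fn main() {
    // In the WASM guest the worker has injected secrets as environment variables.
    let env = |k: &str| std::env::var(k).ok();
    let api = require_secret(&env, "API_KEY"); // name used on the page
    let master = require_generated(&env, "PROTECTED_MASTER_KEY"); // assumed name
    // Errors carry only the variable name; Debug on Secret prints no value.
    println!("API_KEY: {:?}\nPROTECTED_MASTER_KEY: {:?}", api, master);
}
```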

Example: Request Execution with Secrets

near call outlayer.testnet request_execution '{
  "source": {
    "GitHub": {
      "repo": "https://github.com/alice/myproject",
      "commit": "main",
      "build_target": "wasm32-wasip1"
    }
  },
  "secrets_ref": {
    "profile": "production",
    "account_id": "alice.near"
  },
  "resource_limits": { ... },
  "input_data": "{}"
}' --accountId alice.near --deposit 0.1