Secrets Management

Narakim provides an encrypted secrets vault for storing sensitive credentials like API keys, bot tokens, and webhook signing secrets. Secrets are never stored or transmitted in plaintext after initial entry.

How Secrets Work

  1. You enter a secret value in the UI.
  2. Narakim encrypts it using AES-256-GCM before storing it in the database.
  3. When a bot is deployed, the Automation Engine retrieves and decrypts the required secrets at runtime.
  4. Secrets are injected into extension calls—they are never exposed in logs or execution outputs.

Secret Scopes

Scope | Description
Bot Secret | Scoped to a single bot. Used for credentials specific to that bot (e.g., a Discord bot token).
Team Secret | Shared across all bots in your team. Use for common API keys (e.g., your OpenRouter API key).

Required Secrets

When you install an extension, its requiredSecrets list determines which secrets must be configured before the bot can deploy. In the Configurations tab, any missing required secret is flagged with a warning.

Common required secrets by extension:

Extension | Required Secrets
Discord (all Discord extensions) | DISCORD_BOT_TOKEN, DISCORD_APPLICATION_ID
OpenRouter AI | OPENROUTER_API_KEY
HTTP Request (authenticated) | Custom key (you define the name)

Configuring Secrets

Bot Secrets

  1. Go to Bot Dossier → Configurations tab → Extension Secrets.
  2. Enter the value for each required secret field.
  3. Click Save. The value is encrypted and stored immediately.

Team Secrets

  1. Go to Studio → Settings → Secrets.
  2. Click Add Secret.
  3. Provide a key name and value.
  4. Click Save.

Security Model

  • Secrets are encrypted at rest with AES-256-GCM.
  • The encryption key is stored separately from the database.
  • Secret values are masked after initial entry — you cannot retrieve the plaintext from the UI after saving.
  • To update a secret, overwrite the existing value with a new one.
  • Deleting a bot also deletes its associated secrets.

Warning: Do not put raw secret values into node configuration fields or template strings. Always use the Secrets vault and reference them through the extension's requiredSecrets mechanism.
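
The storage model listed above (AES-256-GCM at rest, key held outside the database, masked readback), sketched in Node.js as an added example; this is not Narakim's code. The record layout, the function names, and the use of scope, owner and key name as additional authenticated data are assumptions made for illustration.

```javascript
// Added illustration, not Narakim's implementation. Record layout, function
// names and the AAD binding are assumptions made for this example.
const crypto = require("node:crypto");

// 32-byte demo key generated per run. A real deployment would load it from a
// KMS or environment variable, never from the database that holds the
// ciphertext rows.
const MASTER_KEY = crypto.randomBytes(32);

// Bind the ciphertext to its owner and name so a row copied onto another
// bot or another key name fails authentication on decrypt.
function aad(scope, ownerId, name) {
  return Buffer.from(JSON.stringify([scope, ownerId, name]), "utf8");
}

function sealSecret(key, scope, ownerId, name, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad(scope, ownerId, name));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // This object is what would be written to the database.
  return { scope, ownerId, name, iv: iv.toString("base64"),
           tag: cipher.getAuthTag().toString("base64"), ct: ct.toString("base64") };
}

function openSecret(key, row) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(row.iv, "base64"));
  decipher.setAAD(aad(row.scope, row.ownerId, row.name));
  decipher.setAuthTag(Buffer.from(row.tag, "base64"));
  // final() throws if the ciphertext, tag, nonce or AAD was altered.
  return Buffer.concat([decipher.update(Buffer.from(row.ct, "base64")), decipher.final()]).toString("utf8");
}

// What a UI shows after saving: a fixed mask, independent of value length.
function maskedView(row) {
  return { scope: row.scope, name: row.name, value: "********" };
}

// Returns true if decrypting the row succeeds, false if authentication fails.
function verifies(key, row) {
  try { openSecret(key, row); return true; } catch { return false; }
}

const row = sealSecret(MASTER_KEY, "bot", "bot-123", "DISCORD_BOT_TOKEN", "constructed-token-value");
console.log(maskedView(row), verifies(MASTER_KEY, row));
```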

Secret Rotation

To rotate a compromised secret:

  1. Go to the Configurations tab for the affected bot.
  2. Find the secret field and enter the new value.
  3. Save. The new value takes effect on the next execution.

For production bots, you may want to temporarily pause the bot during secret rotation to avoid execution failures with stale credentials.

Last updated: May 10, 2026