Secrets Storage
Integration configs can include sensitive values (API keys, tokens, passwords). OpenApp stores these in AWS Secrets Manager instead of the database.
Which fields are stored in Secrets Manager
Each integration provider declares a secrets schema. Fields that belong to this schema are stored in Secrets Manager; all other config fields are stored in the database.
| Provider | Secret fields |
|---|---|
| Shelly Cloud | auth_key |
| Home Assistant | token |
| PalGate Cloud | session_token_hex |
| go2rtc | nvr_username, nvr_password |
| KNX, MQTT, Virtual Budget, Virtual Access, Shelly Websocket, Waveshare | None |
Secrets are never stored in the database
- Non-secret config (e.g. `base_url`, `rate_limit_min_interval_ms`) is stored in the database.
- Secret values are stored only in AWS Secrets Manager. The database never contains them.
API behavior
- Create: `POST /integrations` accepts two separate fields:
  - `config`: non-secret JSON object (stored in DB)
  - `secrets`: secret JSON object (stored in Secrets Manager)
- Update: `PUT /integrations/{id}` supports independent, tri-state patches for both:
  - `config`: omitted = unchanged, `null` = clear, object = replace
  - `secrets`: omitted = unchanged, `null` = clear (delete from Secrets Manager), object = replace
- Read: `GET /integrations/{id}` never returns secrets.
- Read secrets: `GET /integrations/{id}/secrets` returns the secrets JSON object (authorized).
- List: List responses never include secrets.
- Soft delete: Secrets remain in Secrets Manager so the integration can be restored.
- Hard delete: The secret is overwritten with an empty object, then deleted from Secrets Manager, before the DB record is purged.
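The tri-state update and the config/secrets split described above, modelled as an added example (not OpenApp's own code). `IntegrationStore`, its in-memory `db` and `vault` dicts, the provider keys and the rejection of secret-schema fields sent under `config` are all assumptions made for illustration.

```python
import json

# Constructed subset of the provider table above: provider -> secret field names.
SECRET_FIELDS = {
    "home_assistant": {"token"},
    "go2rtc": {"nvr_username", "nvr_password"},
    "mqtt": set(),
}


class IntegrationStore:
    """Hypothetical model: `db` stands in for the database, `vault` for Secrets Manager."""

    def __init__(self):
        self.db, self.vault = {}, {}

    def _check_config(self, provider, config):
        # Assumed safeguard: a secret-schema field sent under "config" would end up in the DB.
        leaked = SECRET_FIELDS[provider] & set(config)
        if leaked:
            raise ValueError(f"secret fields sent in config: {sorted(leaked)}")

    def create(self, iid, provider, config, secrets):
        self._check_config(provider, config)
        self.db[iid] = {"provider": provider, "config": dict(config)}
        if secrets:
            self.vault[iid] = dict(secrets)

    def update(self, iid, raw_body):
        body = json.loads(raw_body)
        record = self.db[iid]
        # Test key presence, not body.get(): get() cannot tell omitted from null.
        if "config" in body:
            new_config = body["config"] or {}  # null = clear (modelled as empty object)
            self._check_config(record["provider"], new_config)
            record["config"] = dict(new_config)
        if "secrets" in body:
            if body["secrets"] is None:
                self.vault.pop(iid, None)  # null = delete from the secret store
            else:
                self.vault[iid] = dict(body["secrets"])  # object = replace

    def read(self, iid):
        # Built from the DB record only, so secrets cannot appear in the response.
        return {"id": iid, **self.db[iid]}

    def read_secrets(self, iid):
        # Authorization is out of scope here; the documented endpoint requires it.
        return dict(self.vault.get(iid, {}))
```
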