Stashbase

Secrets

Overview of Stashbase secrets

In each environment you can store secrets such as API keys and database credentials. Each secret consists of a name, a value, and an optional comment. Every change you make to a secret's name or value is tracked and persisted in the changelog, and you can easily revert those changes later. All secrets are encrypted and securely stored in the database.

Format

Each secret is stored as a name and value pair and can have an optional comment. The name must be an uppercase alphanumeric string with no spaces or special characters (e.g. API_KEY or DB_PASSWORD) and cannot start with a digit. Names must be at least 2 characters and at most 255 characters long. The value can be any string, but it must not exceed 16 KB when encoded as UTF-8. Stashbase is smart enough to autoformat the names as you type them.

Here are some examples of valid and invalid secret names:

  • Invalid: db_passsword
  • Invalid: DATABASE-URL
  • Valid: DB_PASSWORD
  • Valid: DATABASE_URL

References

Stashbase also supports secret references, so you can easily refer to other secrets in the same environment. Reference a secret by wrapping its name as ${NAME}, just like in dotenv files.

Secrets cannot reference themselves. Stashbase is smart enough to warn you about invalid (wrongly formatted) or not found references, both in the web dashboard and in the CLI. Our SDKs and CLI support expanding those references to their values or returning the secrets as plain text.

Example

Here is an example of referencing other secrets:

DB_PORT=5432
DB_USER=admin
DB_NAME=postgres
DB_HOST=localhost
DB_PASSWORD=mypassword
DB_URL=postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}
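The naming, size and reference rules above can be checked before a set of secrets is used. The following is an added example, not Stashbase code: the function names are hypothetical, it assumes the underscore is the only permitted non-alphanumeric character in a name (as in the page's examples), and it expands references one level deep because the page does not describe nested expansion.

```python
import re

NAME_RE = re.compile(r"[A-Z_][A-Z0-9_]{1,254}")  # 2-255 chars, no leading digit
REF_RE = re.compile(r"\$\{([^}]*)\}")            # ${NAME}, dotenv style
MAX_VALUE_BYTES = 16 * 1024                      # 16 KB measured as UTF-8

def lint(secrets):
    """Return sorted (secret_name, problem) pairs for the rules on this page."""
    problems = []
    for name, value in secrets.items():
        if not NAME_RE.fullmatch(name):
            problems.append((name, "invalid name"))
        if len(value.encode("utf-8")) > MAX_VALUE_BYTES:
            problems.append((name, "value exceeds 16 KB"))
        refs = REF_RE.findall(value)
        if value.count("${") != len(refs):
            problems.append((name, "unterminated reference"))
        for ref in refs:
            if not NAME_RE.fullmatch(ref):
                problems.append((name, f"invalid reference ${{{ref}}}"))
            elif ref == name:
                problems.append((name, "self reference"))
            elif ref not in secrets:
                problems.append((name, f"reference not found ${{{ref}}}"))
    return sorted(problems)

def expand(secrets):
    """Expand ${NAME} one level deep; refuse if any rule is violated, so a
    literal ${...} never ends up inside a connection string."""
    problems = lint(secrets)
    if problems:
        raise ValueError(problems)
    return {n: REF_RE.sub(lambda m: secrets[m.group(1)], v)
            for n, v in secrets.items()}

# The page's example set, then a constructed set that breaks each rule.
PAGE_EXAMPLE = {
    "DB_PORT": "5432", "DB_USER": "admin", "DB_NAME": "postgres",
    "DB_HOST": "localhost", "DB_PASSWORD": "mypassword",
    "DB_URL": "postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}",
}
CONSTRUCTED_BAD = {
    "db_passsword": "x", "DATABASE-URL": "y", "1KEY": "z", "A": "v",
    "LOOP": "${LOOP}", "URL": "http://${db_host}/${MISSING}", "BIG": "é" * 8193,
}

if __name__ == "__main__":
    print(expand(PAGE_EXAMPLE)["DB_URL"])
    for item in lint(CONSTRUCTED_BAD):
        print(item)
```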

Multiline secrets

Stashbase supports multiline secrets by default. In the web dashboard you can easily create multiline secrets by pressing the Enter key while editing a value. Backslashes that are part of the secret value are also escaped automatically as \\ in the dotenv format.

Dotenv format

When you are editing secrets in the dotenv format (with the CLI or in the web dashboard), multiline secrets must begin and end with double quotes. Any double quote inside a multiline secret that is not at the end of a line is automatically escaped as \".

A double quote at the end of a line marks the end of the multiline secret, so if you want to preserve it as part of the secret, you need to escape it as \" as well.

With the Stashbase SDKs you can use multiline string literals or the newline character \n to create new lines. Check out the example of how to use multiline secrets with the CLI.

Examples

Here are some examples of multiline secrets in the dotenv format:

SSL_CERTIFICATE="-----BEGIN CERTIFICATE-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7wvZdf8Y1X+7fHtCxFNh
FsG7DbcCeG6fRro3D9EDQ2WxNs2t6HvOkfFrrqaX52zj3OtGVxFfOd2ZhZ9t7sf+
5l5kgOZHqIbVltEj9HkR9rkNSvud8VfMyV29M8WqF+88oPaoyxKjXExsxtTKnMKX
-----END CERTIFICATE-----"

PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
6HvOkfFrrqaX52zj3OtGVxFfOd2ZhZ9t7sf+5l5kgOZHqIbVltEj9HkR9rkNSvu
d8VfMyV29M8WqF+88oPaoyxKjXExsxtTKnMKXYTO2xtJHyFj69zRU1leHSlD0OH
...
-----END PRIVATE KEY-----"
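The quoting rules above decide where a multiline value ends, so a key or certificate that contains quotes or backslashes only survives if it is escaped consistently. The following is an added sketch of those rules, not Stashbase's own parser: the function names are hypothetical, the sample values are constructed, and skipping blank and # lines is an assumption.

```python
import re

def to_dotenv(name, value):
    """Serialize one secret as a double-quoted, multiline-safe dotenv entry."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{name}="{escaped}"'

def _ends_value(line):
    """True if the line ends with a double quote that is not escaped."""
    if not line.endswith('"'):
        return False
    body = line[:-1]
    trailing_backslashes = len(body) - len(body.rstrip("\\"))
    return trailing_backslashes % 2 == 0

def parse_dotenv(text):
    """Parse NAME="..." entries whose values may span several lines."""
    secrets, lines, i = {}, text.split("\n"), 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, rest = line.partition('="')
        if not sep:
            raise ValueError(f"line {i}: expected NAME=\"...")
        parts = [rest]
        while not _ends_value(parts[-1]):   # keep reading until a closing quote
            if i == len(lines):
                raise ValueError(f"{name}: unterminated value")
            parts.append(lines[i])
            i += 1
        raw = "\n".join(parts)[:-1]          # drop the closing quote
        secrets[name] = re.sub(r'\\(["\\])', r"\1", raw)
    return secrets

# Constructed value: quotes mid-line and at line end, plus backslashes.
SAMPLE_VALUE = ('-----BEGIN EXAMPLE-----\nab"cd\nline ends with quote"\n'
                'back\\slash\\\n-----END EXAMPLE-----')
# Constructed failure case: the quote after hi is unescaped at the end of a
# line, so the value stops there and the next line is no longer a valid entry.
BROKEN = 'NOTE="say "hi"\nsecond line"\n'

if __name__ == "__main__":
    text = to_dotenv("EXAMPLE_KEY", SAMPLE_VALUE)
    print(text)
    print(parse_dotenv(text)["EXAMPLE_KEY"] == SAMPLE_VALUE)
```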

YAML format

With the Stashbase CLI you can also use the YAML format to output and read secrets, including multiline ones. To do that, use the pipe symbol | to mark the secret as multiline, followed by the indented secret value.

If there are any double quotes inside those multiline secrets they will be automatically escaped as \", including the ones at the end of the line.

Examples

Here are some examples of multiline secrets in the YAML format:

SSL_CERTIFICATE: |
  -----BEGIN CERTIFICATE-----
  MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7wvZdf8Y1X+7fHtCxFNh
  FsG7DbcCeG6fRro3D9EDQ2WxNs2t6HvOkfFrrqaX52zj3OtGVxFfOd2ZhZ9t7sf+
  5l5kgOZHqIbVltEj9HkR9rkNSvud8VfMyV29M8WqF+88oPaoyxKjXExsxtTKnMKX
  -----END CERTIFICATE-----

PRIVATE_KEY: |
  -----BEGIN PRIVATE KEY-----
  6HvOkfFrrqaX52zj3OtGVxFfOd2ZhZ9t7sf+5l5kgOZHqIbVltEj9HkR9rkNSvu
  d8VfMyV29M8WqF+88oPaoyxKjXExsxtTKnMKXYTO2xtJHyFj69zRU1leHSlD0OH
  -----END PRIVATE KEY-----

Comments

Each secret can have an optional comment associated with it. The comment can be referred to as a comment in plain text files (dotenv, YAML). Comments can be single line or multiline.

Comments are formatted so that empty lines at the beginning and at the end are automatically removed, while empty lines inside the comment are preserved. All trailing whitespace is also automatically removed from each line. Leading whitespace is preserved.

The maximum length of a comment is 512 characters after formatting.

Changes (history)

All secret changes are tracked and persisted in the changelog for each environment. You can access and manage these changes through:

  1. Environment-wide changes

    • Navigate to the Changes tab in your environment
    • View a complete list of all secret modifications
    • Examine diffs, compare states, and see the full state after each change
    • Rollback to any previous state
  2. Individual secret changes

    • Go to the Secrets tab
    • Click the history option for any specific secret
    • View and manage changes for that particular secret

[Figures: Dashboard view of secret changes; Dashboard view of single secret history]

Security

Learn more about security.
