# Secrets API

The Secrets API manages encrypted tenant-local secret material such as upstream API keys.

All routes require a valid Abbotik bearer token with root or full tenant access. Plaintext secret values are accepted on create and update, encrypted before storage, and never returned by the API.

## Endpoint Summary

| Method | Path | Description |
|--------|------|-------------|
| GET | [`/api/user/secrets`](GET.md) | List tenant secrets without exposing secret material. |
| POST | [`/api/user/secrets`](POST.md) | Create a new encrypted tenant secret. |
| PUT | [`/api/user/secrets/:secret_name`](:secret_name/PUT.md) | Replace the value or metadata for one tenant secret. |
| DELETE | [`/api/user/secrets/:secret_name`](:secret_name/DELETE.md) | Delete one tenant secret by name. |

## Notes

- The API requires `ABBOTIK_SECRETS_MASTER_KEY` to be configured as a 32-byte hex or base64 key.
- When that key is missing or invalid, the entire secrets surface returns `503 SECRETS_UNAVAILABLE`.
- Secret names are tenant-scoped and unique.
- This surface returns metadata only. Use internal platform code to resolve plaintext values.

## LLM Navigation Notes

Use the exact router-shaped docs paths:

- `/docs/api/user/secrets/GET`
- `/docs/api/user/secrets/POST`
- `/docs/api/user/secrets/secret_name/PUT`
- `/docs/api/user/secrets/secret_name/DELETE`
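
A deployment preflight for the `ABBOTIK_SECRETS_MASTER_KEY` requirement in the Notes, as an added example that is not Abbotik's own code. The decoding order (hex first, then standard padded base64), the function names and the `available` label are assumptions; the page only states that the key must be 32 bytes in hex or base64 and that an invalid key yields `SECRETS_UNAVAILABLE`.

```python
import base64
import binascii
import re

KEY_BYTES = 32  # key length stated in the Notes
_HEX_RE = re.compile(r"[0-9a-fA-F]{64}")  # 32 bytes written as hex


def decode_master_key(value):
    """Return (key_bytes or None, detail). Never log the value itself."""
    if value is None or not value.strip():
        return None, "missing"
    value = value.strip()
    # Assumption: hex is tried first. A 64-char hex string is also valid
    # base64, where it would decode to 48 bytes and be rejected.
    if _HEX_RE.fullmatch(value):
        return bytes.fromhex(value), "hex"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None, "not hex or base64"
    if len(raw) != KEY_BYTES:
        return None, f"decodes to {len(raw)} bytes, need {KEY_BYTES}"
    return raw, "base64"


def secrets_surface_status(env):
    """Status a deployment should expect from the secrets routes.

    "available" is a label made up for this example.
    """
    key, _ = decode_master_key(env.get("ABBOTIK_SECRETS_MASTER_KEY"))
    return "SECRETS_UNAVAILABLE" if key is None else "available"


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    samples = {
        "hex-32": "00" * 32,
        "base64-32": "A" * 43 + "=",
        "hex-16": "ab" * 16,
        "garbage": "not a key!",
        "unset": None,
    }
    for label, value in samples.items():
        key, detail = decode_master_key(value)
        print(f"{label:10} ok={key is not None} ({detail})")
```

Run it against the environment of the target deployment before rollout; the detail string reports the length or encoding problem without printing the key.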