Secret Types
QNSP Vault Service (port 8090) stores an opaque secret payload plus metadata. The platform does not enforce a typed secret schema (for example: "database", "certificate", etc.).
Service Configuration
From apps/vault-service/src/config/env.ts:
| Setting | Environment Variable | Default |
|---|---|---|
| Port | PORT | 8090 |
| Default lease TTL | LEASE_DEFAULT_TTL_SECONDS | 3600 (1 hour) |
| Max lease TTL | LEASE_MAX_TTL_SECONDS | 86400 (24 hours) |
| PQC algorithm | PQC_ALGORITHM | kyber-768 |
| Master key ID | KEY_ID | vault-master-key |
Rotation Worker
| Setting | Environment Variable | Default |
|---|---|---|
| Enabled | ROTATION_WORKER_ENABLED | true |
| Poll interval | ROTATION_WORKER_POLL_INTERVAL_MS | 60,000 (1 min) |
| Batch size | ROTATION_WORKER_BATCH_SIZE | 10 |
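As an added example (not the service's own `env.ts`), the following TypeScript loads the settings from both tables above and shows how a lease TTL is resolved against the default and the cap. The environment variable names and default values are those documented here; the `VaultConfig` shape, the function names, and the rule that a requested TTL above the maximum is clamped rather than rejected are assumptions.

```typescript
// Added example, not the service's own code. Variable names and defaults come from the
// configuration tables; the config shape and function names are assumptions.

type Env = Record<string, string | undefined>;

export interface VaultConfig {
  port: number;
  leaseDefaultTtlSeconds: number;
  leaseMaxTtlSeconds: number;
  pqcAlgorithm: string;
  keyId: string;
  rotationWorkerEnabled: boolean;
  rotationWorkerPollIntervalMs: number;
  rotationWorkerBatchSize: number;
}

// Missing or blank -> documented default; present but malformed -> error, never a silent fallback.
function positiveIntFromEnv(env: Env, name: string, fallback: number): number {
  const raw = env[name];
  if (raw === undefined || raw.trim() === "") return fallback;
  const n = Number(raw);
  if (!Number.isInteger(n) || n <= 0) {
    throw new Error(`${name} must be a positive integer, got "${raw}"`);
  }
  return n;
}

function boolFromEnv(env: Env, name: string, fallback: boolean): boolean {
  const raw = env[name];
  if (raw === undefined || raw.trim() === "") return fallback;
  const v = raw.trim().toLowerCase();
  if (v === "true" || v === "1") return true;
  if (v === "false" || v === "0") return false;
  throw new Error(`${name} must be true or false, got "${raw}"`);
}

export function loadConfig(env: Env): VaultConfig {
  const cfg: VaultConfig = {
    port: positiveIntFromEnv(env, "PORT", 8090),
    leaseDefaultTtlSeconds: positiveIntFromEnv(env, "LEASE_DEFAULT_TTL_SECONDS", 3600),
    leaseMaxTtlSeconds: positiveIntFromEnv(env, "LEASE_MAX_TTL_SECONDS", 86400),
    pqcAlgorithm: env["PQC_ALGORITHM"] ?? "kyber-768",
    keyId: env["KEY_ID"] ?? "vault-master-key",
    rotationWorkerEnabled: boolFromEnv(env, "ROTATION_WORKER_ENABLED", true),
    rotationWorkerPollIntervalMs: positiveIntFromEnv(env, "ROTATION_WORKER_POLL_INTERVAL_MS", 60000),
    rotationWorkerBatchSize: positiveIntFromEnv(env, "ROTATION_WORKER_BATCH_SIZE", 10),
  };
  // A default above the cap would hand out over-long leases on every request that omits a TTL.
  if (cfg.leaseDefaultTtlSeconds > cfg.leaseMaxTtlSeconds) {
    throw new Error("LEASE_DEFAULT_TTL_SECONDS must not exceed LEASE_MAX_TTL_SECONDS");
  }
  return cfg;
}

// TTL for a lease request: omitted -> default; above the cap -> clamped to the cap (assumed rule).
export function resolveLeaseTtl(cfg: VaultConfig, requestedSeconds?: number): number {
  if (requestedSeconds === undefined) return cfg.leaseDefaultTtlSeconds;
  if (!Number.isInteger(requestedSeconds) || requestedSeconds <= 0) {
    throw new Error("requested TTL must be a positive whole number of seconds");
  }
  return Math.min(requestedSeconds, cfg.leaseMaxTtlSeconds);
}

// Usage: const cfg = loadConfig(process.env); resolveLeaseTtl(cfg, 7200) -> 7200
```

The startup check that the default does not exceed the maximum is the part worth keeping: with the documented defaults it always holds, but an operator who lowers `LEASE_MAX_TTL_SECONDS` without also lowering the default would otherwise get leases longer than the cap on every request that omits a TTL.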
Secret payload
Create a secret
```http
POST /vault/v1/secrets
Authorization: Bearer <token>
Content-Type: application/json

{
  "tenantId": "<tenant_uuid>",
  "name": "example-secret",
  "payload": "<base64_payload>",
  "metadata": {},
  "rotationPolicy": {
    "intervalSeconds": 86400,
    "expiresAt": 1700000000
  }
}
```
Notes:
- `payload` is a base64-encoded string.
- `metadata` is a JSON object and is stored alongside the secret.
- `rotationPolicy` supports `intervalSeconds` and optional `expiresAt` (unix seconds).
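As an added example (not the service's own handler), the following TypeScript validates a create-secret body against the notes above before it reaches storage. Field names match the request shown; the UUID and name patterns, the 64 KiB payload limit, treating `metadata` as required, and the function name are assumptions.

```typescript
// Added example, not the service's own code. Field names come from the documented request;
// the UUID/name/base64 patterns, the payload size limit and the function name are assumptions.

export interface RotationPolicy {
  intervalSeconds: number;
  expiresAt?: number; // unix seconds
}

export interface CreateSecretRequest {
  tenantId: string;
  name: string;
  payload: string; // base64-encoded
  metadata: Record<string, unknown>;
  rotationPolicy?: RotationPolicy;
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/; // assumed naming rule
// Standard base64 alphabet with correct padding; rejects URL-safe variants and stray whitespace.
const BASE64_RE = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
const MAX_PAYLOAD_CHARS = 64 * 1024; // assumed limit

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

function parseRotationPolicy(raw: unknown, nowSeconds: number): RotationPolicy {
  if (!isPlainObject(raw)) throw new Error("rotationPolicy must be a JSON object");
  const { intervalSeconds, expiresAt } = raw;
  if (typeof intervalSeconds !== "number" || !Number.isInteger(intervalSeconds) || intervalSeconds <= 0) {
    throw new Error("rotationPolicy.intervalSeconds must be a positive integer");
  }
  if (expiresAt === undefined) return { intervalSeconds };
  if (typeof expiresAt !== "number" || !Number.isInteger(expiresAt) || expiresAt <= nowSeconds) {
    throw new Error("rotationPolicy.expiresAt must be a future unix time in seconds");
  }
  return { intervalSeconds, expiresAt };
}

// Returns a typed request or throws with a field-specific message. The caller injects
// `nowSeconds` so the expiresAt check is deterministic and testable.
export function validateCreateSecret(body: unknown, nowSeconds: number): CreateSecretRequest {
  if (!isPlainObject(body)) throw new Error("body must be a JSON object");
  const { tenantId, name, payload, metadata, rotationPolicy } = body;
  if (typeof tenantId !== "string" || !UUID_RE.test(tenantId)) {
    throw new Error("tenantId must be a UUID");
  }
  if (typeof name !== "string" || !NAME_RE.test(name)) {
    throw new Error("name must be 1-128 characters of [A-Za-z0-9._-] starting with an alphanumeric");
  }
  if (typeof payload !== "string" || payload.length === 0 || !BASE64_RE.test(payload)) {
    throw new Error("payload must be a non-empty base64 string");
  }
  if (payload.length > MAX_PAYLOAD_CHARS) {
    throw new Error(`payload exceeds ${MAX_PAYLOAD_CHARS} base64 characters`);
  }
  if (!isPlainObject(metadata)) throw new Error("metadata must be a JSON object");
  return {
    tenantId,
    name,
    payload,
    metadata,
    rotationPolicy: rotationPolicy === undefined ? undefined : parseRotationPolicy(rotationPolicy, nowSeconds),
  };
}
```

Because the payload is opaque to the service, the only checks available at this boundary are shape checks: that the string really is base64 (so a later decode cannot fail or silently drop bytes), that it is bounded in size, and that `expiresAt` is in the future at the moment of creation.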
HSM/PKCS#11 Integration
Configure via KMS_PKCS11_CONFIGS_JSON:
```json
[
  {
    "modulePath": "/usr/lib/softhsm/libsofthsm2.so",
    "slot": 0,
    "pin": "1234",
    "algorithm": "AES-KW",
    "profile": "strict"
  }
]
```
Production mode enforces:
- `profile: "strict"`
- `allowPlainImport: false`
- `allowExtractUnwrapped: false`
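As an added example (not the service's own loader), the following TypeScript parses `KMS_PKCS11_CONFIGS_JSON` and refuses to start in production unless every module entry satisfies the three rules above, reporting all violations at once rather than only the first. Field names are from the page; the `"permissive"` profile value, the fail-closed default for an absent `allowPlainImport` or `allowExtractUnwrapped`, and the function names are assumptions.

```typescript
// Added example, not the service's own code. Field names come from the documented config;
// the "permissive" profile, the fail-closed defaults and the function names are assumptions.

export interface Pkcs11ModuleConfig {
  modulePath: string;
  slot: number;
  pin: string;
  algorithm: string;
  profile: "strict" | "permissive";
  allowPlainImport: boolean;
  allowExtractUnwrapped: boolean;
}

export interface PolicyViolation {
  index: number; // position in the JSON array
  field: string;
  message: string;
}

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// An absent flag is read as false (the restrictive setting); a non-boolean is an error.
function optionalBool(v: unknown, field: string, index: number): boolean {
  if (v === undefined) return false;
  if (typeof v !== "boolean") throw new Error(`configs[${index}].${field} must be a boolean`);
  return v;
}

export function parsePkcs11Configs(json: string): Pkcs11ModuleConfig[] {
  const parsed: unknown = JSON.parse(json);
  if (!Array.isArray(parsed) || parsed.length === 0) {
    throw new Error("KMS_PKCS11_CONFIGS_JSON must be a non-empty JSON array");
  }
  return parsed.map((item: unknown, i: number): Pkcs11ModuleConfig => {
    if (!isPlainObject(item)) throw new Error(`configs[${i}] must be an object`);
    const { modulePath, slot, pin, algorithm, profile } = item;
    if (typeof modulePath !== "string" || modulePath.length === 0) throw new Error(`configs[${i}].modulePath must be a non-empty string`);
    if (typeof slot !== "number" || !Number.isInteger(slot) || slot < 0) throw new Error(`configs[${i}].slot must be a non-negative integer`);
    if (typeof pin !== "string") throw new Error(`configs[${i}].pin must be a string`);
    if (typeof algorithm !== "string" || algorithm.length === 0) throw new Error(`configs[${i}].algorithm must be a non-empty string`);
    const prof = profile === "strict" ? "strict" : profile === "permissive" ? "permissive" : null;
    if (prof === null) throw new Error(`configs[${i}].profile must be "strict" or "permissive"`);
    return {
      modulePath,
      slot,
      pin,
      algorithm,
      profile: prof,
      allowPlainImport: optionalBool(item["allowPlainImport"], "allowPlainImport", i),
      allowExtractUnwrapped: optionalBool(item["allowExtractUnwrapped"], "allowExtractUnwrapped", i),
    };
  });
}

// Every production rule an entry breaks, so the operator sees the full list in one run.
export function productionViolations(configs: Pkcs11ModuleConfig[]): PolicyViolation[] {
  const out: PolicyViolation[] = [];
  configs.forEach((c, index) => {
    if (c.profile !== "strict") out.push({ index, field: "profile", message: 'must be "strict"' });
    if (c.allowPlainImport) out.push({ index, field: "allowPlainImport", message: "must be false" });
    if (c.allowExtractUnwrapped) out.push({ index, field: "allowExtractUnwrapped", message: "must be false" });
  });
  return out;
}

export function loadPkcs11Configs(json: string, production: boolean): Pkcs11ModuleConfig[] {
  const configs = parsePkcs11Configs(json);
  if (production) {
    const violations = productionViolations(configs);
    if (violations.length > 0) {
      throw new Error("PKCS#11 configuration violates production policy: " +
        violations.map((v) => `configs[${v.index}].${v.field} ${v.message}`).join("; "));
    }
  }
  return configs;
}
```

Treating an absent `allowPlainImport` or `allowExtractUnwrapped` as `false` means a config that never mentions the flags passes production policy, while one that sets either to `true` is rejected before any module is loaded, so a key can never be imported in the clear or unwrapped to an extractable object because of a missing line.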
Secret Metadata
All secrets include:
- `id`: Unique identifier
- `version`: Current version number
- `createdAt`: Creation timestamp
- `updatedAt`: Last update timestamp