Per-app secrets vault on osFoundry
osFoundry stores per-app secrets in an encrypted vault. Secrets are injected at runtime as environment variables or via the app SDK; they are never baked into source code, never in build artefacts, and never in logs. Rotation policies, overlap windows, and an audit trail are built in.
Quick answer
- Per-app encrypted secrets vault.
- Injected at runtime — never in source or builds.
- Rotation with overlap windows.
- Per-secret audit log.
Frequently asked questions
Are secrets encrypted at rest?
Yes — workspace-controlled keys with KMS-backed encryption.
Can I rotate without downtime?
Yes. Overlap windows let the old and new versions of a secret coexist briefly.