Tusky includes a built-in secret manager for storing sensitive key-value data — API keys, database credentials, certificates, and configuration — encrypted on-chain using Sui Seal. Unlike centralized secret managers, Tusky secrets are encrypted client-side and access is controlled by on-chain smart contracts. Tusky never sees your plaintext secrets.

How it works

1. Write a secret
   Store a key-value pair at a path (e.g., production/database/password). The SDK encrypts the data client-side using Seal before transmitting it.

2. Seal encrypts on-chain
   Seal distributes encryption key shares across a decentralized network of key servers. An on-chain access policy defines which wallet addresses can decrypt.

3. Read a secret
   Authorized wallets request decryption. Seal key servers verify the on-chain policy, release key shares, and the secret is decrypted client-side.

API design

The secrets API follows a path-based model inspired by HashiCorp Vault:
| Operation | Method | Path                      | Description               |
|-----------|--------|---------------------------|---------------------------|
| Put       | PUT    | /secrets/{path}           | Create or update a secret |
| Get       | GET    | /secrets/{path}           | Read a secret             |
| List      | GET    | /secrets/{path}?list=true | List keys at a path       |
| Delete    | DELETE | /secrets/{path}           | Delete a secret           |
Paths use / separators for hierarchy: {environment}/{service}/{key}.

Path hierarchy

Organize secrets with a logical path structure:
production/
  database/          → host, port, username, password
  redis/             → url, password
  api-keys/
    stripe           → secret_key, publishable_key
    sendgrid         → api_key
staging/
  database/          → host, port, username, password
Use GET /secrets/{path}?list=true to browse the hierarchy. Folder entries are suffixed with /.
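The following is an added example, not code from the Tusky docs or SDK. It builds /secrets/{path} URLs with each segment percent-encoded (so a key name containing `?` or `#` cannot rewrite the query, and `.`/`..` segments are refused) and walks the hierarchy above through GET /secrets/{path}?list=true, descending into every entry suffixed with `/`. The names buildSecretsUrl, listKeys, the base URL, and the `{ keys: [...] }` response body are assumptions; the stub that answers list requests is constructed from the sample hierarchy.

```javascript
// Added example (not part of the Tusky docs or SDK). buildSecretsUrl, listKeys,
// the base URL and the { keys: [...] } list response shape are assumptions.

// Build a URL for one of the secrets routes. Each segment is percent-encoded so a
// key name holding '?', '#' or '%' cannot alter the route or query string, and
// '.' / '..' segments are refused so a path cannot escape its prefix.
function buildSecretsUrl(baseUrl, path, options = {}) {
  const segments = path.split("/").filter((s) => s.length > 0);
  if (segments.length === 0) throw new Error("secret path must not be empty");
  if (segments.some((s) => s === "." || s === "..")) {
    throw new Error(`relative segment in secret path: ${path}`);
  }
  const base = baseUrl.endsWith("/") ? baseUrl : `${baseUrl}/`;
  const url = new URL(`secrets/${segments.map(encodeURIComponent).join("/")}`, base);
  if (options.list) url.searchParams.set("list", "true");
  if (options.version !== undefined) url.searchParams.set("version", String(options.version));
  return url.toString();
}

// Recursively collect every leaf key under `prefix`. `listJson(url)` performs the
// GET and returns the parsed body; entries ending in '/' are folders to descend into.
function listKeys(listJson, baseUrl, prefix) {
  const base = prefix.replace(/\/+$/, "");
  const body = listJson(buildSecretsUrl(baseUrl, base, { list: true }));
  const leaves = [];
  for (const entry of body.keys) {
    const full = `${base}/${entry}`;
    if (entry.endsWith("/")) {
      leaves.push(...listKeys(listJson, baseUrl, full)); // folder: recurse
    } else {
      leaves.push(full); // leaf secret
    }
  }
  return leaves;
}

// Constructed stand-in for the server side of the list route. It answers only
// ?list=true requests and derives direct children from a flat list of leaf paths.
function constructedListStub(leafPaths) {
  return (url) => {
    const u = new URL(url);
    if (u.searchParams.get("list") !== "true") {
      throw new Error(`stub only answers list requests, got ${url}`);
    }
    const marker = "/secrets/";
    const rawPath = u.pathname.slice(u.pathname.indexOf(marker) + marker.length);
    const prefix = rawPath.split("/").map(decodeURIComponent).join("/") + "/";
    const children = new Set();
    for (const leaf of leafPaths) {
      if (!leaf.startsWith(prefix)) continue;
      const rest = leaf.slice(prefix.length);
      const slash = rest.indexOf("/");
      children.add(slash === -1 ? rest : rest.slice(0, slash + 1));
    }
    return { keys: [...children].sort() };
  };
}

// Constructed sample data mirroring the hierarchy shown in the docs.
const CONSTRUCTED_LEAVES = [
  "production/database/host", "production/database/port",
  "production/database/username", "production/database/password",
  "production/redis/url", "production/redis/password",
  "production/api-keys/stripe", "production/api-keys/sendgrid",
  "staging/database/host", "staging/database/port",
  "staging/database/username", "staging/database/password",
];

// Every leaf under production/, in sorted walk order (8 keys, none from staging/).
const PRODUCTION_KEYS = listKeys(
  constructedListStub(CONSTRUCTED_LEAVES),
  "https://api.example.invalid",
  "production",
);
```

Swapping `constructedListStub` for a function that does the real GET with your auth header is the only change needed to walk a live account; the walker itself never builds a URL from unencoded input.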

Global secrets

All secrets are global to your account — they are not scoped to a specific environment. Organize them using path hierarchy to logically group by environment, service, or purpose.
await tusky.secrets.put("production/stripe", {
  data: { secret_key: "sk_live_abc123" },
});

Managed secrets

Some secrets are managed by Tusky and cannot be deleted. These are stored under the reserved tusky/ path prefix. When you create an encrypted environment, Tusky automatically creates a managed secret at:
tusky/environments/{environmentId}/encryption
This secret contains the Seal encryption keys used to encrypt and decrypt files in that private environment. It is:
  • Created automatically when an encrypted environment is created
  • Non-deletable — attempting to delete returns 403 Forbidden
  • Readable — you can read the key material via the Secrets API
  • Removed only when the parent environment is deleted
Never attempt to overwrite paths under tusky/ — these are reserved for system-managed secrets. The API rejects writes to managed paths.

Encryption with Sui Seal

Secrets are encrypted using Seal, a decentralized encryption protocol on Sui:

Client-side encryption

Plaintext never leaves your device. Data is encrypted before it reaches Tusky’s servers.

On-chain access policies

Smart contracts on Sui define who can decrypt. Policies are transparent, auditable, and tamper-proof.

Distributed key management

Encryption keys are split across multiple Seal key servers. No single server can reconstruct a key.

Token-gated access

Gate secret access on any on-chain condition: wallet address, NFT ownership, token balance, or custom Move logic.

Versioning

Every PUT to a secret path creates a new version. Read a specific version with ?version=N, or omit to get the latest.
# Write version 1
curl -X PUT .../secrets/prod/db -d '{"data":{"password":"v1"}}'

# Write version 2
curl -X PUT .../secrets/prod/db -d '{"data":{"password":"v2"}}'

# Read latest (version 2)
curl .../secrets/prod/db

# Read version 1
curl ".../secrets/prod/db?version=1"
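The following is an added example, not code from the Tusky docs or SDK. It ties together the two rules above: a thin client that refuses PUT and DELETE under the reserved tusky/ prefix before any request leaves the process (a 403 from the API remains the real enforcement), and version reads where each PUT appends a new version and omitting ?version=N returns the latest. ConstructedVersionedStore is an in-memory stand-in for the API built for this example; its response shape (`{ status, version, data }`) and the environment id placeholder are assumptions, while the 403 on managed deletes, the rejection of writes to managed paths, and the readability of managed secrets come from the docs.

```javascript
// Added example (not part of the Tusky docs or SDK). The store below is a
// constructed model of the API; its response shape is an assumption.

const MANAGED_PREFIX = "tusky/";

// Collapse leading and duplicate slashes so "/tusky//x" is still recognized.
function normalizePath(path) {
  return path.split("/").filter((s) => s.length > 0).join("/");
}

function isManagedPath(path) {
  return normalizePath(path).startsWith(MANAGED_PREFIX);
}

// In-memory model of the server: every PUT appends a version; managed paths
// reject PUT and DELETE with 403 but stay readable; unknown versions are 404.
class ConstructedVersionedStore {
  constructor() {
    this.versions = new Map(); // path -> [data for v1, data for v2, ...]
    this.managed = new Set();
  }
  // Simulates the secret Tusky creates alongside an encrypted environment.
  seedManaged(path, data) {
    this.versions.set(path, [data]);
    this.managed.add(path);
  }
  put(path, data) {
    if (this.managed.has(path)) return { status: 403 };
    const history = this.versions.get(path) ?? [];
    history.push(data);
    this.versions.set(path, history);
    return { status: 200, version: history.length };
  }
  get(path, version) {
    const history = this.versions.get(path);
    if (!history) return { status: 404 };
    const n = version ?? history.length; // no ?version=N means latest
    if (!Number.isInteger(n) || n < 1 || n > history.length) return { status: 404 };
    return { status: 200, version: n, data: history[n - 1] };
  }
  delete(path) {
    if (this.managed.has(path)) return { status: 403 };
    return this.versions.delete(path) ? { status: 204 } : { status: 404 };
  }
}

// Client wrapper: fails fast on reserved paths, maps error statuses to exceptions.
class SecretsClient {
  constructor(store) {
    this.store = store;
  }
  put(path, data) {
    const p = normalizePath(path);
    if (isManagedPath(p)) throw new Error(`refusing to write reserved path ${p}`);
    return this.unwrap(this.store.put(p, data));
  }
  get(path, { version } = {}) {
    return this.unwrap(this.store.get(normalizePath(path), version));
  }
  delete(path) {
    const p = normalizePath(path);
    if (isManagedPath(p)) throw new Error(`refusing to delete reserved path ${p}`);
    return this.unwrap(this.store.delete(p));
  }
  unwrap(res) {
    if (res.status >= 400) throw new Error(`secrets API returned ${res.status}`);
    return res;
  }
}

// Placeholder environment id; a real one is assigned when the environment is created.
const MANAGED_PATH = "tusky/environments/ENV_ID_PLACEHOLDER/encryption";
```

Reading a managed secret through the client works as the docs describe; only the write and delete paths are guarded. The guard uses the normalized path so a caller cannot slip past it with a leading slash.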
