We launched new developer portal. For the latest documentation visit developer.cloudentity.com

Using Secrets in Scripts and Policies

Using Cloudentity's secrets you can safely store confidential data within Cloudentity, access protected resources from within your scripts, and validate policies in your authorization server.

Create Secret

Secrets represent any information that you want to keep confidential. They are encrypted after creation, meaning that their value cannot be retrieved in any way outside of a scripted function or a policy validator.

ACP allows you to define secrets which can be used in JavaScript function calls and policies. The video below shows how to add and manage secrets.

  1. Go to Extensions > Secrets in the left-hand menu. The Secrets page opens.

    Secrets in Scripts Page

    You can also manage secrets from the contextual menu in the Extensions page.

  2. Select Create Secret. Provide the secret name and value in the pop-up window when prompted.


    You won’t be able to see the secret value after it’s saved. It can be only retrieved by an extension script or a policy validator.

  3. Select Create. Your secret is added to the list.

You can manage your secrets from the workspace settings page. Go to Settings -> Secrets to edit secret values, delete secrets, or create new secrets.

Use Secret in Extension

To use your secret in an extension script, provide the secret name within a function via the context.secrets.SCRIPT_NAME reference:

module.exports = async function(context) {
    return {
          secret: context.secrets.SCRIPT_NAME

Such reference is ready out of the box if you create a script from the Sample with secret template.

Use Secret in Policy

To use your secret in Cloudentity policy editor, refer to it in a policy validator by selecting Secrets as the source or target and providing the secret name. The secret value is then used for comparison in the validator. For more information, read Creating a policy in Cloudentity editor.

To use your secret in a Rego policy, see Rego secret check policy.