Skip to main content
The HTTP secret proxy lets a user or service account use a credential without exposing the secret value to the caller.
{api_url}/proxy-request?url={target_url}&secret-id={secret_id}
Add user={email} when the request should use a user-owned secret for a specific user.

Authorization

OAuth callers must own the user secret. If user is supplied, it must match the OAuth subject. API-key callers run as the API key’s service account. The service account must have use_proxy_secrets, and the target secret must grant that service account per-secret use_proxy.

Behavior

The proxy sets the upstream Authorization header from the secret value. OAuth credential secrets are refreshed when needed and saved as a new secret version. The proxy supports normal HTTP requests, WebSocket upgrades, and streaming SSE responses.