API Documentation

Fetch secrets at runtime with one HTTP call. No SDK required.

Quick Start

Get up and running with Kevorax in under 3 minutes.

Create a project and add secrets

Sign in to Kevorax, create a project, and add your API keys with memorable aliases like STRIPE_SECRET_KEY or OPENAI_API_KEY.

Generate a project token

Go to your project settings and generate an access token. This token starts with kev_proj_ and authenticates your API requests.

Fetch secrets at runtime

bash

curl -H "Authorization: Bearer kev_proj_your_token_here" \
  https://kevorax.com/api/runtime/secrets/STRIPE_SECRET_KEY

Authentication

All API requests require a project token passed in the Authorization header.

bash

Authorization: Bearer kev_proj_xxxxxxxxxxxxxxxxxxxx

Security Note: Project tokens should be stored as environment variables, never committed to source control. Each token only has access to secrets assigned to its specific project.

API Endpoints

Base URL: https://kevorax.com/api/runtime

GET/secrets

Retrieve all secrets assigned to the project.

Response

json

{
  "success": true,
  "data": [
    {
      "alias": "STRIPE_SECRET_KEY",
      "value": "sk_live_xxxxx",
      "provider": "stripe",
      "expires_at": null
    },
    {
      "alias": "OPENAI_API_KEY", 
      "value": "sk-xxxxx",
      "provider": "openai",
      "expires_at": "2025-12-31T23:59:59Z"
    }
  ]
}

GET/secrets/{alias}

Retrieve a single secret by its alias.

Path Parameters

aliasrequired

string—The alias of the secret (e.g., STRIPE_SECRET_KEY)

Response

json

{
  "success": true,
  "data": {
    "alias": "STRIPE_SECRET_KEY",
    "value": "sk_live_xxxxx",
    "provider": "stripe",
    "expires_at": null
  }
}

POST/resolve

Resolve multiple secrets in a single request.

Request Body

json

{
  "aliases": ["STRIPE_SECRET_KEY", "OPENAI_API_KEY", "DATABASE_URL"]
}

Response

json

{
  "success": true,
  "data": {
    "STRIPE_SECRET_KEY": "sk_live_xxxxx",
    "OPENAI_API_KEY": "sk-xxxxx",
    "DATABASE_URL": "postgres://user:pass@host:5432/db"
  },
  "missing": []
}

Code Examples

Copy-paste examples for popular languages. No SDK needed — just HTTP.

JavaScript / Node.js

javascript

// Using fetch (Node.js 18+ or browser)
async function getSecret(alias) {
  const response = await fetch(
    `https://kevorax.com/api/runtime/secrets/${alias}`,
    {
      headers: {
        'Authorization': `Bearer ${process.env.KEVORAX_TOKEN}`
      }
    }
  );
  
  if (!response.ok) {
    throw new Error(`Failed to fetch secret: ${response.status}`);
  }
  
  const { data } = await response.json();
  return data.value;
}

// Usage
const stripeKey = await getSecret('STRIPE_SECRET_KEY');
const stripe = new Stripe(stripeKey);

Python

python

import os
import requests

def get_secret(alias: str) -> str:
    """Fetch a secret from Kevorax by alias."""
    response = requests.get(
        f"https://kevorax.com/api/runtime/secrets/{alias}",
        headers={
            "Authorization": f"Bearer {os.environ['KEVORAX_TOKEN']}"
        }
    )
    response.raise_for_status()
    return response.json()["data"]["value"]

# Usage
stripe_key = get_secret("STRIPE_SECRET_KEY")
openai_key = get_secret("OPENAI_API_KEY")

Go

package main

import (
    "encoding/json"
    "fmt"
    "net/http"
    "os"
)

type SecretResponse struct {
    Success bool `json:"success"`
    Data    struct {
        Value string `json:"value"`
    } `json:"data"`
}

func getSecret(alias string) (string, error) {
    url := fmt.Sprintf("https://kevorax.com/api/runtime/secrets/%s", alias)
    
    req, _ := http.NewRequest("GET", url, nil)
    req.Header.Set("Authorization", "Bearer "+os.Getenv("KEVORAX_TOKEN"))
    
    resp, err := http.DefaultClient.Do(req)
    if err != nil {
        return "", err
    }
    defer resp.Body.Close()
    
    var result SecretResponse
    json.NewDecoder(resp.Body).Decode(&result)
    
    return result.Data.Value, nil
}

cURL

bash

# Get a single secret
curl -H "Authorization: Bearer $KEVORAX_TOKEN" \
  https://kevorax.com/api/runtime/secrets/STRIPE_SECRET_KEY

# Get all secrets
curl -H "Authorization: Bearer $KEVORAX_TOKEN" \
  https://kevorax.com/api/runtime/secrets

# Resolve multiple secrets
curl -X POST \
  -H "Authorization: Bearer $KEVORAX_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"aliases": ["STRIPE_SECRET_KEY", "OPENAI_API_KEY"]}' \
  https://kevorax.com/api/runtime/resolve

Framework Integrations

Next.js / Vercel

Fetch secrets in getServerSideProps or API routes.

javascript

// pages/api/charge.js
export default async function handler(req, res) {
  const stripeKey = await getSecret('STRIPE_SECRET_KEY');
  const stripe = new Stripe(stripeKey);
  // ... process payment
}

AWS Lambda

Fetch secrets at cold start or per-invocation.

javascript

// handler.js
let cachedSecrets = null;

export async function handler(event) {
  if (!cachedSecrets) {
    cachedSecrets = await fetchAllSecrets();
  }
  // Use cachedSecrets.STRIPE_KEY
}

Cloudflare Workers

Works with Workers fetch API.

javascript

// worker.js
export default {
  async fetch(request, env) {
    const secret = await getSecret('API_KEY', env.KEVORAX_TOKEN);
    // ... use secret
  }
}

Docker

Pass token as environment variable.

bash

# docker-compose.yml
services:
  app:
    environment:
      - KEVORAX_TOKEN=kev_proj_xxx

Error Handling

The API returns standard HTTP status codes and JSON error responses.

Status	Meaning	Solution
`401`	Unauthorized	Check your project token is valid and not expired
`403`	Forbidden	Token doesn't have access to this secret/project
`404`	Not Found	Secret alias doesn't exist in this project
`429`	Rate Limited	Too many requests — implement caching
`500`	Server Error	Contact support if persistent

Error Response Format

json

{
  "success": false,
  "error": {
    "code": "SECRET_NOT_FOUND",
    "message": "No secret found with alias 'INVALID_KEY'"
  }
}

Best Practices

Cache secrets in memory

Fetch once at startup or cold start, not on every request. Secrets rarely change.

javascript

// Good: Cache at startup
let secrets = null;
async function getSecrets() {
  if (!secrets) {
    secrets = await fetchAllSecrets();
  }
  return secrets;
}

Use environment variables for the token

Never hardcode your project token. Use KEVORAX_TOKEN environment variable.

bash

# .env (local development)
KEVORAX_TOKEN=kev_proj_dev_xxxxx

# Production: Set via your platform's secrets/env UI

Handle errors gracefully

Always have fallback behavior if secret fetching fails.

javascript

try {
  const apiKey = await getSecret('OPENAI_API_KEY');
} catch (error) {
  console.error('Failed to fetch secret:', error);
  // Fallback or graceful degradation
}

Rotate tokens periodically

Generate new project tokens every 90 days and revoke old ones.

Use separate projects for environments

Create separate projects for dev, staging, and production. Each gets its own token with its own secrets.

Ready to secure your secrets?

Start your 7-day free trial. No credit card required.

Get Started Free