Secrets RPC

Secrets are stored in Supabase Vault. Only metadata (name, scope, created_by) is returned by the API — secret values are never returned after creation.

Secrets are scoped by a p_scope value ('organization' or 'user') and a corresponding p_id (the org UUID or user UUID).


create_secret(p_scope, p_id, p_name, p_secret)

Stores a secret in Vault and records its metadata. Returns the UUID of the new secret record.

Signature

public.create_secret(
  p_scope TEXT,
  p_id UUID,
  p_name TEXT,
  p_secret TEXT
)
RETURNS UUID

Parameters

| Parameter | Description |
| --- | --- |
| p_scope | 'organization' or 'user' |
| p_id | The UUID of the org or user this secret belongs to |
| p_name | A human-readable name for the secret (e.g. 'stripe_api_key') |
| p_secret | The secret value to store in Vault |

Usage

// Store an organization-scoped secret
const { data: secretId, error } = await supabase.rpc('create_secret', {
  p_scope: 'organization',
  p_id: 'org-uuid',
  p_name: 'stripe_api_key',
  p_secret: 'sk_live_...'
});

// Store a user-scoped secret
// (distinct variable names so both calls can live in the same scope)
const { data: userSecretId, error: userError } = await supabase.rpc('create_secret', {
  p_scope: 'user',
  p_id: 'user-uuid',
  p_name: 'personal_api_key',
  p_secret: 'token_value'
});

list_secrets(p_scope, p_id)

Returns metadata for secrets. Both parameters are optional: omit them to list all accessible secrets, or provide both to filter by scope and owner.

Signature

public.list_secrets(
  p_scope TEXT DEFAULT NULL,
  p_id UUID DEFAULT NULL
)
RETURNS TABLE (
  id UUID,
  scope TEXT,
  organization_id UUID,
  user_id UUID,
  secret_name TEXT,
  created_at TIMESTAMPTZ,
  created_by UUID
)

Security: Secret values are never included in the response. Only metadata is returned.

Usage

// List all secrets for an organization
const { data: orgSecrets, error: orgError } = await supabase.rpc('list_secrets', {
  p_scope: 'organization',
  p_id: 'org-uuid'
});

// List all secrets for a user
const { data: userSecrets, error: userError } = await supabase.rpc('list_secrets', {
  p_scope: 'user',
  p_id: 'user-uuid'
});

// List all accessible secrets (no filter)
const { data: allSecrets, error: allError } = await supabase.rpc('list_secrets');

delete_secret(p_secret_id)

Soft-deletes the secret’s metadata record and hard-deletes the value from Vault. Once deleted, the secret value cannot be recovered.

Signature

public.delete_secret(p_secret_id UUID)
RETURNS VOID

Usage

await supabase.rpc('delete_secret', {
  p_secret_id: 'secret-uuid'
});

Warning: Deletion from Vault is permanent. The metadata record is soft-deleted (is_deleted = true) but the secret value is gone immediately and cannot be recovered.
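
Because a stored value can never be read back and deletion is permanent, rotation has to create the replacement before removing the old record. The following is an added example, not code from this project: `rotateSecret` and `makeStubClient` are hypothetical helpers, and the stub stands in for the Supabase client so the flow runs offline. It assumes that two secrets may share a name within one scope and that list_secrets omits soft-deleted records; neither is stated on this page.

```javascript
// Added example: rotate a secret using only the three RPCs documented on this page.
// rotateSecret and makeStubClient are hypothetical names, not part of the API.
async function rotateSecret(client, scope, ownerId, name, newValue) {
  const call = async (fn, args) => {
    const { data, error } = await client.rpc(fn, args);
    if (error) throw new Error(`${fn} failed: ${error.message}`);
    return data;
  };
  // 1. Create the replacement first: delete_secret cannot be undone.
  const newId = await call('create_secret', {
    p_scope: scope, p_id: ownerId, p_name: name, p_secret: newValue
  });
  // 2. Confirm the new record is listed before touching the old one.
  const rows = await call('list_secrets', { p_scope: scope, p_id: ownerId });
  if (!rows.some((r) => r.id === newId)) {
    throw new Error('new secret not visible in list_secrets; old secret kept');
  }
  // 3. Delete every older record that carries the same name.
  const stale = rows.filter((r) => r.secret_name === name && r.id !== newId);
  for (const r of stale) await call('delete_secret', { p_secret_id: r.id });
  return { newId, deletedIds: stale.map((r) => r.id) };
}

// Constructed in-memory stand-in for the Supabase client (assumed behaviour).
function makeStubClient() {
  const records = [];      // metadata rows
  const vault = new Map(); // secret values, kept apart from metadata
  let seq = 0;
  const handlers = {
    create_secret({ p_scope, p_id, p_name, p_secret }) {
      const id = `secret-${++seq}`;
      records.push({ id, scope: p_scope, owner: p_id, secret_name: p_name, is_deleted: false });
      vault.set(id, p_secret);
      return id;
    },
    list_secrets({ p_scope, p_id } = {}) {
      return records
        .filter((r) => !r.is_deleted && (!p_scope || (r.scope === p_scope && r.owner === p_id)))
        .map(({ id, scope, secret_name }) => ({ id, scope, secret_name })); // metadata only
    },
    delete_secret({ p_secret_id }) {
      records.find((r) => r.id === p_secret_id).is_deleted = true; // soft delete
      vault.delete(p_secret_id);                                   // hard delete
      return null;
    }
  };
  return { vault, rpc: async (fn, args) => ({ data: handlers[fn](args), error: null }) };
}
```

If step 1 or step 2 fails, the helper throws before any delete_secret call, so the previous secret stays in place.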