For Agents
Store, version, and retrieve sensitive credentials in Google Cloud with IAM-controlled access and CMEK encryption.
Get started with Secret Manager API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"store a secret in google cloud secret manager"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with Secret Manager API.
Create named secrets with replication policies (automatic, multi-region, or user-managed)
Add new secret versions and roll back by accessing earlier versions
Access decoded secret payloads at runtime via the access endpoint
Disable, enable, and destroy individual secret versions for rotation workflows
Use for: Store a database password as a new secret in Secret Manager, Retrieve the latest version of an API key at runtime, Rotate a secret by adding a new version and disabling the old one, List all secret versions for a given secret
Not supported: Does not handle encryption-key management, certificate issuance, or runtime config files — use for storing and versioning opaque secret payloads only.
Google Cloud Secret Manager stores sensitive data such as API keys, passwords, certificates, and database credentials with versioning, IAM-based access control, and CMEK encryption. The API lets agents create secrets, add new versions, access specific versions, enable, disable, and destroy versions, and manage replication policies across regions. It is a managed alternative to rolling your own secret store on top of GCS or running HashiCorp Vault.
Manage IAM bindings on a secret using setIamPolicy and getIamPolicy
List secrets and versions within a Google Cloud project or location
Patterns agents use Secret Manager API for, with concrete tasks.
★ Application Credential Storage
Replace hard-coded credentials in code, environment variables, or build pipelines with Secret Manager. Applications fetch the latest secret version at startup or on a refresh cycle, and operators rotate credentials by adding new versions without redeploying. IAM controls who or which service account can read each secret, and CMEK lets compliance teams hold the encryption keys.
Create a secret named 'db-password' with automatic replication, add a version with the payload bytes of the new password, and grant secretAccessor role to the app's service account.
Automated Secret Rotation
Build a rotation pipeline that issues a new credential from the upstream system (database, third-party API), adds it as a new version of the secret, switches consumers to the new version, then disables and eventually destroys the old version. The Secret Manager API exposes versioned access plus enable, disable, and destroy actions to make this safe and auditable.
Add a new version to projects/myproj/secrets/api-key with the freshly issued key, then call POST on projects/myproj/secrets/api-key/versions/1:disable to retire the previous version.
Compliance-Grade Secret Storage
Use user-managed replication and CMEK to satisfy data-residency and key-ownership requirements. Secrets can be pinned to specific GCP regions and encrypted with keys that customers control in Cloud KMS. IAM audit logs record every access, supporting SOC 2, ISO 27001, and HIPAA evidence requirements.
Create a secret with replication.userManaged.replicas pinned to us-central1 and europe-west1, each using a customer-managed KMS key.
AI Agent Credential Vault
An AI agent that calls many third-party APIs uses Secret Manager as its credential vault. Through Jentic the agent never touches the raw secret payload — Jentic resolves and injects credentials at execution time. Useful for multi-tenant agent platforms where each tenant brings their own keys.
Call GET on projects/{project}/secrets/{secret}/versions/latest:access to retrieve the decoded payload, then use it as the bearer token for a downstream API call.
15 endpoints — Google Cloud Secret Manager stores sensitive data such as API keys, passwords, certificates, and database credentials with versioning, IAM-based access control, and CMEK encryption.
PATH                        DESCRIPTION
/v1/{+parent}/secrets       List secrets in a project
/v1/{+parent}/secrets       Create a new secret
/v1/{+parent}:addVersion    Add a new version to a secret
/v1/{+name}:access          Access a decoded secret version payload
/v1/{+name}:disable         Disable a secret version
/v1/{+name}:destroy         Permanently destroy a secret version
Three things that make agents converge on Jentic-routed access.
Credential isolation
GCP service account keys and OAuth refresh tokens are stored encrypted in the Jentic MAXsystem vault. Agents receive only a short-lived access token to call Secret Manager, and the secret payloads themselves never appear in agent logs or memory beyond the immediate execution.
Intent-based discovery
Agents search Jentic by intent (e.g. 'access the latest secret version') and Jentic returns the matching versions:access operation with its input schema, so the agent never has to navigate the GCP discovery docs.
Time to first call
Direct integration: 1-3 days to set up service accounts, IAM bindings, and a refresh-token cache. Through Jentic: under 30 minutes — search, load, execute.
Alternatives and complements available in the Jentic catalogue.
Google Cloud KMS API
Manages the encryption keys that protect secrets stored in Secret Manager when CMEK is enabled.
Choose Cloud KMS when you need to manage the encryption keys themselves. Use Secret Manager when you want a managed store for the values those keys protect.
Google Cloud IAM API
Controls which principals can access each secret via IAM bindings.
Use IAM API to manage service accounts and roles. Use Secret Manager to store and retrieve the secret values themselves.
Google Cloud API Keys API
Manages Google API keys specifically — narrower than Secret Manager, which holds any opaque secret.
Choose API Keys when the agent needs to mint and restrict Google-specific API keys. Use Secret Manager for arbitrary credentials.
HashiCorp Nomad API
HashiCorp's scheduler that pairs with Vault for secrets in non-GCP environments.
Use HashiCorp tooling for multi-cloud or self-hosted environments. Use Secret Manager when the workload is already on GCP.
Specific to using Secret Manager API through Jentic.
What authentication does the Secret Manager API use?
Secret Manager uses OAuth 2.0 with the cloud-platform scope and IAM permissions like roles/secretmanager.secretAccessor on each secret. Through Jentic the OAuth credentials and service account keys are stored encrypted in MAXsystem and injected at execution time.
Can I rotate a secret without downtime using the Secret Manager API?
Yes. Add a new version to the secret, point consumers at the 'latest' alias or the new version number, then call the disable action on the older version once traffic has cut over. Destroy the old version when you no longer need to roll back.
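The retirement half of that rotation can be planned from a version listing before any call is made. The sketch below is an added example, not Jentic's or Google's code: `rotation_plan`, the `keep_disabled` rollback window and the sample listing are assumptions. It refuses to retire anything unless the replacement version is ENABLED, and never destroys a version in the same pass that disables it.

```python
import re

API = "https://secretmanager.googleapis.com/v1"
_VERSION_RE = re.compile(r"^projects/[^/]+/secrets/[^/]+/versions/(\d+)$")

# Constructed sample, shaped like a version listing (name + state).
SAMPLE_VERSIONS = [
    {"name": "projects/myproj/secrets/api-key/versions/1", "state": "DESTROYED"},
    {"name": "projects/myproj/secrets/api-key/versions/2", "state": "DISABLED"},
    {"name": "projects/myproj/secrets/api-key/versions/3", "state": "ENABLED"},
    {"name": "projects/myproj/secrets/api-key/versions/4", "state": "ENABLED"},
    {"name": "projects/myproj/secrets/api-key/versions/5", "state": "ENABLED"},
]


def rotation_plan(versions, new_version, keep_disabled=1):
    """Return ordered (method, url) calls retiring versions older than new_version.

    keep_disabled is an assumed policy: how many of the newest retired
    versions stay DISABLED (so they can be re-enabled for rollback).
    """
    numbered = {}
    for v in versions:
        m = _VERSION_RE.match(v["name"])
        if not m:
            raise ValueError(f"unexpected version name: {v['name']!r}")
        numbered[int(m.group(1))] = (v["name"], v["state"])

    # Guard: never retire old versions unless the replacement is readable.
    if numbered.get(new_version, ("", ""))[1] != "ENABLED":
        raise ValueError(f"version {new_version} is not ENABLED; nothing retired")

    # Older versions that still hold a payload, newest first.
    older = [n for n in sorted(numbered, reverse=True)
             if n < new_version and numbered[n][1] != "DESTROYED"]
    plan = []
    for rank, n in enumerate(older):
        name, state = numbered[n]
        if state == "ENABLED":
            # Still readable by consumers: disable now, destroy on a later pass.
            plan.append(("POST", f"{API}/{name}:disable"))
        elif rank >= keep_disabled:
            # Already disabled and outside the rollback window.
            plan.append(("POST", f"{API}/{name}:destroy"))
    return plan
```
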
What are the rate limits for the Secret Manager API?
Google enforces a default per-project quota of 90,000 access requests per minute and lower limits for write operations like AddSecretVersion (around 60 per minute per secret). Quotas can be raised via the Cloud Console quota page.
How do I retrieve a secret value at runtime through Jentic?
Run the Jentic search query 'access a secret manager secret', load the GET projects/{project}/secrets/{secret}/versions/{version}:access operation, and execute it. Jentic resolves the underlying GCP credentials so the agent only sees the decoded payload.
Does Secret Manager support customer-managed encryption keys?
Yes. When you create a secret with user-managed replication you can specify a Cloud KMS customerManagedEncryption.kmsKeyName per replica. The key must be in the same region as the replica.
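A pre-flight check for the same-region rule, as an added example rather than code from Jentic or Google: it builds the create-secret request for user-managed replication with one CMEK key per replica and rejects any key whose location differs from its replica. The function names, project, key ring and key names are assumptions.

```python
import re
from urllib.parse import quote

API = "https://secretmanager.googleapis.com/v1"
# Cloud KMS key resource name; group 1 is the key's location.
_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/([^/]+)/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


def user_managed_replication(replica_keys):
    """Build the replication body from {replica location: kmsKeyName}."""
    if not replica_keys:
        raise ValueError("at least one replica is required")
    replicas = []
    for location, key_name in sorted(replica_keys.items()):
        m = _KEY_RE.match(key_name)
        if not m:
            raise ValueError(f"not a KMS key resource name: {key_name!r}")
        if m.group(1) != location:
            # The key must be in the same region as the replica it protects.
            raise ValueError(
                f"replica {location!r} uses a key in {m.group(1)!r}"
            )
        replicas.append({
            "location": location,
            "customerManagedEncryption": {"kmsKeyName": key_name},
        })
    return {"replication": {"userManaged": {"replicas": replicas}}}


def create_secret_request(project, secret_id, replica_keys):
    """Return (method, url, json_body) for creating the secret; sends nothing."""
    url = f"{API}/projects/{quote(project, safe='')}/secrets?secretId={quote(secret_id, safe='')}"
    return "POST", url, user_managed_replication(replica_keys)


# Constructed sample: the two regions named above, with hypothetical keys.
SAMPLE_KEYS = {
    "us-central1": "projects/myproj/locations/us-central1/keyRings/secrets/cryptoKeys/sm-us",
    "europe-west1": "projects/myproj/locations/europe-west1/keyRings/secrets/cryptoKeys/sm-eu",
}
```
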
Can I list every version of a secret with this API?
Yes. Use GET on projects/{project}/secrets/{secret}/versions to page through every version, including their state (ENABLED, DISABLED, DESTROYED) and create timestamps.