API reference

secret declares static, random, and generated secrets with version-aware runtime access.

Import

import { secret } from "@layeron/modules"

`secret.static`

Declare a static secret reference.

TypeSpec operation: secretStatic.

secret.static(options: StaticSecretOptions): SecretModule

SecretRetentionOptions

Previous-version retention policy.

Field	Type	Description
`mode`	`SecretRetentionMode`	Retention mode.
`days`	`int32 \| undefined`	Days to retain previous versions when mode is retain_for.

SecretRotationOptions

Rotation policy for random secrets and generated secret metadata.

Field	Type	Description
`everyDays`	`int32 \| undefined`	Rotation interval in days.
`startAt`	`string \| undefined`	RFC3339 time for the first scheduled rotation.
`retain`	`SecretRetentionOptions \| undefined`	Previous-version retention policy.

SecretValueOptions

Runtime value format options.

Field	Type	Description
`format`	`SecretValueFormat \| undefined`	Format used when reading the secret.

SecretConsumeOptions

Runtime consumption settings.

Field	Type	Description
`address`	`string \| undefined`	Typed runtime address used by generated bindings.
`expose`	`”current” \| “versioned” \| undefined`	Whether runtime consumers can see only current or versioned values.

SecretOwnershipOptions

Ownership metadata for product-owned secrets.

Field	Type	Description
`ownerProduct`	`string \| undefined`	Owning product name.
`ownerInstanceId`	`string \| undefined`	Owning product instance id.
`purpose`	`string \| undefined`	Business purpose for this secret.

BaseSecretOptions

Common options accepted by secret constructors.

Field	Type	Description
`name`	`string`	Stable secret name.
`namespace`	`string \| undefined`	Platform namespace for the instance. Defaults to `default`.
`rotation`	`SecretRotationOptions \| undefined`	Rotation policy.
`value`	`SecretValueOptions \| undefined`	Value format settings.
`consume`	`SecretConsumeOptions \| undefined`	Runtime consumption settings.
`ownership`	`SecretOwnershipOptions \| undefined`	Ownership metadata for product-owned secrets.

StaticSecretOptions

Options accepted by secret.static().

Field	Type	Description

RandomSecretOptions

Options accepted by secret.random().

Field	Type	Description
`bytes`	`int32 \| undefined`	Number of random bytes to generate. Defaults to 32.

GeneratedSecretOptions

Options accepted by secret.generated(). The value is generated outside application code and stored in the user’s Cloudflare Secrets Store.

Field	Type	Description
`bytes`	`int32 \| undefined`	Expected generated byte count when known.

SecretGeneratedMetadata

Generated secret metadata recorded in normalized module config.

Field	Type	Description
`type`	`”random” \| “custom”`	Generated value source type.
`bytes`	`int32 \| undefined`	Generated byte count when known.

SecretModuleConfig

Normalized Layeron secret module configuration.

Field	Type	Description
`kind`	`”secret”`	Module config kind.
`name`	`string`	Stable secret name.
`namespace`	`string`	Platform namespace for the instance. Defaults to `default`.
`secretKind`	`SecretKind`	Secret value source kind.
`bytes`	`int32 \| undefined`	Generated byte count when applicable.
`rotation`	`SecretRotationOptions \| undefined`	Rotation policy.
`value`	`SecretValueOptions`	Value format settings.
`consume`	`SecretConsumeOptions`	Runtime consumption settings.
`ownership`	`SecretOwnershipOptions \| undefined`	Ownership metadata for product-owned secrets.
`generated`	`SecretGeneratedMetadata \| undefined`	Generated secret metadata when the declaration creates or expects a generated value.

SecretGetInput

Selector accepted by secret version reads.

Field	Type	Description
`kind`	`”current” \| “version” \| “at” \| “active”`	Selector kind.
`version`	`string \| undefined`	Version id when kind is version.
`at`	`string \| undefined`	RFC3339 timestamp when kind is at or active.

SecretVersionResult

One resolved secret version.

Field	Type	Description
`value`	`string`	Secret value encoded according to the configured value format.
`version`	`string \| undefined`	Version id.
`activeFrom`	`string \| undefined`	Activation timestamp.
`expiresAt`	`string \| undefined`	Expiration timestamp.
`current`	`boolean \| undefined`	Whether this is the current version.

SecretGetResult

Result returned by secret reads.

Field	Type	Description
`values`	`SecretVersionResult[]`	Matching secret versions.

SecretModule

Layeron secret module returned by secret constructors.

Field	Type	Description
`name`	`”secret”`	Module name.
`config`	`SecretModuleConfig`	Normalized module configuration.

SecretRetentionMode

Retention mode for previous secret versions.

Value	Description
`none`	Retire previous versions immediately.
`retain_for`	Retain previous versions for a fixed number of days.
`retain_forever`	Retain previous versions until explicit cleanup.

SecretValueFormat

Secret value serialization format.

Value	Description
`text`	Plain text value.
`json`	JSON value.
`kv`	Key-value shaped JSON value.

SecretKind

Secret value source kind.

Value	Description
`static`	The value is supplied outside the app declaration.
`random`	Layeron creates a random value during controlled secret creation.
`generated`	Layeron records a generated value source that is fulfilled by local CLI or product-specific apply flows.

Operations

`secret.random`

Declare a random generated secret.

TypeSpec operation: secretRandom.

secret.random(options: RandomSecretOptions): SecretModule

`secret.generated`

Declare generated secret metadata for a value produced outside application code.

TypeSpec operation: secretGenerated.

secret.generated(options: GeneratedSecretOptions): SecretModule

`secretGet`

Read one or more secret versions.

secretGet(input: SecretGetInput): SecretGetResult

TypeScript module methods

Method	Description
`hmac()`	Sign a message with the current secret value as an HMAC key.
`verifyHmac()`	Verify an HMAC signature with the current secret value.
`signJwt()`	Sign a JWT with the current secret or an explicit key.
`verifyJwt()`	Verify a JWT with the current secret or an explicit key.