Use this path if you want to modify the source code and run from your workstation.

- `AUTH_TOKEN_EXPIRATION_SECONDS` default is `14400` (4 hours)
- `RATE_LIMIT_ENABLED` default is `true` (per authenticated client)
- `RATE_LIMIT_TOKEN_ENABLED` default is `true` (per IP on `POST /v1/token`)
- `CORS_ENABLED` default is `false`

These defaults were introduced in v0.5.0, with token-endpoint rate limiting added in v0.7.0.

- Go 1.25+
- Docker (for local database)

```bash
git clone https://github.com/allisson/secrets.git
cd secrets
go mod download
```

```bash
make build
```

KMS mode is required as of v0.19.0. For local development, use the `localsecrets` provider:

```bash
# Generate a KMS encryption key (32 random bytes, base64-encoded)
KMS_KEY=$(openssl rand -base64 32)

# Create master key with KMS encryption
./bin/app create-master-key --id default \
  --kms-provider=localsecrets \
  --kms-key-uri="base64key://${KMS_KEY}"

# Copy example environment file
cp .env.example .env
```

The command output will include:

- `KMS_PROVIDER` and `KMS_KEY_URI` (already set if you used the command above)
- `MASTER_KEYS` - paste this into your `.env` file
- `ACTIVE_MASTER_KEY_ID` - paste this into your `.env` file

Your .env file should look like:

```
KMS_PROVIDER=localsecrets
KMS_KEY_URI=base64key://<generated-key>
MASTER_KEYS=default:<kms-encrypted-value>
ACTIVE_MASTER_KEY_ID=default
```

```bash
make dev-postgres
```

Default connection in `.env` can be:

```
DB_DRIVER=postgres
DB_CONNECTION_STRING=postgres://user:password@localhost:5432/mydb?sslmode=disable
```

```bash
./bin/app migrate
./bin/app create-kek --algorithm aes-gcm
```

```bash
./bin/app server
```

In another terminal, create your first API client and policy set:

```bash
./bin/app create-client \
  --name bootstrap-admin \
  --active \
  --policies '[{"path":"*","capabilities":["read","write","delete","encrypt","decrypt","rotate"]}]' \
  --format json
```

Save the returned `client_id` and one-time secret securely.

```bash
curl -X POST http://localhost:8080/v1/token \
  -H "Content-Type: application/json" \
  -d '{"client_id":"<client-id>","client_secret":"<client-secret>"}'
```

```bash
curl http://localhost:8080/health
```
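
A sanity check for the `.env` assembled in the steps above, added here as an example and not part of the project's own tooling. The names `env_get`, `check_env` and `write_sample_env` are hypothetical, `MASTER_KEYS` is assumed to be a comma-separated list of `id:value` pairs, and both standard and URL-safe base64 are accepted in `KMS_KEY_URI`.

```bash
#!/bin/sh
# Added example: lint the .env built in the steps above. Prints one line per
# finding and returns 0 when clean, 1 otherwise.
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }  # env_get FILE KEY

check_env() (
  file=$1 rc=0
  uri=$(env_get "$file" KMS_KEY_URI)
  keys=$(env_get "$file" MASTER_KEYS)
  active=$(env_get "$file" ACTIVE_MASTER_KEY_ID)
  db=$(env_get "$file" DB_CONNECTION_STRING)
  # The file holds the KMS key in clear text: no group/other permission bits.
  if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "PERMS: $file is accessible to group/other (chmod 600)"; rc=1
  fi
  # The output of openssl rand -base64 32 must decode back to exactly 32 bytes.
  key=${uri#base64key://}
  len=$(( $(printf '%s' "$key" | tr '_-' '/+' | base64 -d 2>/dev/null | wc -c) ))
  if [ "$key" = "$uri" ] || [ "$len" -ne 32 ]; then
    echo "KMS_KEY_URI: want base64key://<32-byte key>, decoded $len bytes"; rc=1
  fi
  # Assumption: MASTER_KEYS is a comma-separated list of id:value pairs.
  case ",$keys" in
    *",$active:"?*) ;;
    *) echo "ACTIVE_MASTER_KEY_ID: '$active' has no entry in MASTER_KEYS"; rc=1 ;;
  esac
  # sslmode=disable is only acceptable for the local Docker database.
  case "$db" in
    *sslmode=disable*)
      case "$db" in
        *@localhost[:/]*|*@127.0.0.1[:/]*) ;;
        *) echo "DB_CONNECTION_STRING: sslmode=disable on a non-local host"; rc=1 ;;
      esac ;;
  esac
  return $rc
)

# Constructed sample (all-zero key, placeholder ciphertext), not real secrets.
write_sample_env() (
  umask 077
  { printf 'KMS_KEY_URI=base64key://%s\n' "$(head -c 32 /dev/zero | base64)"
    printf 'MASTER_KEYS=default:placeholder-ciphertext\n'
    printf 'ACTIVE_MASTER_KEY_ID=default\n'
    printf 'DB_CONNECTION_STRING=%s\n' \
      'postgres://user:password@localhost:5432/mydb?sslmode=disable'
  } > "$1"
)

if [ "$#" -gt 0 ]; then check_env "$1"; fi  # usage: sh check-env.sh .env
```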