UniteLabs
Concepts

Secrets

Secure and manage credentials like API keys, tokens, and passwords for safe and reusable access in workflows.

UniteLabs Secrets Management

Overview

Secrets in UniteLabs provide a secure way to store sensitive credentials—such as API keys, tokens, and passwords—that are essential for accessing external systems and instruments in your workflows.

Instead of hardcoding credentials or sharing them manually, you can define and manage secrets in a centralized, encrypted environment. This helps ensure security, scalability, and repeatability when running lab automation.

With UniteLabs Secrets, you can:

  • Store environment-specific credentials for APIs, devices, and services
  • Reuse secrets across multiple workflows without exposing sensitive values
  • Rotate or revoke credentials without changing workflow logic
  • Categorize secrets by type (e.g. string, JSON, connection) for structured access

Secrets integrate seamlessly into the workflow engine, letting scientists and engineers focus on automation logic while maintaining compliance and security across labs.


Authentication

All API calls require a bearer token obtained from the UniteLabs identity provider. Replace <tenant-id> with your organization's tenant ID:

curl -X POST \
  "https://auth.unitelabs.io/realms/<tenant-id>/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=<your-client-id>" \
  -d "client_secret=<your-client-secret>"

Use the returned access_token as Authorization: Bearer <token> on every subsequent request.

Inside workflows, use the UniteLabs UniteLabs SDK (unitelabs-sdk) — it handles token acquisition and refresh automatically. See the examples below.

Endpoints

Base URL: http://unitelabs-api.<tenant-id>.svc

MethodPathDescription
GET/v1/secrets/typesList available secret types
GET/v1/secrets/schemas/{slug}Get the JSON schema for a secret type
GET/v1/secretsList secrets (filter by name)
GET/v1/secrets/{id}Get a secret by ID
POST/v1/secretsCreate a new secret
PATCH/v1/secrets/{id}Update an existing secret
DELETE/v1/secrets/{id}Delete a secret

List secret types

Returns the available secret types (e.g. string, json, aws-s3, postgres).

curl -X GET \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets/types" \
  -H "Authorization: Bearer <token>"

Get schema for a secret type

Returns the JSON schema describing the required fields for a given secret type slug.

curl -X GET \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets/schemas/aws-s3" \
  -H "Authorization: Bearer <token>"

Create a secret

Creates a new secret. The type field must be a valid slug from /v1/secrets/types. The parameters object must match the schema for that type.

curl -X POST \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "datalake-admin",
    "type": "aws-s3",
    "parameters": {
      "minio_root_user": "my-access-key",
      "minio_root_password": "my-secret-key",
      "aws_client_parameters": {
        "endpoint_url": "http://minio.svc:9000",
        "bucket_name": "lab-data"
      }
    }
  }'

Response 201 Created:

{
  "id": "a3bb189e-8bf9-3888-9912-ace4e6543002",
  "name": "datalake-admin",
  "type": "aws-s3"
}

List secrets

Returns all secrets matching the name query parameter. Pass a partial name to search, or an exact name to fetch a specific secret.

# List all secrets with a name starting with "datalake"
curl -X GET \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets?name=datalake" \
  -H "Authorization: Bearer <token>"

Response 200 OK:

[
  {
    "id": "a3bb189e-8bf9-3888-9912-ace4e6543002",
    "name": "datalake-admin",
    "type": "aws-s3",
    "parameters": {
      "minio_root_user": "my-access-key",
      "minio_root_password": "my-secret-key",
      "aws_client_parameters": {
        "endpoint_url": "http://minio.svc:9000",
        "bucket_name": "lab-data"
      }
    }
  }
]

Get a secret by ID

Fetch a single secret by its UUID.

curl -X GET \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets/a3bb189e-8bf9-3888-9912-ace4e6543002" \
  -H "Authorization: Bearer <token>"

Update a secret

Partial update — only include fields you want to change. Useful for rotating credentials without recreating the secret or updating any workflow code that references it by name.

curl -X PATCH \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets/a3bb189e-8bf9-3888-9912-ace4e6543002" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "parameters": {
      "minio_root_password": "new-rotated-secret-key"
    }
  }'

Response 200 OK — returns the full updated secret object.


Delete a secret

Permanently removes a secret. Workflows that reference it by name will fail until a replacement is created.

curl -X DELETE \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets/a3bb189e-8bf9-3888-9912-ace4e6543002" \
  -H "Authorization: Bearer <token>"

Response 200 OK.


Common use cases

Load credentials in a workflow

The most common pattern: load all secrets at the start of a Prefect task and extract the ones you need by name.

curl -X GET \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets?name=warehouse-admin" \
  -H "Authorization: Bearer <token>"

Rotate a credential without touching workflow code

When a key is compromised or expires, update only the secret value. Every workflow that loads credentials at runtime will pick up the new value on its next run — no code changes required.

# 1. Find the secret ID
curl -X GET \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets?name=benchling-credentials" \
  -H "Authorization: Bearer <token>"

# 2. Update only the API key field
curl -X PATCH \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets/<secret-id>" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"parameters": {"api_key": "<new-api-key>"}}'

Bootstrap secrets for a new environment

Create all required secrets for a fresh deployment in one script:

curl -X POST \
  "http://unitelabs-api.<tenant-id>.svc/v1/secrets" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "warehouse-admin",
    "type": "postgres",
    "parameters": {
      "host": "postgres.svc",
      "port": 5432,
      "database": "unitelabs",
      "username": "warehouse_user",
      "password": "secure-password",
      "schema_name": "warehouse"
    }
  }'

Next steps