Security

Secrets Management

How Meridian handles API keys, tokens, and sensitive configuration so your recipes stay secure without slowing you down.

The problem

Recipes often need API keys, database passwords, or third-party tokens. Hard-coding them into source files leaks credentials into version control, logs, and build artifacts. Meridian treats secrets as a first-class concept — never stored in plaintext, never shipped in the recipe bundle.

How it works

When you define a secret in your recipe manifest, Meridian encrypts it with AES-256-GCM before it touches disk. At runtime, the loader decrypts secrets into a guarded memory region that self-zeroes after the recipe completes. No secret ever appears in environment variables or child process arguments. Once a recipe holds the plaintext, keeping it out of the recipe's own output, such as logs and error messages, is the recipe author's responsibility.

Key hierarchy

Each workspace has a root key derived from your hardware fingerprint and a recovery phrase. Recipe secrets are wrapped with per-recipe data keys, which are themselves wrapped by the workspace root. Rotating the root therefore only re-wraps the data keys, one small operation per recipe, without re-encrypting every secret.

Audit & rotation

Every secret access is logged with the recipe run ID and timestamp. Meridian can detect stale secrets, those not rotated within your configured rotation window, and surface them in the dashboard. One-click rotation generates a new data key and re-encrypts the recipe's secrets in place. Note what this rotates: the key protecting the stored value, not the credential itself. A leaked API key or database password still has to be revoked and reissued by the service that issued it, and the new value entered in the manifest.
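The encrypt-before-disk path, the key hierarchy and the two kinds of rotation described above are easier to follow in code. The Go program below is an added example written for this page, not Meridian's own code: it models one recipe's stored secrets as an envelope (a data key wrapped by the root key, each secret sealed under the data key with AES-256-GCM), the runtime load that unwraps the data key and zeroes it afterwards, root rotation that re-wraps only the data key, and data-key rotation that re-encrypts every secret. The names Envelope, Encrypt, Load, RotateRoot and RotateDataKey, the AAD slot labels, and the random root key standing in for the fingerprint-plus-recovery-phrase derivation are all assumptions of the example; the page does not describe Meridian's actual record format or derivation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// blob is one AES-256-GCM ciphertext plus the random 96-bit nonce used to make it.
type blob struct{ nonce, ct []byte }

// Envelope is one recipe's stored record (assumed layout, not Meridian's): the data key
// wrapped by the workspace root key, and each secret sealed under that data key.
type Envelope struct {
	WrappedDEK blob
	Secrets    map[string]blob
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: nothing safe to do but stop
	}
	return b
}

// zero wipes a buffer that held key or secret material (best effort in a GC'd language).
func zero(b []byte) { copy(b, make([]byte, len(b))) }

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // a wrong key length is a caller bug, never runtime input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts pt with a fresh random nonce; aad is authenticated, tying the blob to its slot.
func seal(key, pt, aad []byte) blob {
	g, nonce := gcm(key), randBytes(12) // GCM's standard 96-bit nonce
	return blob{nonce, g.Seal(nil, nonce, pt, aad)}
}

// open fails the GCM tag check if key, aad or ciphertext differ from what was sealed.
func open(key []byte, b blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(b.nonce) != g.NonceSize() { // gcm.Open panics on a bad nonce length, so reject it first
		return nil, fmt.Errorf("bad nonce length %d", len(b.nonce))
	}
	return g.Open(nil, b.nonce, b.ct, aad)
}

// Slot labels used as AAD: a blob copied to another recipe or secret name will not open.
func aadDEK(recipe string) []byte          { return []byte("dek:" + recipe) }
func aadSecret(recipe, name string) []byte { return []byte("secret:" + recipe + "/" + name) }

// Encrypt mints a data key, seals each secret under it and wraps the data key under root.
func Encrypt(root []byte, recipe string, secrets map[string][]byte) Envelope {
	dek := randBytes(32)
	defer zero(dek) // the plaintext data key lives only for the duration of this call
	env := Envelope{WrappedDEK: seal(root, dek, aadDEK(recipe)), Secrets: map[string]blob{}}
	for name, pt := range secrets {
		env.Secrets[name] = seal(dek, pt, aadSecret(recipe, name))
	}
	return env
}

// Load is the runtime path: unwrap the data key, decrypt the recipe's secrets, drop the
// data key. The caller owns the returned values and zeroes them when the run ends.
func Load(root []byte, recipe string, env Envelope) (map[string][]byte, error) {
	dek, err := open(root, env.WrappedDEK, aadDEK(recipe))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key for %q: %w", recipe, err)
	}
	defer zero(dek)
	out := map[string][]byte{}
	for name, b := range env.Secrets {
		if out[name], err = open(dek, b, aadSecret(recipe, name)); err != nil {
			return nil, fmt.Errorf("secret %q: %w", name, err)
		}
	}
	return out, nil
}

// RotateRoot re-wraps the data key under newRoot and leaves env.Secrets untouched, so root
// rotation is one small unwrap/wrap per recipe rather than a pass over every secret.
func RotateRoot(oldRoot, newRoot []byte, recipe string, env *Envelope) error {
	dek, err := open(oldRoot, env.WrappedDEK, aadDEK(recipe))
	if err != nil {
		return err
	}
	defer zero(dek)
	env.WrappedDEK = seal(newRoot, dek, aadDEK(recipe))
	return nil
}

// RotateDataKey is the per-recipe rotation: load the secrets, then re-encrypt them in place
// under a freshly minted data key. Unlike RotateRoot it has to touch every secret.
func RotateDataKey(root []byte, recipe string, env *Envelope) error {
	secrets, err := Load(root, recipe, *env)
	if err != nil {
		return err
	}
	*env = Encrypt(root, recipe, secrets) // Encrypt mints the new data key
	for _, pt := range secrets {
		zero(pt)
	}
	return nil
}
```

Two details are worth keeping when adapting this. The AAD labels mean a ciphertext lifted from one recipe's record cannot be opened under another recipe's name or another secret's name, which closes the swap attacks that plain encryption leaves open. And random 96-bit GCM nonces are only safe while each key seals a modest number of values; a per-recipe data key that is rotated on a schedule keeps that count small, whereas one long-lived key used for millions of seals would need a counter-based nonce or far more frequent rotation.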

Best practices

  • Never paste secrets into recipe code — use the manifest secrets block.
  • Set a rotation window of 30–90 days for production credentials.
  • Use separate secrets for staging and production environments.
  • Store your recovery phrase offline; it is the only way to restore access.