
What is appSecret?

The appSecret is your app’s private decryption key. It’s used to decrypt events that are sent to your app. You receive it when you create an app.

Usage

Pass the appSecret when creating your EnSync client:
const client = await EnSyncClient.create({
  appKey: "ensk_prod_xxxxxxxxxxxxx",
  appSecret: "base64-encoded-private-key"
});

How It Works

Encryption Flow

  1. Publisher encrypts: The event is encrypted with your appId (your app's public key)
  2. EnSync delivers: Encrypted event is sent to your app
  3. Your app decrypts: SDK uses appSecret to decrypt the event

Single Recipient (Asymmetric)

Publisher → Encrypt with recipient's appId → EnSync → Decrypt with appSecret

Multiple Recipients (Hybrid)

Publisher → Encrypt message with AES key
         → Encrypt AES key with each recipient's appId
         → EnSync delivers
         → Each recipient decrypts AES key with their appSecret
         → Decrypt message with AES key
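
The hybrid flow above, sketched with Node's built-in crypto module. This is an added example, not EnSync SDK code: RSA-OAEP and AES-256-GCM are stand-in algorithms (the page does not say which ones EnSync uses), and newRecipient, publish, receive and canOpen are hypothetical names.

```javascript
// Added example. RSA-OAEP and AES-256-GCM are stand-ins chosen for illustration;
// the page does not say which algorithms EnSync uses.
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
        createCipheriv, createDecipheriv, constants } = require("node:crypto");

const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Hypothetical helper: one recipient's key pair (public half ~ appId, private half ~ appSecret).
function newRecipient(name) {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  return { name, appId: publicKey, appSecret: privateKey };
}

// Publisher side: encrypt the payload once, then wrap the AES key for each recipient.
function publish(payload, recipients) {
  const aesKey = randomBytes(32);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", aesKey, iv);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKeys = {};
  for (const r of recipients) {
    wrappedKeys[r.name] = publicEncrypt({ key: r.appId, ...OAEP }, aesKey);
  }
  return { iv, ciphertext, tag, wrappedKeys };
}

// Recipient side: unwrap this recipient's copy of the AES key with appSecret, then decrypt.
function receive(envelope, name, appSecret) {
  const wrapped = envelope.wrappedKeys[name];
  if (!wrapped) throw new Error(`no wrapped key for ${name}`);
  const aesKey = privateDecrypt({ key: appSecret, ...OAEP }, wrapped);
  const decipher = createDecipheriv("aes-256-gcm", aesKey, envelope.iv);
  decipher.setAuthTag(envelope.tag); // final() throws if the ciphertext was altered
  const plain = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// True only if appSecret opens the key copy that was wrapped for `name`.
function canOpen(envelope, name, appSecret) {
  try { receive(envelope, name, appSecret); return true; } catch { return false; }
}

// Constructed sample: two recipients receive the same event.
const demo = ["billing", "audit"].map((n) => newRecipient(n));
const sample = publish({ orderId: 42 }, demo);
console.log(receive(sample, "audit", demo[1].appSecret), canOpen(sample, "audit", demo[0].appSecret));
```

Each recipient can open only the key copy wrapped for its own appId, so a leaked appSecret exposes the events addressed to that one app and not those of the other recipients.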

Security

Keep your appSecret extremely secure! Anyone with your appSecret can:
  • Decrypt all events sent to your app
  • Read sensitive data in event payloads

Best Practices

  • Never commit to version control: Use environment variables or secret managers
  • Never log or print: Avoid exposing in logs or error messages
  • Rotate carefully: Changing appSecret requires coordination with publishers
  • Store securely: Use secret management services (AWS Secrets Manager, HashiCorp Vault, etc.)
# ✅ Use environment variables
export ENSYNC_APP_SECRET="base64-encoded-key"

# ✅ Use secret managers
aws secretsmanager get-secret-value --secret-id ensync/app-secret

// ❌ Don't hardcode
const appSecret = "base64-key"; // Bad!

// ❌ Don't log
console.log("Secret:", appSecret); // Bad!

appId vs appSecret

Your app has both a public and private key:
  • appId (public key): Share with publishers so they can encrypt events for your app (safe to expose)
  • appSecret (private key): Keep secret (never share)

Rotating appSecret

To rotate your appSecret:
  1. Create a new app with the same permissions (see Create Access Key)
  2. Update your app to use the new appKey and appSecret
  3. Notify publishers of your new appId
  4. Update the service key pair if needed (see Update Service Key Pair)
  5. Deprecate the old key after the transition period