# Opaque

> Create an opaque secret to store any text-based sensitive data such as API keys, tokens, or configuration values.

Opaque secrets are the most flexible secret type, allowing you to store any text-based data. Use them for API keys, tokens, configuration values, or any sensitive string that doesn't fit into a more specific secret type.

## Use Cases

* **API Keys**: Store third-party API keys (Stripe, Twilio, SendGrid)
* **Tokens**: JWT secrets, session tokens, webhook signing secrets
* **License Keys**: Software license keys and activation codes
* **Configuration Values**: Sensitive configuration that doesn't fit other types
* **Custom Credentials**: Any text-based secret data

## Configuration Options

| Field      | Description                                     | Required |
| :--------- | :---------------------------------------------- | :------- |
| `payload`  | The secret value to store                       | Yes      |
| `encoding` | How the payload is encoded: `plain` or `base64` | Yes      |

<Note>
  When `encoding` is set to `base64`, the payload will be automatically decoded when accessed by workloads. This is useful for storing binary data or pre-encoded values.
</Note>

***

## Create an Opaque Secret

<Tabs>
  <Tab title="Console UI">
    <Steps>
      <Step title="Navigate to Secrets">
        In the [Control Plane Console](https://console.cpln.io), navigate to **Secrets** and click **New**, or use the **Create** dropdown in the top-right corner and select **Secret**.
      </Step>

      <Step title="Enter basic information">
        Enter a **Name** and optional **Description**.
      </Step>

      <Step title="Select secret type">
        Select **Opaque** as the secret type.
      </Step>

      <Step title="Configure secret data">
        Click **Data** in the left pane. Paste the secret content, drag and drop a file, or click to import. If your data is base64-encoded, enable **Base64 Decode at Runtime** to decode it when accessed.
      </Step>

      <Step title="Create the secret">
        Click **Create**.
      </Step>
    </Steps>
  </Tab>

  <Tab title="CLI">
    Create a file named `secret.txt` with your secret content:

    ```text
    sk_live_abc123xyz789
    ```

    Then create the secret:

    ```bash
    cpln secret create-opaque \
      --name my-api-key \
      --file secret.txt \
      --encoding plain \
      --org my-org
    ```

    <Tip>
      You can also pass the payload directly using `--payload` instead of a file for simple values.
    </Tip>
  </Tab>

  <Tab title="Terraform">
    ```hcl
    resource "cpln_secret" "api_key" {
      name        = "my-api-key"
      description = "Third-party API key"

      opaque {
        payload  = "sk_live_abc123xyz789"
        encoding = "plain"
      }
    }
    ```

    For base64-encoded data:

    ```hcl
    resource "cpln_secret" "encoded_secret" {
      name        = "my-encoded-secret"
      description = "Base64 encoded secret"

      opaque {
        payload  = base64encode("my-secret-value")
        encoding = "base64"
      }
    }
    ```

    <Warning>
      Avoid hardcoding secrets in Terraform files. Use variables, environment variables, or integrate with a secrets manager like HashiCorp Vault.
    </Warning>
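
    The variable-based approach the warning recommends, shown as an added example that is not part of the original Control Plane documentation. The variable name `api_key` and the `TF_VAR_api_key` environment variable are assumptions for illustration:

    ```hcl
    # Added example: the secret value comes from an input variable, not a literal.
    # The variable name "api_key" is an assumption for illustration.
    variable "api_key" {
      description = "Third-party API key, supplied at plan/apply time"
      type        = string
      sensitive   = true # redacts the value in plan/apply output

      validation {
        # Reject an empty value (for example an exported but blank TF_VAR_api_key)
        # and stray whitespace such as a trailing newline copied along with the key.
        condition     = length(var.api_key) > 0 && var.api_key == trimspace(var.api_key)
        error_message = "The api_key value must be non-empty and have no leading or trailing whitespace."
      }
    }

    resource "cpln_secret" "api_key" {
      name        = "my-api-key"
      description = "Third-party API key"

      opaque {
        payload  = var.api_key # no literal in the .tf file or in version control
        encoding = "plain"
      }
    }
    ```

    Supply the value out of band, for example by exporting `TF_VAR_api_key` from your CI secret store before running `terraform apply`. `sensitive = true` only redacts CLI output: the payload is still written to the Terraform state, so the state backend needs encryption and access control.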
  </Tab>

  <Tab title="Pulumi">
    <Tabs>
      <Tab title="TypeScript">
        ```typescript
        import * as cpln from "@pulumiverse/cpln";

        const apiKeySecret = new cpln.Secret("my-api-key", {
          name: "my-api-key",
          description: "Third-party API key",
          opaque: {
            payload: "sk_live_abc123xyz789",
            encoding: "plain",
          },
        });
        ```
      </Tab>

      <Tab title="Python">
        ```python
        import pulumiverse_cpln as cpln

        api_key_secret = cpln.Secret("my-api-key",
            name="my-api-key",
            description="Third-party API key",
            opaque={
                "payload": "sk_live_abc123xyz789",
                "encoding": "plain",
            })
        ```
      </Tab>

      <Tab title="Go">
        ```go
        package main

        import (
            "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
            "github.com/pulumiverse/pulumi-cpln/sdk/go/cpln"
        )

        func main() {
            pulumi.Run(func(ctx *pulumi.Context) error {
                _, err := cpln.NewSecret(ctx, "my-api-key", &cpln.SecretArgs{
                    Name:        pulumi.String("my-api-key"),
                    Description: pulumi.String("Third-party API key"),
                    Opaque: &cpln.SecretOpaqueArgs{
                        Payload:  pulumi.String("sk_live_abc123xyz789"),
                        Encoding: pulumi.String("plain"),
                    },
                })
                return err
            })
        }
        ```
      </Tab>

      <Tab title="C#">
        ```csharp
        using Pulumi;
        using Pulumiverse.Cpln;
        using Pulumiverse.Cpln.Inputs;

        return await Deployment.RunAsync(() =>
        {
            var apiKeySecret = new Secret("my-api-key", new SecretArgs
            {
                Name = "my-api-key",
                Description = "Third-party API key",
                Opaque = new SecretOpaqueArgs
                {
                    Payload = "sk_live_abc123xyz789",
                    Encoding = "plain",
                },
            });
        });
        ```
      </Tab>
    </Tabs>
  </Tab>
</Tabs>

***

## Injecting into Workloads

Reference the secret in your workload as an environment variable:

```yaml
env:
  - name: API_KEY
    value: "cpln://secret/my-api-key"
```

Or mount it as a file:

```yaml
volumes:
  - uri: "cpln://secret/my-api-key"
    path: /secrets/api-key.txt
```

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Using Secrets in Workloads" icon="cube" href="/guides/create-secret/overview#using-secrets-in-workloads">
    Learn how to grant access and inject secrets
  </Card>

  <Card title="Dictionary Secrets" icon="book" href="/guides/create-secret/dictionary">
    Store multiple related values in one secret
  </Card>
</CardGroup>
