# Secrets service

> Secrets decryption RPC and authentication

Krane exposes a SecretsService for workloads. Injected pods call this service to decrypt their secrets blob using Vault.

Service definition: [`svc/krane/proto/krane/v1/secrets.proto`](https://github.com/unkeyed/unkey/blob/main/svc/krane/proto/krane/v1/secrets.proto).

## Authentication

Requests are authenticated with a Kubernetes service account token. Krane validates the token with the TokenReview API, resolves the pod from the token details, and verifies the pod labels match the deployment and environment IDs.

## DecryptSecretsBlob

<RequestField name="DecryptSecretsBlobRequest.encrypted_blob" type="bytes" required>
  JSON-encoded `ctrl.v1.SecretsConfig` bytes containing encrypted values.
</RequestField>

<RequestField name="DecryptSecretsBlobRequest.environment_id" type="string" required>
  Environment ID used as the Vault keyring.
</RequestField>

<RequestField name="DecryptSecretsBlobRequest.token" type="string" required>
  Service account token for validation.
</RequestField>

<RequestField name="DecryptSecretsBlobRequest.deployment_id" type="string" required>
  Deployment ID for token validation.
</RequestField>

<ResponseField name="DecryptSecretsBlobResponse.env_vars" type="map<string,string>">
  Decrypted environment variables.
</ResponseField>

## Decryption flow

The secrets blob contains a map of key names to Vault encrypted values. Krane decrypts each value separately using the environment ID as the keyring, then returns a map of plaintext environment variables.
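The authentication check and the decryption flow described above, combined into one request handler as an added example (this is not Krane's own code). It reads a TokenReview verdict, derives the pod from the service account username and the `authentication.kubernetes.io/pod-name` extra claim the API server sets on bound tokens, compares the pod's labels with the request's deployment and environment IDs, and only then decrypts each value under the environment keyring. The label keys `example.com/deployment-id` and `example.com/environment-id`, the `fakeVault` stand-in for the Vault client, the `podLabels` lookup and the sample token review are assumptions; the page does not give the real label names or the `SecretsConfig` layout, so the blob is passed as a plain map of names to ciphertext.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Label keys are assumed for illustration; the page does not name Krane's real label keys.
const labelDeploymentID = "example.com/deployment-id"
const labelEnvironmentID = "example.com/environment-id"

// "extra" key the API server sets on bound service account tokens (authentication.k8s.io/v1 TokenReview).
const extraPodName = "authentication.kubernetes.io/pod-name"

type podRef struct{ Namespace, Name string } // the pod a bound service account token belongs to

// resolvePod reads a TokenReview response and accepts only authenticated, pod-bound service account tokens.
func resolvePod(reviewJSON []byte) (podRef, error) {
	var tr struct { // the subset of TokenReview.status this check needs
		Status struct {
			Authenticated bool `json:"authenticated"`
			User          struct {
				Username string              `json:"username"`
				Extra    map[string][]string `json:"extra"`
			} `json:"user"`
		} `json:"status"`
	}
	if err := json.Unmarshal(reviewJSON, &tr); err != nil {
		return podRef{}, fmt.Errorf("parse TokenReview: %w", err)
	}
	if !tr.Status.Authenticated {
		return podRef{}, fmt.Errorf("token rejected by TokenReview")
	}
	parts := strings.Split(tr.Status.User.Username, ":") // system:serviceaccount:<namespace>:<name>
	if len(parts) != 4 || parts[0] != "system" || parts[1] != "serviceaccount" {
		return podRef{}, fmt.Errorf("not a service account token: %q", tr.Status.User.Username)
	}
	pods := tr.Status.User.Extra[extraPodName]
	if len(pods) != 1 || pods[0] == "" {
		return podRef{}, fmt.Errorf("token is not bound to a pod")
	}
	return podRef{Namespace: parts[2], Name: pods[0]}, nil
}

// decryptFn stands in for the Vault client's decrypt call; keyring selects the key set.
type decryptFn func(keyring, ciphertext string) (string, error)

// fakeVault is a constructed in-memory stand-in (keyring -> ciphertext -> plaintext) so this runs offline.
func fakeVault(keys map[string]map[string]string) decryptFn {
	return func(keyring, ciphertext string) (string, error) {
		if pt, ok := keys[keyring][ciphertext]; ok {
			return pt, nil
		}
		return "", fmt.Errorf("keyring %q cannot decrypt value", keyring)
	}
}

// decryptBlob decrypts every value under the environment keyring and fails closed on the first
// error, so the caller never receives a partially decrypted set of variables.
func decryptBlob(decrypt decryptFn, environmentID string, blob map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(blob))
	for name, ct := range blob {
		pt, err := decrypt(environmentID, ct)
		if err != nil {
			return nil, fmt.Errorf("decrypt %s: %w", name, err)
		}
		out[name] = pt
	}
	return out, nil
}

// handleDecrypt runs the full flow: validate the token, resolve the pod, verify its labels match the
// request's IDs, then decrypt. podLabels stands in for a Kubernetes pod lookup by namespace and name.
func handleDecrypt(decrypt decryptFn, podLabels func(podRef) (map[string]string, error), reviewJSON []byte, deploymentID, environmentID string, blob map[string]string) (map[string]string, error) {
	pod, err := resolvePod(reviewJSON)
	if err != nil {
		return nil, err
	}
	labels, err := podLabels(pod)
	if err != nil {
		return nil, fmt.Errorf("lookup pod %s/%s: %w", pod.Namespace, pod.Name, err)
	}
	for key, want := range map[string]string{labelDeploymentID: deploymentID, labelEnvironmentID: environmentID} {
		if labels[key] != want {
			return nil, fmt.Errorf("%s does not match pod label", key)
		}
	}
	return decryptBlob(decrypt, environmentID, blob)
}

func main() {
	// Constructed sample: a TokenReview verdict for a pod-bound token and a one-keyring fake vault.
	review := []byte(`{"status":{"authenticated":true,"user":{"username":"system:serviceaccount:unkey:app-sa","extra":{"authentication.kubernetes.io/pod-name":["app-7f9c"]}}}}`)
	vault := fakeVault(map[string]map[string]string{"env_123": {"enc:db": "postgres://example"}})
	podLabels := func(podRef) (map[string]string, error) { return map[string]string{labelDeploymentID: "dep_1", labelEnvironmentID: "env_123"}, nil }
	fmt.Println(handleDecrypt(vault, podLabels, review, "dep_1", "env_123", map[string]string{"DATABASE_URL": "enc:db"}))
}
```

Two design points matter here. The environment ID used as the keyring is the same value that was just checked against the pod's label, so a caller cannot name one environment for the label check and another for decryption. And the decrypt loop returns nothing on the first failure rather than a partial map, which keeps a blob containing a value from a different keyring from being silently half-served.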
