privacyplaybook

sops-mcp

Server Configuration

Describes the environment variables required to run the server.

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| SOPS_AGE_KEY | No | Age private key — required for any mutation tool (rotate, add, update, rename, delete) | |
| SOPS_MCP_HOST | No | Bind host for SSE transport | 127.0.0.1 |
| SOPS_MCP_PORT | No | Bind port for SSE transport | 55090 |
| SOPS_MCP_API_TOKEN | No | API token for SSE authentication. Required when SSE transport binds to 0.0.0.0. | |
| SOPS_MCP_LOG_LEVEL | No | Log level | WARNING |
| SOPS_MCP_TRANSPORT | No | Transport: stdio or sse | stdio |
| SOPS_AGE_RECIPIENTS | No | Alternative to SOPS_MCP_AGE_PUBLIC_KEY. Must be set if SOPS_MCP_AGE_PUBLIC_KEY is not set. | |
| SOPS_MCP_SOPS_BINARY | No | Path to sops binary | sops |
| SOPS_MCP_ALLOWED_HOSTS | No | Comma-separated allowlist for the SSE Host header (DNS rebinding protection) | 127.0.0.1,127.0.0.1:*,localhost,localhost:* |
| SOPS_MCP_AGE_PUBLIC_KEY | No | Age public key for encryption. Must be set if SOPS_AGE_RECIPIENTS is not set. | |

Capabilities

Features and capabilities supported by this server

| Capability | Details |
| --- | --- |
| tools | { "listChanged": false } |
| experimental | {} |

Tools

Functions exposed to the LLM to take actions

| Name | Description |
| --- | --- |
| sops_create_secrets | Generate and encrypt secrets as SOPS YAML. Returns encrypted content for the client to write to disk. Supports three sources: 'generated' (cryptographic randomness), 'external' (user-provided values), and 'derived' (computed from another key in the same file via a transform such as pbkdf2_sha512_authelia). Derived secret plaintexts are returned in the response so they can be copied into config files. |
| sops_list_secrets | List key names and metadata from a SOPS-encrypted file. No decryption needed — reads key names from encrypted YAML and metadata from the _meta_unencrypted block. |
| sops_rotate_generated | Re-generate 'generated' secrets with new random values while preserving 'external' secrets. Requires SOPS_AGE_KEY env var for decryption. |
| sops_add_secrets | Add new secrets to an existing SOPS-encrypted file. Decrypts the file, merges in new secrets, and re-encrypts — preserving all existing values and metadata. Rejects keys that already exist in the file. Supports generated, external, and derived sources. Requires SOPS_AGE_KEY env var. |
| sops_add_metadata | Add _meta_unencrypted metadata to an existing SOPS-encrypted file that lacks it. Decrypts the file, adds metadata, and re-encrypts preserving original plaintext values. Requires SOPS_AGE_KEY env var for decryption. |
| sops_delete_secrets | Delete one or more keys from an existing SOPS-encrypted file. Removes both the encrypted value and the _meta_unencrypted entry. Rejects deletion of keys that other derived secrets depend on unless those dependents are also in the delete list. Requires SOPS_AGE_KEY env var. |
| sops_rename_secret | Rename a key in an existing SOPS-encrypted file. Preserves the value, source type, and metadata. Updates 'from' references in any derived secrets that depend on the renamed key. Requires SOPS_AGE_KEY env var. |
| sops_update_external | Replace the value of an 'external' secret (e.g. after the user rotated an upstream API key). Rejects attempts to update 'generated' or 'derived' secrets — use sops_rotate_generated for those. Recomputes any derived secrets that reference this key. Requires SOPS_AGE_KEY env var. |
| sops_create_oidc_secret | Convenience tool: create an Authelia-compatible OIDC client secret. Generates KEY_NAME as a 64-char alphanumeric 'generated' secret AND KEY_NAME_HASH as a 'derived' PBKDF2-SHA512 hash of it, stored together in a new encrypted file. The hash is returned in the response for pasting into Authelia's configuration.yml. Equivalent to calling sops_create_secrets with one generated and one derived (pbkdf2_sha512_authelia) entry. |

Prompts

Interactive templates invoked by user choice

No prompts

Resources

Contextual data attached and managed by the client

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/privacyplaybook/sops-mcp'