Share OAuth Client Secrets Securely

The problem

OAuth client secrets and service credentials control access to third-party APIs, payment processors, and external integrations. These secrets shared in Slack threads or email chains persist in searchable logs, often across multiple teams. A leaked client secret can allow an attacker to impersonate your application and access user data at scale.

How Vaulted helps

Vaulted encrypts your client secrets in the browser with AES-256-GCM and produces a self-destructing link. The zero-knowledge architecture ensures the server never has access to the plaintext credentials. The link expires after viewing, preventing client secrets from lingering in message archives.

How to do it

1. Paste your OAuth client secret or service credentials into Vaulted
2. Set a view limit appropriate for the number of developers who need it
3. Share the encrypted link with the team configuring the integration
4. They copy the credentials into their application config, and the link expires

Share client secrets from the command line

Use the Vaulted CLI to share OAuth client secrets without opening a browser: npx vaulted-cli "client_id:client_secret" --views 1 --expires 1h. Same AES-256-GCM encryption as the web app. Install from npm: npm install -g vaulted-cli.

Share client secrets in GitHub Actions

Use the Vaulted GitHub Action to share service credentials in CI/CD: uses: vaulted-fyi/share-secret@v1 with your client secret as the input. End-to-end encrypted, self-destructing links — no plaintext in workflow logs. Available on GitHub Marketplace.