Welcome · Module Overview

Managing API Keys with Secret Server

This interactive training guide walks you through using Delinea Secret Server to create, securely store, rotate and manage API keys using Secret Templates. Complete all modules to earn your certification.

📋 Template Creation
Build a reusable Secret Template tailored for API key metadata and rotation.

🔑 Key Management
Create, view, rotate, and revoke API key secrets following security policies.

🛡️ Access Control
Configure permissions, approvals, and audit trails for API key access.

🎯 Learning Objectives
After completing this training, you will be able to:
  • Explain what Secret Server Secret Templates are and why they are used
  • Create a custom Secret Template for API key storage
  • Add, view, and rotate API key secrets within Secret Server
  • Configure folder permissions and approval workflows
  • Apply security best practices for API key lifecycle management
💡 Estimated Time: This training takes approximately 25 to 35 minutes. Each module builds on the previous one, so complete them in order for the best experience.
Module 01 · Foundations

Secret Server Basics

Before creating templates and secrets, it is essential to understand how Secret Server structures its data and why API keys need special handling.

01 · What is Secret Server?
Enterprise Privileged Access Management platform

Delinea Secret Server is a Privileged Access Management (PAM) solution that provides a centralized, secure vault for managing sensitive credentials, including passwords, certificates, SSH keys, and API tokens.

Core concepts you need to know:

  • Secrets: individual credential records (e.g., a specific API key)
  • Secret Templates: blueprints that define the fields a Secret contains
  • Folders: organizational containers with inherited permissions
  • Policies: rules controlling access, checkout, and expiration
02 · Why Store API Keys in Secret Server?
The risks of unmanaged API credentials

⚠️ API keys hardcoded in source code, stored in spreadsheets or pasted into chat are a frequent root cause of breaches: a leaked key is typically long-lived, carries every privilege it was issued with, and its use is indistinguishable from the legitimate application's. A vault does not make leakage impossible, but it gives every key a known owner, an audit trail, an expiry date and a rotation path, which turns a leak from an open-ended exposure into a bounded incident.

Secret Server provides these protections for API keys:

  • Encrypted at rest (AES-256) and in transit (TLS)
  • Full audit trail of every access and modification
  • Role-based access control: only authorized users can view keys
  • Automated rotation and expiration enforcement
  • Secret checkout with optional approval workflows
03 · How Secret Templates Work
Field definitions and data types

A Secret Template defines the schema of a secret: which fields it contains, their data types, and which fields are treated as passwords (masked in the UI and revealed only on an explicit, audited request).

Field types used in this guide: Text, Password, URL, Notes

For API keys, you will create a template that captures the key name, the secret key value, the associated service and environment, the expiration date, and any other metadata relevant to your organization.

Module 02 · Template Setup

Creating a Secret Template

A Secret Template is the foundation for every API key you store. This module walks through building a purpose-built template for API key management.

01 · Navigate to Template Management
Locate the Secret Templates settings panel

To access the Secret Templates manager, follow this navigation path:

# Navigation path
Admin (⚙️ top right) → Secret Templates → + Create New
⚠️ You must hold the Administer Secret Templates role permission. Contact your Secret Server administrator if this option is not visible.
02 · Configure Template Fields
Define the fields your API key template will contain

Give the template a clear name such as API Key - Generic or API Key - [Service Name]. Then add the following recommended fields (field name and type):

Field 1: Key Name / Label (Text)
Field 2, protected: API Key / Secret Value (Password)
Field 3: Service / Platform (Text)
Field 4: Environment (Text)
Field 5: API Base URL (URL)
Field 6: Expiration Date (Text; enter it as YYYY-MM-DD so that reports and scripts can parse and sort it)
Field 7: Owner / Requestor (Text)
Field 8: Notes / Usage Context (Notes)
💡 Mark the API Key / Secret Value field as the Password type. A Password-type field is masked in the UI until a user explicitly unmasks it, that unmask is recorded as its own audit event, and the value itself is never written into an audit entry. A Text or Notes field gets none of this: its content is shown in clear to anyone who can open the secret.
03 · Set Template Expiration & Heartbeat
Configure automated expiration and health checking

Set the expiration interval on the template itself. Check-out and heartbeat are security settings of the secret; you can set them per secret, but it is better to enforce them for the whole folder through a Secret Policy (see Module 05) so that individual secrets cannot opt out. Recommended values:

Expiration Interval: 90 days # or per your org policy; flags the secret as expired and notifies, it does not rotate the key at the provider
Require Check-Out: Yes
Check-Out Interval: 30 minutes
Heartbeat Enabled: Yes # only if a custom heartbeat script can validate the key against the provider's API; there is no built-in check for a generic API key

Click Save to finalize your template. It will now be available when creating new secrets.

Module 03 · Secret Creation

Creating an API Key Secret

With your template defined, you are ready to create actual API Key secrets. This module covers the complete creation workflow.

01 · Navigate to the Target Folder
Organize secrets in the correct folder before creation

Secrets should always be created inside the appropriate organizational folder, not at the root level. Navigate to:

# Recommended folder structure
📁 IT Security
  📁 API Keys
    📁 Production
    📁 Development
    📁 Third-Party Services

If the folder does not exist, create it and set appropriate permissions before adding secrets to it.

02 · Create a New Secret
Fill in the template fields with your API key data

Click the + Create Secret button and select your API Key - Generic template. Fill in all fields:

Key Name: Stripe Production API Key
API Key: •••••••••••••••• # paste the actual key; it is masked once saved
Service: Stripe
Environment: Production
API Base URL: https://api.stripe.com
Expiration: 2025-12-31
Owner: jane.doe@company.com
Notes: Used by payment-service microservice
🚫 Never paste the API key into the Notes field or any Text field. Those fields are shown in clear text to everyone with View access and are never masked. Only the designated Password-type field is masked, and only that field's reveal is recorded as a distinct audit event.
03 · Save and Verify
Confirm the secret was created correctly

After clicking Save, verify the secret was created correctly by checking:

  • The secret appears in the correct folder with the expected name
  • The API Key field shows as masked (••••••••) in the view
  • All template fields are populated with correct data, and the key value appears nowhere except the API Key field
  • The expiration date is set and visible in the secret header
  • The Audit tab shows the creation event
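The verification above can be automated for every secret that uses the template. The following Python script is an added example, not Delinea's code or SDK. It lints a secret record in the shape returned by the REST API's GET /api/v1/secrets/{id} call, where each field appears in an items array with slug, itemValue and isPassword; that shape and the exact field slugs (api-key, key-name, and so on) are assumptions derived from the Module 02 template, and both sample records are constructed with a fake key value. It checks what the bullet list asks for plus one thing the UI cannot show you: that the key value has not also been pasted into a Text or Notes field.

```python
"""Lint an API-key secret record before it is relied upon.

Added example, not Delinea code. Assumes the JSON shape of
GET /api/v1/secrets/{id} ("items" list with slug/itemValue/isPassword) and
the field slugs derived from the Module 02 template.
"""
from __future__ import annotations

import copy
import datetime as dt
from urllib.parse import urlparse

KEY_SLUG = "api-key"
REQUIRED_SLUGS = ("key-name", "service", "environment", "api-base-url",
                  "expiration-date", "owner")


def fields_by_slug(secret: dict) -> dict[str, dict]:
    """Index the secret's items array by field slug."""
    return {item["slug"]: item for item in secret.get("items", [])}


def lint_api_key_secret(secret: dict, today=None) -> list[str]:
    """Return a list of findings; an empty list means the record passes."""
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    today = today or dt.date.today()
    fields = fields_by_slug(secret)
    findings: list[str] = []

    key_field = fields.get(KEY_SLUG)
    if key_field is None:
        return [f"missing '{KEY_SLUG}' field"]
    if not key_field.get("isPassword"):
        findings.append(f"'{KEY_SLUG}' is not a Password-type field")
    key_value = key_field.get("itemValue") or ""
    if not key_value:
        findings.append(f"'{KEY_SLUG}' is empty")

    # The key must exist only in the password field; the UI cannot show you
    # that someone also pasted it into Notes or a Text field.
    for slug, item in fields.items():
        if slug != KEY_SLUG and key_value and key_value in (item.get("itemValue") or ""):
            findings.append(f"key value leaked into non-password field '{slug}'")

    for slug in REQUIRED_SLUGS:
        if not (fields.get(slug, {}).get("itemValue") or "").strip():
            findings.append(f"metadata field '{slug}' is empty")

    exp_raw = (fields.get("expiration-date", {}).get("itemValue") or "").strip()
    if exp_raw:
        try:
            exp = dt.date.fromisoformat(exp_raw)
        except ValueError:
            findings.append(f"expiration-date '{exp_raw}' is not YYYY-MM-DD")
        else:
            if exp <= today:
                findings.append(f"expiration-date {exp} is not in the future")

    url = (fields.get("api-base-url", {}).get("itemValue") or "").strip()
    if url and urlparse(url).scheme != "https":
        findings.append(f"api-base-url '{url}' does not use https")

    if not secret.get("active", True):
        findings.append("secret is inactive")
    return findings


# Constructed sample record mirroring the Module 03 walkthrough (fake key value).
GOOD_SECRET = {
    "id": 1234,
    "name": "Stripe Production API Key",
    "secretTemplateName": "API Key - Generic",
    "active": True,
    "items": [
        {"slug": "key-name", "itemValue": "Stripe Production API Key", "isPassword": False},
        {"slug": "api-key", "itemValue": "sk_live_FAKE0000000000000000", "isPassword": True},
        {"slug": "service", "itemValue": "Stripe", "isPassword": False},
        {"slug": "environment", "itemValue": "Production", "isPassword": False},
        {"slug": "api-base-url", "itemValue": "https://api.stripe.com", "isPassword": False},
        {"slug": "expiration-date", "itemValue": "2025-12-31", "isPassword": False},
        {"slug": "owner", "itemValue": "jane.doe@company.com", "isPassword": False},
        {"slug": "notes", "itemValue": "Used by payment-service microservice", "isPassword": False},
    ],
}


def constructed_bad_secret() -> dict:
    """The same record with three mistakes a reviewer should catch."""
    bad = copy.deepcopy(GOOD_SECRET)
    f = fields_by_slug(bad)
    f["notes"]["itemValue"] += " (key: sk_live_FAKE0000000000000000)"  # pasted into Notes
    f["expiration-date"]["itemValue"] = "2023-01-01"                    # already expired
    f["api-base-url"]["itemValue"] = "http://api.stripe.com"            # plaintext endpoint
    return bad


if __name__ == "__main__":
    for label, rec in (("good", GOOD_SECRET), ("bad", constructed_bad_secret())):
        print(label, lint_api_key_secret(rec, today="2025-06-01") or "OK")
```

Run it against records pulled from the API (or pasted from the UI) for every secret in the API Keys folder; the leak check is the one most worth keeping, because a key pasted into Notes is readable by everyone with View access and is not masked or separately audited.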
Module 04 · Day-to-Day Operations

Managing API Keys

Effective API key management goes beyond creation. This module covers viewing, editing, rotating, and revoking API keys across their full lifecycle.

01 · Viewing & Checking Out a Secret
Accessing a key with proper checkout controls

If checkout is required on the secret or by its policy, you must check it out before viewing the API key value:

# Checkout process
1. Open the Secret → Click Check Out
2. Enter a reason (required if the policy demands one)
3. Click the 👁 eye icon next to the API Key field
4. Use the key value for your task
5. Click Check In when done
⚠️ The checkout expires automatically after the configured interval. If you need more time, extend the checkout before it expires; otherwise the secret is checked in when the timer runs out. While you hold the checkout, nobody else can check the same secret out, so check in as soon as you are done.
02 · Rotating an API Key
Updating the key value when a new key is issued

API key rotation should occur on a schedule or whenever a key is suspected of being compromised. To rotate a key:

# Manual rotation steps
1. Generate a new API key at the third-party service (most providers allow two keys to be active at once)
2. Open the Secret in Secret Server
3. Click Edit → update the API Key password field
4. Update the Expiration Date to reflect the new key's lifetime
5. Add a rotation note in the Notes field
6. Click Save
7. Redeploy or restart consumers so they pick up the new value, and confirm they work
8. Revoke or delete the old key at the third-party service
💡 Secret Server keeps a history of previous values for each secret, so an earlier key can be recovered from the secret's history (subject to your retention policy) if a consumer breaks after rotation. That only helps while the old key is still valid at the provider, which is why step 8 comes last. If the rotation is a response to a compromise, revoke the old key first and accept the outage.
03 · Deactivating or Deleting a Secret
Retiring keys that are no longer needed

When an API key is no longer needed or has been revoked at the source:

  • Deactivate: hides the secret from active views but retains it and its audit history. Preferred for compliance.
  • Delete: permanently removes the secret. Only use this if retention policies allow it.
# To deactivate a secret
Open Secret → Edit → Scroll to bottom → Toggle Active to OFF → Save
🚫 Always revoke the API key at the source service before, or at the same time as, deactivating it in Secret Server. An inactive Secret Server record does not revoke the key at the service level; the provider keeps honouring the key until you revoke it there.
Module 05 · Access Control

Access & Permissions

Controlling who can see and use API keys is just as important as storing them securely. This module covers folder permissions, approval workflows, and audit access.

🗂 Permission Levels
  • List: can see that the folder or secret exists in navigation, but cannot open it or read field values
  • View: can open the secret and read its fields, including unmasking the Password field (still subject to any checkout or approval requirement)
  • Edit: View plus modifying field values and settings
  • Owner: full control, including changing permissions, sharing and deleting
  • Inherit Permissions: not a level but a folder setting; child folders and secrets take their permissions from the parent (recommended, so access is managed in one place)
01 · Setting Folder Permissions
Grant access at the folder level for inherited control
# To configure folder permissions
Right-click Folder → Edit Folder → Folder Permissions tab

# Add a group
+ Add Group/User → Search for group → Select permission level

# Example setup
DevOps-Team: View # can read keys, subject to checkout and approval
SecOps-Admins: Owner # can manage all secrets
Auditors: List # can see structure only
02 · Configuring Approval Workflows
Require sign-off before access is granted

For high-sensitivity API keys (production credentials, financial APIs), require approval through a Secret Policy assigned to the folder, or in the security settings of an individual secret:

# Enable approval on a secret policy
Admin → Secret Policies → Edit Policy
→ Requires Approval for Access: Enabled
→ Approvers: [Security Team group]
→ Approve for: 1 hour

Users who need access submit an access request with a justification. Designated approvers receive an email notification and approve or deny in the web UI; the request and the decision are recorded in the secret's audit log. Choose an approver group that does not contain the usual requesters, so that nobody can approve their own access.

03 · Reading the Audit Trail
Monitor who accessed your API keys and when

Every secret has its own audit log. To view it:

Open Secret → Audit tab

The audit log captures views, edits, failed access attempts, checkout events and approval requests, with the user, timestamp and IP address for each event. Revealing the Password field is logged as its own event, separate from opening the secret, so you can tell who actually saw the key from who only looked at its metadata.

💡 For cross-secret reporting, use Admin → Reports → Secret Audit to generate filtered audit reports for compliance reviews, or export the report and review it with a script.
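An added example of what to look for when reviewing an exported audit report; this is not product code. The CSV columns and action strings are constructed to resemble a Secret Server audit export, so map them to the headers of your own export before use, and the expected-viewer table is a placeholder. The script flags reveals by users who are not expected to handle a given key, reveals outside business hours, access-denied events, and one user revealing several distinct keys in a short window, which is what enumeration of a folder looks like in the log.

```python
"""Review an exported Secret Server audit report for suspicious API key access.

Added example, not product code. Column names and action strings are
constructed to resemble an audit export; adjust them to your own export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # reveals outside this window get flagged
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3  # distinct keys revealed by one user inside BURST_WINDOW

# Expected handlers per key: the owner plus the service accounts that consume it (placeholder).
EXPECTED_VIEWERS = {
    "Stripe Production API Key": {"jane.doe", "svc-payment"},
    "Twilio Production API Key": {"bob.ray", "svc-notify"},
    "GitHub Deploy Token": {"ci-runner"},
}

# Constructed sample export (assumed column layout).
SAMPLE_EXPORT = """\
Date,User,Action,Secret,IP
2025-06-03 09:12:04,jane.doe,VIEW,Stripe Production API Key,10.1.20.14
2025-06-03 09:12:10,jane.doe,PASSWORD DISPLAYED,Stripe Production API Key,10.1.20.14
2025-06-03 22:41:55,contractor7,PASSWORD DISPLAYED,Stripe Production API Key,203.0.113.9
2025-06-03 22:42:30,contractor7,PASSWORD DISPLAYED,Twilio Production API Key,203.0.113.9
2025-06-03 22:43:02,contractor7,PASSWORD DISPLAYED,GitHub Deploy Token,203.0.113.9
2025-06-03 23:05:00,contractor7,ACCESS DENIED,AWS Root Keys,203.0.113.9
2025-06-04 10:00:00,ci-runner,PASSWORD DISPLAYED,GitHub Deploy Token,10.1.30.5
"""


def parse_export(text):
    """Parse the CSV export, attaching a datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["Date"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def review_audit(text):
    """Return human-readable findings for an analyst to triage."""
    findings = []
    reveals = defaultdict(list)  # user -> [(timestamp, secret name)]
    for row in parse_export(text):
        who, what, secret, when = row["User"], row["Action"], row["Secret"], row["ts"]
        if what == "ACCESS DENIED":
            findings.append(f"{when} {who} was denied access to '{secret}' from {row['IP']}")
            continue
        if what != "PASSWORD DISPLAYED":
            continue  # opening the secret without revealing the key is routine
        reveals[who].append((when, secret))
        expected = EXPECTED_VIEWERS.get(secret)
        if expected is not None and who not in expected:
            findings.append(f"{when} {who} revealed '{secret}' but is not an expected viewer")
        if not BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]:
            findings.append(f"{when} {who} revealed '{secret}' outside business hours")
    # One user revealing many different keys in a short window looks like enumeration.
    for who, events in reveals.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {s for t, s in events[i:] if t - start <= BURST_WINDOW}
            if len(distinct) >= BURST_THRESHOLD:
                findings.append(f"{start} {who} revealed {len(distinct)} distinct keys within {BURST_WINDOW}")
                break
    return findings


if __name__ == "__main__":
    for line in review_audit(SAMPLE_EXPORT):
        print(line)
```

Only PASSWORD DISPLAYED events count as a reveal here; plain VIEW events are deliberately ignored so that the output stays short enough to read every week. Tune the business-hours window and the burst threshold to your team before trusting the result.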
Module 06 · Security Guidelines

Best Practices for API Key Security

Following these guidelines ensures your team maintains a strong security posture around API key management throughout the credential lifecycle.

✅ Security Checklist: Your Organization's Standards
  • One key per purpose: never reuse a single API key across multiple applications or environments, so a leak can be traced and revoked without collateral outage
  • Minimum required scopes: configure API keys with only the permissions the application actually needs
  • Rotate on a schedule: rotate production API keys at least every 90 days, or per your key provider's recommendation
  • Rotate immediately on compromise: if a key is ever exposed (code repo, log file, email), rotate it immediately and review the provider's access logs for the exposure window
  • Never log key values: ensure applications and log aggregators do not record API key values in plain text; redact at the logging layer rather than relying on every developer to remember
  • Use the Secret Server SDK/API: applications should retrieve keys programmatically from Secret Server at runtime instead of reading them from static config files
  • Review access quarterly: audit folder permissions and remove access for users who no longer need it
  • Document every key: all template fields should be fully populated, especially service, environment, owner and notes
⚠️ Red Flags: If you find API keys in .env files committed to Git, in Slack messages, in spreadsheets, or on sticky notes, those keys must be rotated immediately and an incident ticket opened. Treat a key that was ever committed as exposed even if the commit was later removed, because Git history and forks retain it.
Module 07 · Assessment

Knowledge Check

Answer these questions to demonstrate your understanding of API key management with Secret Server. Click an option to submit your answer.

1. When creating an API key secret, which field type should be used for the actual key value?
   A. Text
   B. Password
   C. URL
   D. Notes
2. An API key stored in Secret Server becomes compromised. What is the correct order of response?
   A. Deactivate the Secret Server record, then notify the team
   B. Revoke at the provider → rotate new key → update Secret Server → open incident ticket
   C. Open an incident ticket, then wait for security team approval to rotate
   D. Update the key value in Secret Server only; rotation is sufficient
3. What is the purpose of a Secret Template in Secret Server?
   A. To control who has access to view secrets
   B. To encrypt the secret data before storage
   C. To define the fields and data types that a secret record will contain
   D. To schedule automatic rotation of secrets
4. Which of the following is the MOST secure way for an application to consume an API key stored in Secret Server?
   A. Store the key in a config file on the application server
   B. Set the key as an environment variable at deployment time
   C. Email the key to the developer so they can configure the app
   D. Use the Secret Server SDK/REST API to retrieve the key at runtime