Application Key Manager
Application Key Manager allows administrators to securely store, manage, search, encrypt, and use external service keys. It can be used for reCAPTCHA, AI API keys, payment keys, webhook secrets, public site keys, and other integration credentials.
Use this feature when iBoard needs to store external service keys in a centralized and secure way instead of hardcoding them in pages, JavaScript, controllers, or configuration files.
Overview
Application Key Manager provides a secure key registry for application-level secrets and public keys. It supports key grouping, provider names, environment separation, key types, encrypted storage, public key access, server-side access, and token replacement inside managed templates or HTML content.
| Area | Description |
|---|---|
| Search Filters | Searches keys by keyword, group, provider, environment, and status. |
| Summary Cards | Displays total key count, active key count, and secret key count. |
| Key List | Displays registered application keys and available actions. |
| Create Key | Creates a new application key with encrypted value storage. |
| Usage Guide | Explains basic usage, server usage, public browser usage, reCAPTCHA examples, security rules, and token replacement. |
Search Filters
The Search Filters area helps administrators quickly find saved keys.
| Filter | Description |
|---|---|
| Keyword | Searches by key code, key name, provider, or related text. |
| Group | Filters keys by logical group, such as SECURITY, AI, PAYMENT, WEBHOOK, or SITE. |
| Provider | Filters by external service provider, such as GOOGLE, OPENAI, STRIPE, SENDGRID, or custom provider names. |
| Environment | Filters by environment, such as PROD, DEV, TEST, or STAGING. |
| Status | Filters keys by active or inactive status. |
| Search | Applies the selected filter conditions. |
Summary Cards
Summary cards provide a quick overview of the current key registry.
| Card | Description |
|---|---|
| Total Keys | Total number of registered application keys. |
| Active | Total number of active keys that can be used by the system. |
| Secret Type | Total number of keys marked as secret type. |
Key List
The Key List table displays saved application keys. If no keys are registered, the system displays No application keys found.
| Column | Description |
|---|---|
| ID | Internal key record ID. |
| Code | Unique key code used by the application. |
| Name | Friendly key name shown in the administrator screen. |
| Group | Logical group used for filtering and organization. |
| Provider | External service provider name. |
| Environment | Environment code such as PROD, DEV, TEST, or STAGING. |
| Type | Key type such as SECRET, PUBLIC, TOKEN, or CONFIG. |
| Value | Saved key value. Secret values are masked and encrypted. |
| Status | Shows whether the key is active or inactive. |
| Sort | Controls display order. |
| Action | Provides edit, delete, test, or related actions depending on system configuration. |
Create Application Key
The Create Application Key screen is used to store external service keys securely. Secret values are encrypted before saving.
Basic Settings
| Field | Example | Description |
|---|---|---|
| Key Code | GOOGLE_RECAPTCHA_SITE_KEY |
Unique code used by the application. This value is usually used in server code or token replacement. |
| Key Name | Google reCAPTCHA Site Key |
Friendly name shown in the admin screen. |
| Group | SECURITY, AI, PAYMENT |
Logical group for filtering and organization. |
| Provider | GOOGLE, OPENAI, STRIPE |
External service provider name. |
| Environment | PROD, DEV, TEST |
Environment-specific separation for keys. |
| Key Type | SECRET, PUBLIC, TOKEN, CONFIG |
Determines how the key should be used and whether it may be exposed to the browser. |
| Key Value | actual key value |
The actual key value. It is encrypted before saving and displayed only as a masked value later. |
| Description | Optional description | Explains where and why this key is used. |
| Sort Order | 100 |
Controls display order in the list. |
| Active | Checked | Determines whether the key can be used by the system. |
When editing an existing key, leave Key Value empty if you want to keep the current saved value.
Key Types
| Key Type | Usage | Browser Exposure |
|---|---|---|
| PUBLIC | Public keys such as reCAPTCHA site keys. | Can be exposed to browser JavaScript or HTML when necessary. |
| SECRET | Private service keys, API keys, webhook secrets, payment secrets, or server-only credentials. | Must never be exposed to the browser. |
| TOKEN | Access tokens or bearer tokens used by backend services. | Must generally remain server-side unless specifically designed as public. |
| CONFIG | Configuration values such as project IDs or non-secret integration settings. | May be exposed only if it does not contain sensitive information. |
Usage Guide
The Usage Guide explains how application keys can be created and used from server code, browser code, reCAPTCHA integration, security rules, and token replacement.
Basic Usage
- Use filters to search saved keys.
- Click Create Key to add a new key.
- Click edit to update an existing key.
- Use test if available to verify whether the encrypted key can be decrypted successfully.
Server Usage
Use IAppKeyProvider in services or controllers when you need to read key values internally.
Inject IAppKeyProvider
private readonly IAppKeyProvider _appKeyProvider;
public MyService(IAppKeyProvider appKeyProvider)
{
_appKeyProvider = appKeyProvider;
}
Get a General Key Value
string apiKey = await _appKeyProvider.GetValueAsync("OPENAI_API_KEY", "PROD");
Get Google reCAPTCHA Site Key
string siteKey = await _appKeyProvider.GetGoogleRecaptchaSiteKeyAsync("PROD");
Get Google reCAPTCHA Secret Key
string secretKey = await _appKeyProvider.GetGoogleRecaptchaSecretKeyAsync("PROD");
Public Key Usage
Public key usage is intended for browser-safe keys only. The controller provides a public-key-only endpoint. It blocks SECRET keys and only returns keys whose Key Type is PUBLIC.
Controller Endpoint
/Admin/AppKeys/GetSiteKey?keyCode=GOOGLE_RECAPTCHA_SITE_KEY&environmentCode=PROD
JavaScript Example
async function loadSiteKey() {
const response = await fetch("/Admin/AppKeys/GetSiteKey?keyCode=GOOGLE_RECAPTCHA_SITE_KEY&environmentCode=PROD");
const result = await response.json();
if (!result.success) {
throw new Error(result.message || "Failed to load site key.");
}
return result.value;
}
Do not expose SECRET, TOKEN, payment secret, webhook secret, or AI API keys to JavaScript.
reCAPTCHA Enterprise v3 Example
For score-based reCAPTCHA Enterprise, the browser gets a token with grecaptcha.enterprise.execute,
then the server verifies the token with Google Cloud Assessment API.
Required Keys
GOOGLE_RECAPTCHA_SITE_KEY- Key Type: PUBLICGOOGLE_RECAPTCHA_PROJECT_ID- Key Type: CONFIGGOOGLE_RECAPTCHA_API_KEY- Key Type: SECRET
Client Script Example
<script src="https://www.google.com/recaptcha/enterprise.js?render=SITE_KEY"></script>
const token = await grecaptcha.enterprise.execute(SITE_KEY, {
action: "newsletter_subscribe"
});
Server Validation Concept
if (!tokenProperties.Valid) return false;
if (tokenProperties.Action != "newsletter_subscribe") return false;
if (riskAnalysis.Score < 0.5m) return false;
Security Notes
| Security Rule | Description |
|---|---|
| Do not display secrets | SECRET values are encrypted and should never be rendered to the browser. |
| Use PUBLIC for browser keys | Only keys marked PUBLIC should be used in JavaScript or HTML. |
| Separate environments | Use DEV, TEST, and PROD to avoid mixing local and production keys. |
| Rotate keys | Replace compromised keys immediately and clear application cache after saving. |
| Limit token replacement | Use token replacement only for PUBLIC or safe CONFIG values. |
The controller clears cached key values after save, delete, or status change so updated keys can be used immediately.
Token Replacement
Token replacement is useful when a page is rendered from saved HTML, skin files, page builder content, or database-managed templates.
Basic Concept
Instead of writing the real key value directly in HTML, write a token pattern such as
##{GOOGLE_RECAPTCHA_SITE_KEY}##.
During rendering, the server replaces the token with the actual value from the key manager.
HTML Template Example
<input type="hidden"
id="NewsletterRecaptchaSiteKey"
value="##{GOOGLE_RECAPTCHA_SITE_KEY}##" />
Rendered HTML Result
<input type="hidden"
id="NewsletterRecaptchaSiteKey"
value="actual-google-recaptcha-site-key" />
Server Replacement Example
string googleRecaptchaSiteKey =
await _appKeyProvider.GetGoogleRecaptchaSiteKeyAsync("PROD");
result = result.Replace(
"##{GOOGLE_RECAPTCHA_SITE_KEY}##",
googleRecaptchaSiteKey ?? string.Empty
);
General Replacement Helper Example
private async Task<string> ReplaceAppKeyTokensAsync(string html)
{
if (string.IsNullOrWhiteSpace(html))
{
return string.Empty;
}
string googleRecaptchaSiteKey =
await _appKeyProvider.GetValueAsync("GOOGLE_RECAPTCHA_SITE_KEY", "PROD");
string googleProjectId =
await _appKeyProvider.GetValueAsync("GOOGLE_RECAPTCHA_PROJECT_ID", "PROD");
html = html.Replace("##{GOOGLE_RECAPTCHA_SITE_KEY}##", googleRecaptchaSiteKey ?? string.Empty);
html = html.Replace("##{GOOGLE_RECAPTCHA_PROJECT_ID}##", googleProjectId ?? string.Empty);
return html;
}
Recommended Workflow
- Open Admin > Site > AppKeys.
- Click Create Key.
- Enter a unique Key Code.
- Enter a friendly Key Name.
- Select Group, Provider, Environment, and Key Type.
- Enter the Key Value.
- Add a description explaining where the key is used.
- Set Active if the key should be usable.
- Click Save Key.
- Use the key from server code, public endpoint, or token replacement depending on its type.
Common Use Cases
| Use Case | Recommended Key Type | Recommended Usage |
|---|---|---|
| Google reCAPTCHA site key | PUBLIC | Use in browser or token replacement. |
| Google reCAPTCHA API key | SECRET | Use only from server code. |
| OpenAI API key | SECRET | Use only from server-side services. |
| Stripe secret key | SECRET | Use only from payment server logic. |
| Stripe publishable key | PUBLIC | May be used in browser payment UI. |
| Webhook signing secret | SECRET | Use only for server-side signature verification. |
| Project ID or tenant ID | CONFIG | Use from server or browser only if non-sensitive. |
Important Notes
- SECRET values are encrypted before saving.
- Existing secret values are never displayed in plain text.
- Leave Key Value empty when editing if you want to keep the existing saved value.
- Use PUBLIC only for keys that are safe to expose to the browser.
- Never expose SECRET, TOKEN, payment secret, webhook secret, or AI API keys in JavaScript or HTML.
- Use separate environments such as DEV, TEST, and PROD.
- Rotate compromised or old keys immediately.
Troubleshooting
| Problem | Possible Cause | Solution |
|---|---|---|
| Key does not appear in the list | Search filters may be applied or the key may not have been saved. | Clear filters and confirm that the key was saved successfully. |
| Server code returns empty key value | The key code or environment may be incorrect, or the key may be inactive. | Check Key Code, Environment, and Active status. |
| Public endpoint does not return a key | The key may not be marked as PUBLIC. | Confirm that the key type is PUBLIC. |
| Secret value is not visible after saving | This is expected behavior. Secret values are encrypted and masked. | Enter a new value only when you want to replace the existing secret. |
| Token replacement does not work | The token pattern or key code may be incorrect. | Check the token format and key code spelling. |
| Updated key is not reflected | Application cache may still contain an old value. | Save the key again or clear cache if the system requires it. |
Best Practices
- Use clear key codes such as
GOOGLE_RECAPTCHA_SITE_KEYorOPENAI_API_KEY. - Keep provider names consistent, such as
GOOGLE,OPENAI,STRIPE, orSENDGRID. - Separate production and development keys by environment.
- Use SECRET for private credentials and PUBLIC only for browser-safe values.
- Document where each key is used in the Description field.
- Rotate sensitive keys regularly.
- Restrict access to this screen to trusted administrators only.
Application keys often control access to external services. Manage them carefully, protect secret values, and never expose private credentials to the browser.