Guide / Application Key Manager
KO EN
html

Application Key Manager

Application Key Manager allows administrators to securely store, manage, search, encrypt, and use external service keys. It can be used for reCAPTCHA, AI API keys, payment keys, webhook secrets, public site keys, and other integration credentials.

Use this feature when iBoard needs to store external service keys in a centralized and secure way instead of hardcoding them in pages, JavaScript, controllers, or configuration files.

Overview

Application Key Manager provides a secure key registry for application-level secrets and public keys. It supports key grouping, provider names, environment separation, key types, encrypted storage, public key access, server-side access, and token replacement inside managed templates or HTML content.

Area Description
Search Filters Searches keys by keyword, group, provider, environment, and status.
Summary Cards Displays total key count, active key count, and secret key count.
Key List Displays registered application keys and available actions.
Create Key Creates a new application key with encrypted value storage.
Usage Guide Explains basic usage, server usage, public browser usage, reCAPTCHA examples, security rules, and token replacement.

Search Filters

The Search Filters area helps administrators quickly find saved keys.

Filter Description
Keyword Searches by key code, key name, provider, or related text.
Group Filters keys by logical group, such as SECURITY, AI, PAYMENT, WEBHOOK, or SITE.
Provider Filters by external service provider, such as GOOGLE, OPENAI, STRIPE, SENDGRID, or custom provider names.
Environment Filters by environment, such as PROD, DEV, TEST, or STAGING.
Status Filters keys by active or inactive status.
Search Applies the selected filter conditions.

Summary Cards

Summary cards provide a quick overview of the current key registry.

Card Description
Total Keys Total number of registered application keys.
Active Total number of active keys that can be used by the system.
Secret Type Total number of keys marked as secret type.

Key List

The Key List table displays saved application keys. If no keys are registered, the system displays No application keys found.

Column Description
ID Internal key record ID.
Code Unique key code used by the application.
Name Friendly key name shown in the administrator screen.
Group Logical group used for filtering and organization.
Provider External service provider name.
Environment Environment code such as PROD, DEV, TEST, or STAGING.
Type Key type such as SECRET, PUBLIC, TOKEN, or CONFIG.
Value Saved key value. Secret values are masked and encrypted.
Status Shows whether the key is active or inactive.
Sort Controls display order.
Action Provides edit, delete, test, or related actions depending on system configuration.

Create Application Key

The Create Application Key screen is used to store external service keys securely. Secret values are encrypted before saving.

Basic Settings

Field Example Description
Key Code GOOGLE_RECAPTCHA_SITE_KEY Unique code used by the application. This value is usually used in server code or token replacement.
Key Name Google reCAPTCHA Site Key Friendly name shown in the admin screen.
Group SECURITY, AI, PAYMENT Logical group for filtering and organization.
Provider GOOGLE, OPENAI, STRIPE External service provider name.
Environment PROD, DEV, TEST Environment-specific separation for keys.
Key Type SECRET, PUBLIC, TOKEN, CONFIG Determines how the key should be used and whether it may be exposed to the browser.
Key Value actual key value The actual key value. It is encrypted before saving and displayed only as a masked value later.
Description Optional description Explains where and why this key is used.
Sort Order 100 Controls display order in the list.
Active Checked Determines whether the key can be used by the system.
When editing an existing key, leave Key Value empty if you want to keep the current saved value.

Key Types

Key Type Usage Browser Exposure
PUBLIC Public keys such as reCAPTCHA site keys. Can be exposed to browser JavaScript or HTML when necessary.
SECRET Private service keys, API keys, webhook secrets, payment secrets, or server-only credentials. Must never be exposed to the browser.
TOKEN Access tokens or bearer tokens used by backend services. Must generally remain server-side unless specifically designed as public.
CONFIG Configuration values such as project IDs or non-secret integration settings. May be exposed only if it does not contain sensitive information.

Usage Guide

The Usage Guide explains how application keys can be created and used from server code, browser code, reCAPTCHA integration, security rules, and token replacement.

Basic Usage

  1. Use filters to search saved keys.
  2. Click Create Key to add a new key.
  3. Click edit to update an existing key.
  4. Use test if available to verify whether the encrypted key can be decrypted successfully.

Server Usage

Use IAppKeyProvider in services or controllers when you need to read key values internally.

Inject IAppKeyProvider

private readonly IAppKeyProvider _appKeyProvider;

public MyService(IAppKeyProvider appKeyProvider)
{
    _appKeyProvider = appKeyProvider;
}

Get a General Key Value

string apiKey = await _appKeyProvider.GetValueAsync("OPENAI_API_KEY", "PROD");

Get Google reCAPTCHA Site Key

string siteKey = await _appKeyProvider.GetGoogleRecaptchaSiteKeyAsync("PROD");

Get Google reCAPTCHA Secret Key

string secretKey = await _appKeyProvider.GetGoogleRecaptchaSecretKeyAsync("PROD");

Public Key Usage

Public key usage is intended for browser-safe keys only. The controller provides a public-key-only endpoint. It blocks SECRET keys and only returns keys whose Key Type is PUBLIC.

Controller Endpoint

/Admin/AppKeys/GetSiteKey?keyCode=GOOGLE_RECAPTCHA_SITE_KEY&environmentCode=PROD

JavaScript Example

async function loadSiteKey() {
    const response = await fetch("/Admin/AppKeys/GetSiteKey?keyCode=GOOGLE_RECAPTCHA_SITE_KEY&environmentCode=PROD");
    const result = await response.json();

    if (!result.success) {
        throw new Error(result.message || "Failed to load site key.");
    }

    return result.value;
}
Do not expose SECRET, TOKEN, payment secret, webhook secret, or AI API keys to JavaScript.

reCAPTCHA Enterprise v3 Example

For score-based reCAPTCHA Enterprise, the browser gets a token with grecaptcha.enterprise.execute, then the server verifies the token with Google Cloud Assessment API.

Required Keys

  • GOOGLE_RECAPTCHA_SITE_KEY - Key Type: PUBLIC
  • GOOGLE_RECAPTCHA_PROJECT_ID - Key Type: CONFIG
  • GOOGLE_RECAPTCHA_API_KEY - Key Type: SECRET

Client Script Example

<script src="https://www.google.com/recaptcha/enterprise.js?render=SITE_KEY"></script>

const token = await grecaptcha.enterprise.execute(SITE_KEY, {
    action: "newsletter_subscribe"
});

Server Validation Concept

if (!tokenProperties.Valid) return false;
if (tokenProperties.Action != "newsletter_subscribe") return false;
if (riskAnalysis.Score < 0.5m) return false;

Security Notes

Security Rule Description
Do not display secrets SECRET values are encrypted and should never be rendered to the browser.
Use PUBLIC for browser keys Only keys marked PUBLIC should be used in JavaScript or HTML.
Separate environments Use DEV, TEST, and PROD to avoid mixing local and production keys.
Rotate keys Replace compromised keys immediately and clear application cache after saving.
Limit token replacement Use token replacement only for PUBLIC or safe CONFIG values.
The controller clears cached key values after save, delete, or status change so updated keys can be used immediately.

Token Replacement

Token replacement is useful when a page is rendered from saved HTML, skin files, page builder content, or database-managed templates.

Basic Concept

Instead of writing the real key value directly in HTML, write a token pattern such as ##{GOOGLE_RECAPTCHA_SITE_KEY}##. During rendering, the server replaces the token with the actual value from the key manager.

HTML Template Example

<input type="hidden"
       id="NewsletterRecaptchaSiteKey"
       value="##{GOOGLE_RECAPTCHA_SITE_KEY}##" />

Rendered HTML Result

<input type="hidden"
       id="NewsletterRecaptchaSiteKey"
       value="actual-google-recaptcha-site-key" />

Server Replacement Example

string googleRecaptchaSiteKey =
    await _appKeyProvider.GetGoogleRecaptchaSiteKeyAsync("PROD");

result = result.Replace(
    "##{GOOGLE_RECAPTCHA_SITE_KEY}##",
    googleRecaptchaSiteKey ?? string.Empty
);

General Replacement Helper Example

private async Task<string> ReplaceAppKeyTokensAsync(string html)
{
    if (string.IsNullOrWhiteSpace(html))
    {
        return string.Empty;
    }

    string googleRecaptchaSiteKey =
        await _appKeyProvider.GetValueAsync("GOOGLE_RECAPTCHA_SITE_KEY", "PROD");

    string googleProjectId =
        await _appKeyProvider.GetValueAsync("GOOGLE_RECAPTCHA_PROJECT_ID", "PROD");

    html = html.Replace("##{GOOGLE_RECAPTCHA_SITE_KEY}##", googleRecaptchaSiteKey ?? string.Empty);
    html = html.Replace("##{GOOGLE_RECAPTCHA_PROJECT_ID}##", googleProjectId ?? string.Empty);

    return html;
}

Recommended Workflow

  1. Open Admin > Site > AppKeys.
  2. Click Create Key.
  3. Enter a unique Key Code.
  4. Enter a friendly Key Name.
  5. Select Group, Provider, Environment, and Key Type.
  6. Enter the Key Value.
  7. Add a description explaining where the key is used.
  8. Set Active if the key should be usable.
  9. Click Save Key.
  10. Use the key from server code, public endpoint, or token replacement depending on its type.

Common Use Cases

Use Case Recommended Key Type Recommended Usage
Google reCAPTCHA site key PUBLIC Use in browser or token replacement.
Google reCAPTCHA API key SECRET Use only from server code.
OpenAI API key SECRET Use only from server-side services.
Stripe secret key SECRET Use only from payment server logic.
Stripe publishable key PUBLIC May be used in browser payment UI.
Webhook signing secret SECRET Use only for server-side signature verification.
Project ID or tenant ID CONFIG Use from server or browser only if non-sensitive.

Important Notes

  • SECRET values are encrypted before saving.
  • Existing secret values are never displayed in plain text.
  • Leave Key Value empty when editing if you want to keep the existing saved value.
  • Use PUBLIC only for keys that are safe to expose to the browser.
  • Never expose SECRET, TOKEN, payment secret, webhook secret, or AI API keys in JavaScript or HTML.
  • Use separate environments such as DEV, TEST, and PROD.
  • Rotate compromised or old keys immediately.

Troubleshooting

Problem Possible Cause Solution
Key does not appear in the list Search filters may be applied or the key may not have been saved. Clear filters and confirm that the key was saved successfully.
Server code returns empty key value The key code or environment may be incorrect, or the key may be inactive. Check Key Code, Environment, and Active status.
Public endpoint does not return a key The key may not be marked as PUBLIC. Confirm that the key type is PUBLIC.
Secret value is not visible after saving This is expected behavior. Secret values are encrypted and masked. Enter a new value only when you want to replace the existing secret.
Token replacement does not work The token pattern or key code may be incorrect. Check the token format and key code spelling.
Updated key is not reflected Application cache may still contain an old value. Save the key again or clear cache if the system requires it.

Best Practices

  • Use clear key codes such as GOOGLE_RECAPTCHA_SITE_KEY or OPENAI_API_KEY.
  • Keep provider names consistent, such as GOOGLE, OPENAI, STRIPE, or SENDGRID.
  • Separate production and development keys by environment.
  • Use SECRET for private credentials and PUBLIC only for browser-safe values.
  • Document where each key is used in the Description field.
  • Rotate sensitive keys regularly.
  • Restrict access to this screen to trusted administrators only.
Application keys often control access to external services. Manage them carefully, protect secret values, and never expose private credentials to the browser.