# Secrets The Secrets tool tracks expiry dates for API tokens, SSL certificates, passwords, and any other time-sensitive credentials. It provides in-app status indicators and daily Gotify notifications when secrets are about to expire or have already expired. --- ## Accessing the tool Navigate to **🔑 Secrets** in the sidebar under the **Tools** section. --- ## Secret fields | Field | Required | Description | |-------|----------|-------------| | Name | Yes | A clear identifier, e.g. `Cloudflare API Token` | | Type | Yes | One of: API Token, SSL Certificate, Password, Generic | | Description | No | What the secret is used for | | Expiry Date | Yes | The date the secret expires | | Warn (days before) | Yes | How many days before expiry to start showing a warning. Defaults to 30. | | Notes | No | Any additional free-text notes | --- ## Status indicators Each secret is assigned a status based on the current date and its warning threshold: | Status | Meaning | |--------|---------| | **OK** (green) | Expiry is further away than the warning threshold | | **Expiring** (amber) | Expiry is within the warning window | | **Expired** (red) | The expiry date has passed | The Days Left column shows how many days remain, or how many days ago the secret expired (shown as `Xd ago`). --- ## Filtering Use the filter bar to search by name or description. The status dropdown lets you view only expired, expiring, or OK secrets. --- ## Notifications Sloth Manager checks for expiring and expired secrets once per day at **08:00** and sends a single Gotify notification listing all secrets that need attention. The check also runs once when the backend starts, but only if it has not already run today — so restarting the backend will not spam notifications. Notifications require Gotify to be configured and enabled in **⚙️ Settings → Notifications**. Example notification: ``` 🦥 Sloth Manager — Secrets Alert 2 secrets need attention: ✕ EXPIRED — Azure Client Secret ⚠ 12d left — SSL Certificate (example.com) ``` --- ## Audit log All secret changes (add, update, delete) are recorded in **📋 Audit Log** under the category **Secret**. --- ## Export Press **⬇ Export CSV** to download the current (filtered) list of secrets as a CSV file. The export includes name, type, description, expiry date, warning days, status, days left, and notes. --- ## Data storage Secrets are stored in `backend/secrets.json`. This file is created automatically on first use. The path can be overridden with the `SECRETS_PATH` environment variable — see `ENVIRONMENT.md` for details. > **Note:** Secret values themselves (e.g. the actual token or password) are not stored — only metadata such as the name, type, and expiry date.