[Hold][WIP] Workflow Endpoint: how to encrypt secrets #670
+552
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
awalker4
reviewed
Jul 11, 2025
There was a problem hiding this comment.
Added some comments! I can add a commit to this branch to update the code samples once the new certificate flow is ready. Some other thoughts:
- I think the pattern of showing redacted on the encrypted text is a bit noisy. It's instructive to show the
---BEGIN PUBLIC KEY---headers and such, but the other text will always be garbled nonsense, so there's nothing to "hide". Maybe just ellipses?
{
"encrypted_aes_key": "x3+......9zD",
"aes_iv": "k2N......g==",
"encrypted_value": "gM1......A2m",
"type": "rsa_aes"
}
| typically required when creating [source connectors](/api-reference/workflow/sources/overview) or | ||
| [destination connectors](/api-reference/workflow/destinations/overview) that work with specific third-party services. | ||
|
|
||
| Instead of programmatically sending a secret to Unstructured in plain text, which presents a security risk, |
There was a problem hiding this comment.
Suggested change
| Instead of programmatically sending a secret to Unstructured in plain text, which presents a security risk, | |
| There are inherent risks to sending plaintext secrets over a network. For stronger security, you may choose to use Unstructured's process for encrypting secrets locally as follows: |
For now our stance is that this is more secure but it isn't backwards incompatible (except for GDrive). We'll also need to confirm that SecretReference is accepted by all connectors before pushing this approach too broadly.
| Instead of programmatically sending a secret to Unstructured in plain text, which presents a security risk, | ||
| you must instead follow Unstructured's process for more securely sending the secret as follows: | ||
|
|
||
| 1. Call Unstructured to get the Privacy Enhanced Mail (PEM) version of the public key for your Unstructured user account. |
There was a problem hiding this comment.
Suggested change
| 1. Call Unstructured to get the Privacy Enhanced Mail (PEM) version of the public key for your Unstructured user account. | |
| 1. Call Unstructured to get the RSA public key associated with your Unstructured user account. |
The pem detail is probably too in the weeds. For the security minded folks who are doing this, the file format goes without saying. "RSA public key" is the right level of detail.
| you must instead follow Unstructured's process for more securely sending the secret as follows: | ||
|
|
||
| 1. Call Unstructured to get the Privacy Enhanced Mail (PEM) version of the public key for your Unstructured user account. | ||
| 2. Use this PEM to encrypt your plain-text secret locally. |
There was a problem hiding this comment.
Suggested change
| 2. Use this PEM to encrypt your plain-text secret locally. | |
| 2. Use this key to encrypt your plaintext secret locally. |
|
|
||
| - [Google Drive source connector](/api-reference/workflow/sources/google-drive) | ||
|
|
||
| Unstructured plans to add this requirement to other source and destination connectors in the future. |
There was a problem hiding this comment.
Suggested change
| Unstructured plans to add this requirement to other source and destination connectors in the future. | |
| Unstructured plans to support this workflow with other source and destination connectors in the future. |
| import GetStartedSimpleAPIOnly from '/snippets/general-shared-text/get-started-simple-api-only.mdx'; | ||
|
|
||
| While you can use a REST API client such as `curl` or Postman to complete most of the following steps, you can only use Python to | ||
| complete the step of encrypting the plain-text secret locally. Otherwise, both approaches are shown for the other steps. |
There was a problem hiding this comment.
Suggested change
| complete the step of encrypting the plain-text secret locally. Otherwise, both approaches are shown for the other steps. | |
| complete the step of encrypting the plaintext secret locally. Otherwise, both approaches are shown for the other steps. |
|
|
||
| import GetStartedSimpleAPIOnly from '/snippets/general-shared-text/get-started-simple-api-only.mdx'; | ||
|
|
||
| While you can use a REST API client such as `curl` or Postman to complete most of the following steps, you can only use Python to |
There was a problem hiding this comment.
Suggested change
| While you can use a REST API client such as `curl` or Postman to complete most of the following steps, you can only use Python to | |
| While you can use a REST API client such as `curl` or Postman to complete most of the following steps, you can only use Python or another encryption language library to |
| - `UNSTRUCTURED_API_URL`, set to the Workflow Endpoint API URL for your Unstructured user account. | ||
| - `UNSTRUCTURED_API_KEY`, set to the API key for your Unstructured user account. | ||
|
|
||
| ## Step 1: Get the PEM version of the public key |
There was a problem hiding this comment.
Suggested change
| ## Step 1: Get the PEM version of the public key | |
| ## Step 1: Get the RSA public key |
| </Accordion> | ||
| </AccordionGroup> | ||
|
|
||
| ## Step 4: Use the registered secret's ID and encryption type |
There was a problem hiding this comment.
Suggested change
| ## Step 4: Use the registered secret's ID and encryption type | |
| ## Step 4: Use the registered secret's reference ID |
|
See this notebook for an updated flow once https://github.com/Unstructured-IO/platform-api/pull/544 is merged. The response from |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Work in progress. Still waiting for renamed "retrieve" endpoint, and certificate signing.
For now, see: