Brightspot CMS Developer Guide

Building a custom secret service

Brightspot's Secret Service API provides a standardized interface for encrypting secrets in Brightspot. To use this API, you must implement a custom secret service that securely stores data, either via encryption or by leveraging a third-party secret storage solution.

This topic provides guidance on how to implement a custom secret service integration. Note that since each integration can be quite different depending on the third-party service, this topic may not cover all details needed to build an integration with a specific third party.

To create a new secret service implementation, create a new java class that implements the com.psddev.cms.secret.SecretService interface.

To implement the SecretService interface, a class must implement the following methods:

  1. storeSecret(Secret secret)
    • This method should persist the given secret securely.
    • Parameters:
      • secret - The secret that should be stored.
  2. getSecret(Secret secret)
    • This method should securely retrieve the value for the given Secret.
    • Parameters:
      • secret - The secret whose value should be retrieved.
    • Returns:
      • The unencrypted value of the given secret.
  3. deleteSecret(Secret secret)
    • This method should delete the stored value of the given secret.
    • Parameters:
      • secret - The secret whose stored value should be deleted.

The SecretService interface extends SettingsBackedObject, which allows your SecretService to be initialized by com.psddev.dari.util.Settings. These settings are typically set in your Tomcat context.xml file. To apply these settings you can extend the initialize(String settingsKey, Map<String, Object> settings) method from SettingsBackedObject. An example implementation is shown below:

public class CustomSecretService implements SecretService {
        private static final String PREFIX_SUB_SETTING = "prefix";

     * A Prefix to append to all keys stored by this Secret manager.
    private String prefix;

    public void initialize(String settingsKey, Map<String, Object> settings) {
        prefix =, settings.get(PREFIX_SUB_SETTING));

In the above example, the prefix value could now be configured with the brightspot/cms/secretService/{name}/prefix settings key.

Once you have your secret service implemented, enabling it must be done via environment variables, typically in your Tomcat context.xml file. The keys and respective values are described in the table below:

Key Value
brightspot/cms/defaultSecretService The name of the default secret service. This is used in other keys below and is designated as {name}.
brightspot/cms/secretService/{name}/class The fully qualified java class name of your SecretService implementation.
Any additional settings can be configured via additional keys.
Previous Topic
AWS Secret Service
Next Topic
Rich text
Was this topic helpful?
Thanks for your feedback.
The elements that get you up and running in a matter of days, from pre-built content types, to modules, to landing pages.

Content types
Landing pages
Everything you need to manage and administer content within Brightspot CMS, including plug-and-play integrations.

Admin configurations
A guide for installing, supporting and administering code on the Brightspot platform, including integrations requiring developer support to use.

Field types
Content modeling
Rich-text elements