--- title: Base64EncodedSecretStore description: Manage a repository of generic secrets, such as passwords or simple shared secrets, whose values are base64-encoded, and hard-coded in the route. component: pinggateway version: 2026 page_id: pinggateway:reference:Base64EncodedSecretStore canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/Base64EncodedSecretStore.html revdate: 2025-06-02T18:01:47Z section_ids: Base64EncodedSecretStore-usage: Usage Base64EncodedSecretStore-properties: Properties Base64EncodedSecretStore-log: Log level Base64EncodedSecretStore-example: Example Base64EncodedSecretStore-moreinfo: More information --- # Base64EncodedSecretStore Manage a repository of generic secrets, such as passwords or simple shared secrets, whose values are base64-encoded, and hard-coded in the route. This Secret store can only manage the [GenericSecret](../security-guide/keys.html#secret-types) type. The secrets provider queries the Base64EncodedSecretStore for a named secret, identified by the `secret-id` in the `"secret-id": "string"` pair. The Base64EncodedSecretStore returns the matching secret. The secrets provider builds the secret, checking that the secret's constraints are met, and returns a unique secret. If the secret's constraints aren't met, the secrets provider cannot build the secret and the secret query fails. Secrets from Base64EncodedSecretStore never expire. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------- | | | Use Base64EncodedSecretStore for testing or evaluation only, to store passwords locally. In production, use an alternative secret store. | Learn how PingGateway manages secrets in [About secrets](../security-guide/keys.html#about-secrets). ## Usage ```json { "name": string, "type": "Base64EncodedSecretStore", "config": { "secrets": map or configuration expression } } ``` ## Properties * `"secrets"`: *[map](preface.html#definition-map) or configuration expression\, required* Map of one or more data pairs with the format `Map`, where: * The key is the ID of a secret used in a route * The value is the base64-encoded value of a secret, or a configuration expression that evaluates to the base64-encoded value of a secret The following formats are allowed: ```json { "secrets": { "secret-id": "configuration expression", ... } } ``` ```json { "secrets": "configuration expression" } ``` In the following example, the property is a map whose values are provided by strings: ```json { "type": "Base64EncodedSecretStore", "config": { "secrets": { "agent.password": "d2VsY29tZQ==", "crypto.header.key": "Y2hhbmdlaXQ=" } } } ``` In the following example, the property is a map whose values are provided by a configuration token and a configuration expression. The values are substituted when the route is loaded: ```json { "type": "Base64EncodedSecretStore", "config": { "secrets": { "agent.password": "&{secret.value|aGVsbG8=}", "crypto.header.key": "${readProperties('file.property')['b64.key.value']}" } } } ``` ## Log level To facilitate debugging secrets for the Base64EncodedSecretStore, in `logback.xml` add a logger defined by the fully qualified package name of the Base64EncodedSecretStore. The following line in `logback.xml` sets the log level to `ALL`: ```xml ``` ## Example For an example that uses Base64EncodedSecretStore, refer to `client-credentials.json` in [Client credentials grant with PingAM](../gateway-guide/oauth2-clientcredentials.html). ## More information [Secrets](secrets.html) [org.forgerock.openig.secrets.Base64EncodedSecretStore](../_attachments/apidocs/org/forgerock/openig/secrets/Base64EncodedSecretStore.html)