---
title: SecretsKeyManager
description: Uses the Commons Secrets API to manage keys that authenticate a TLS connection to a peer. The configuration references the keystore that holds the keys.
component: pinggateway
version: 2026
page_id: pinggateway:reference:SecretsKeyManager
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/SecretsKeyManager.html
revdate: 2025-06-02T18:01:47Z
section_ids:
  SecretsKeyManager-usage: Usage
  SecretsKeyManager-properties: Properties
  SecretsKeyManager-example: Example
  SecretsKeyManager-moreinfo: More information
---

# SecretsKeyManager

Uses the Commons Secrets API to manage keys that authenticate a TLS connection to a peer. The configuration references the keystore that holds the keys.

## Usage

```json
{
   "name": string,
   "type": "SecretsKeyManager",
   "config": {
     "signingSecretId": [ configuration expression<secret-id>, ... ] || configuration expression<secret-id>,
     "secretsProvider": SecretsProvider reference
   }
}
```

## Properties

* `"signingSecretId"`: array of *configuration expressions<[secret-id](preface.html#definition-secretid)>, required*

  One or more secret IDs used to retrieve private signing keys.

  PingGateway accepts a scalar instead of an array when there's only one secret ID.

  A secret ID must point to a [CryptoKey](../security-guide/keys.html#secret-types).

* `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required*

  The [SecretsProvider](SecretsProvider.html) to query for secrets to resolve the private signing key.

## Example

The following example uses a private key from a keystore for the TLS handshake.

```json
{
  "type": "SecretsKeyManager",
  "config": {
    "signingSecretId": "key.manager.secret.id",
    "secretsProvider": {
      "type": "KeyStoreSecretStore",
      "config": {
        "file": "path/to/certs/ig.example.com.p12",
        "storePasswordSecretId": "keystore.pass",
        "secretsProvider": "SecretsPasswords",
        "mappings": [{
          "secretId": "key.manager.secret.id",
          "aliases": [ "ig.example.com" ]
        }]
      }
    }
  }
}
```
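
A `signingSecretId` with no mapping in the inline `KeyStoreSecretStore` leaves the key manager without a key to resolve. The following Python check is an added example, not PingGateway code: it flags secret IDs that the store's `mappings` don't cover. The function name `lint_key_manager` and the second secret ID `key.manager.secret.id.next` are hypothetical, and the sample is constructed from the example above.

```python
import json

# Constructed sample: the page's example with a second, unmapped secret ID
# ("key.manager.secret.id.next" is hypothetical) to show the failure case.
SAMPLE = """
{ "type": "SecretsKeyManager",
  "config": {
    "signingSecretId": ["key.manager.secret.id", "key.manager.secret.id.next"],
    "secretsProvider": {
      "type": "KeyStoreSecretStore",
      "config": {
        "file": "path/to/certs/ig.example.com.p12",
        "storePasswordSecretId": "keystore.pass",
        "secretsProvider": "SecretsPasswords",
        "mappings": [{ "secretId": "key.manager.secret.id",
                       "aliases": [ "ig.example.com" ] }]
      } } } }
"""

def lint_key_manager(text):
    """Return a list of problems found in one SecretsKeyManager declaration."""
    obj = json.loads(text)
    if obj.get("type") != "SecretsKeyManager":
        return ["not a SecretsKeyManager declaration"]
    config = obj.get("config", {})
    problems = []
    ids = config.get("signingSecretId")
    if isinstance(ids, str):  # a scalar is accepted for a single secret ID
        ids = [ids]
    if not ids:
        problems.append("signingSecretId is required")
        ids = []
    provider = config.get("secretsProvider")
    if provider is None:
        problems.append("secretsProvider is required")
    elif isinstance(provider, dict) and provider.get("type") == "KeyStoreSecretStore":
        mapped = {m.get("secretId"): m.get("aliases") or []
                  for m in provider.get("config", {}).get("mappings", [])}
        for sid in ids:
            if sid not in mapped:
                problems.append(f"{sid}: no mapping in the KeyStoreSecretStore")
            elif not mapped[sid]:
                problems.append(f"{sid}: mapping lists no aliases")
    # A provider given by name (a reference) is declared elsewhere; not checked here.
    return problems

if __name__ == "__main__":
    print("\n".join(lint_key_manager(SAMPLE)))
```

The check only reads the declaration. It doesn't open the keystore, so it can't confirm that the alias exists or holds a private key.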

## More information

[Secrets](secrets.html)

[org.forgerock.openig.secrets.SecretsKeyManagerHeaplet](../_attachments/apidocs/org/forgerock/openig/secrets/SecretsKeyManagerHeaplet.html)
