Secret Vault

Store your AI provider API keys and 3rd-party service tokens (e.g., SendGrid, Telegram, SMTP) in your own AWS Lambda instead of AiTalk's database. When enabled, keys and tokens are fetched directly from your Lambda at runtime; nothing is stored on our servers.


How It Works

Normal Mode:
  AiTalk Server ──(API Key from DB)──→ OpenAI / Claude / etc.

Secret Vault Mode:
  AiTalk Server ──(request key)──→ Your AWS Lambda ──(returns key)──→ AiTalk uses it once
                                                                      then discards from memory

With Secret Vault enabled:

  • Your AI provider API keys and 3rd-party service tokens (SendGrid, Telegram, SMTP, etc.) are stored only in your AWS Lambda environment variables

  • AiTalk fetches them at runtime, uses them for the API call, then discards them

  • If your Lambda is unreachable, API calls will fail; there is no fallback to the database (by design)

  • OAuth connections (e.g., Google Drive) always use the database (automatic token refresh is required)


Prerequisites

  • An AWS account (free tier is sufficient)

  • Basic familiarity with the AWS Console

Cost: AWS Lambda includes 1 million free requests per month (permanent free tier). For most users, Secret Vault costs $0/month.


Setup Guide

Step 1: Create an AWS Lambda Function

  1. Click Create function

  2. Choose Author from scratch

  3. Settings:

    • Function name: aitalk-secret-vault (or any name you prefer)

    • Runtime: Node.js 20.x

    • Architecture: x86_64

  4. Click Create function

Step 2: Deploy the Template Code

  1. In AiTalk, go to Settings > Security

  2. Click Download Lambda Template to get the secret-vault-lambda.js file

  3. In the AWS Lambda console, go to the Code tab

  4. Replace the default code with the contents of the downloaded template

  5. Click Deploy

Step 3: Enable Function URL

  1. Go to the Configuration tab → Function URL

  2. Click Create function URL

  3. Auth type: NONE (authentication is handled by the Bearer token)

  4. Click Save

Important: "Missing permissions" warning

After saving, you may see a warning: "Your function URL auth type is NONE, but is missing permissions required for public access."

To fix this:

  1. Click Edit on the Function URL page

  2. Scroll down to View policy statement and verify the policy includes both lambda:InvokeFunctionUrl and lambda:InvokeFunction with Principal: "*"

  3. Click Save again

  4. The warning should change to: "Your function URL is public. Anyone with the URL can access your function."

This is expected: security is handled by the Bearer token in the Lambda code, not by AWS IAM.

  5. Copy the generated Function URL (e.g., https://xxxxxxxxxx.lambda-url.eu-west-1.on.aws/)

Step 4: Add Your Secrets as Environment Variables

  1. Go to the Configuration tab → Environment variables

  2. Click Edit

  3. Add your secrets using the exact key names shown in the Vault Key Reference table in AiTalk Settings:

  Key Name                         Value                    Description
  AUTH_TOKEN                       (generated in Step 5)    Authentication token
  ai_provider_openai_api_key       sk-xxxxxxxx...           OpenAI API Key
  ai_provider_anthropic_api_key    sk-ant-xxxxxxxx...       Claude API Key
  ai_provider_google_api_key       AIzaxxxxxxxx...          Gemini API Key
  wf_conn_{connectionId}_token     (your token)             Workflow connection tokens
  bot_channel_{channelId}_token    (your token)             Bot channel tokens

The exact key names for your workflow connections and bot channels are listed in Settings > Security > Vault Key Reference.

  4. Click Save

Step 5: Connect AiTalk to Your Lambda

  1. In AiTalk, go to Settings > Security

  2. Paste the Lambda Function URL

  3. Click Generate New Token and copy the token

  4. Go back to your Lambda Environment variables and set AUTH_TOKEN to this token

  5. Click Test Connection to verify

  6. Click Save & Enable


Vault Key Reference

The key names used in your Lambda environment variables must match exactly. You can find all key names in Settings > Security > Vault Key Reference.

AI Provider Keys

  Provider              Key Name
  OpenAI                ai_provider_openai_api_key
  Anthropic (Claude)    ai_provider_anthropic_api_key
  Google (Gemini)       ai_provider_google_api_key
  DeepSeek              ai_provider_deepseek_api_key
  Grok                  ai_provider_grok_api_key

Workflow Connection Tokens

Format: wf_conn_{connectionId}_token

Examples:

  • wf_conn_cm1abc123def_token (Telegram connection)

  • wf_conn_cm2xyz789ghi_token (SendGrid connection)

Bot Channel Tokens

Format: bot_channel_{channelId}_token

For Slack bots, two keys are needed:

  • bot_channel_{channelId}_slack_bot_token

  • bot_channel_{channelId}_slack_signing_secret


Disabling Secret Vault

  1. Go to Settings > Security

  2. Click Disable

  3. AiTalk will revert to using the encrypted keys stored in the database

Your database-stored keys are never deleted when Vault is enabled, so you can switch back at any time.


Troubleshooting

  Problem                              Solution
  "Connection failed" on Test          Check that your Lambda Function URL is correct and the function is deployed
  "Unauthorized" error                 Verify the AUTH_TOKEN in your Lambda matches the token in AiTalk
  "Key not found" error                Check that the key name in the Lambda environment variables matches exactly (case-sensitive)
  AI chat not working after enabling   Ensure all required API key environment variables are set in Lambda
  Workflow fails after enabling        Check that all workflow connection tokens are added to Lambda


Security Notes

  • The Bearer token authenticates requests between AiTalk and your Lambda

  • Only your AWS account can access the Lambda environment variables

  • AiTalk never stores, logs, or caches the secrets retrieved from your Lambda

  • For maximum security, restrict Lambda access using AWS IAM policies
