# AWSSecretStore API

Secret store backed by AWS Secrets Manager.

---
Canonical: /handbook/api/classes/_purista_aws-secret-store.AWSSecretStore/
Source: aws-secret-store/src/AWSSecretStore.impl.ts
Format: Markdown for agents
---

Secret store backed by AWS Secrets Manager.

Package: `@purista/aws-secret-store`

## Signature

```typescript
class AWSSecretStore
```

## Examples

```typescript
const store = new AWSSecretStore({
  client: { region: 'eu-central-1' },
  cacheTtl: 30_000,
})

await store.setSecret('tenants/acme/prod/payments/api-token', 'placeholder-secret')
const secret = await store.getSecret('tenants/acme/prod/payments/api-token')
```

## Members

### Constructors

- `new constructor(config: { cacheTtl: number; client: SecretsManagerClientConfigType; enableCache: boolean; enableGet: boolean; enableRemove: boolean; enableSet: boolean; ... })` — Creates an AWS Secrets Manager-backed secret store.

### Properties

- `cache: SecretStoreCacheMap` — Optional in-memory cache of secret values.
- `client: SecretsManagerClient` — AWS SDK client used for Secrets Manager requests.
- `config: { cacheTtl: number; client: SecretsManagerClientConfigType; enableCache: boolean; enableGet: boolean; enableRemove: boolean; enableSet: boolean; ... }` — Store configuration including operation toggles and cache settings.
- `logger: Logger` — Child logger scoped to the store name.
- `name: string` — Store name used in logs and diagnostics.

### Methods

- `destroy(): Promise<void>` — Shutdown hook for store adapters.
- `getSecret<SecretNames>(...secretNames: SecretNames): Promise<ObjectWithKeysFromStringArray<SecretNames, string | undefined>>` — Get one or more secrets by name.
- `getSecretImpl<SecretNames>(...secretNames: SecretNames): Promise<ObjectWithKeysFromStringArray<SecretNames, string | undefined>>` — Adapter-specific secret lookup implementation.
- `removeSecret(secretName: string): Promise<void>` — Remove one secret by name.
- `removeSecretImpl(secretName: string): Promise<void>` — Adapter-specific secret removal implementation.
- `setSecret(secretName: string, secretValue: string): Promise<void>` — Store or replace one secret value.
- `setSecretImpl(secretName: string, secretValue: string): Promise<void>` — Adapter-specific secret write implementation.