# AzureSecretStore API

Secret store backed by Azure Key Vault.

---
Canonical: /handbook/api/classes/_purista_azure-secret-store.AzureSecretStore/
Source: azure-secret-store/src/AzureSecretStore.impl.ts
Format: Markdown for agents
---

Secret store backed by Azure Key Vault.

Package: `@purista/azure-secret-store`

## Signature

```typescript
class AzureSecretStore
```

## Examples

```typescript
const store = new AzureSecretStore({
  vaultUrl: 'https://example-vault.vault.azure.net',
  cacheTtl: 30_000,
})

await store.setSecret('acme-prod-payments-api-token', 'placeholder-secret')
const secret = await store.getSecret('acme-prod-payments-api-token')
```

## Members

### Constructors

- `new constructor(config: { allowInsecureConnection: boolean; cacheTtl: number; enableCache: boolean; enableGet: boolean; enableRemove: boolean; enableSet: boolean; ... })` — Creates an Azure Key Vault-backed secret store.

### Properties

- `cache: SecretStoreCacheMap` — Optional in-memory cache of secret values.
- `client: SecretClient` — Azure Key Vault client used for secret operations.
- `config: { allowInsecureConnection: boolean; cacheTtl: number; enableCache: boolean; enableGet: boolean; enableRemove: boolean; enableSet: boolean; ... }` — Store configuration including operation toggles and cache settings.
- `logger: Logger` — Child logger scoped to the store name.
- `name: string` — Store name used in logs and diagnostics.

### Methods

- `destroy(): Promise<void>` — Shutdown hook for store adapters.
- `getSecret<SecretNames>(...secretNames: SecretNames): Promise<ObjectWithKeysFromStringArray<SecretNames, string | undefined>>` — Get one or more secrets by name.
- `getSecretImpl<SecretNames>(...secretNames: SecretNames): Promise<ObjectWithKeysFromStringArray<SecretNames, string | undefined>>` — Adapter-specific secret lookup implementation.
- `removeSecret(secretName: string): Promise<void>` — Remove one secret by name.
- `removeSecretImpl(secretName: string): Promise<void>` — Adapter-specific secret removal implementation.
- `setSecret(secretName: string, secretValue: string): Promise<void>` — Store or replace one secret value.
- `setSecretImpl(secretName: string, secretValue: string): Promise<void>` — Adapter-specific secret write implementation.