Secrets & Sharing
These are the client APIs for the encrypted side of a space: SecretsService stores/reads secrets in the secrets space (over the vault), and SharingService lets an owner share a secret — or any capability — with another identity via a self-contained share link.
Shape
SecretsService (packages/sdk-services/src/secrets/SecretsService.ts; node/web variants NodeSecretsService/WebSecretsService) — get/set/list secrets resolved to vault/secrets/<NAME> paths, encrypted via encryption-networks.
SharingService (packages/sdk-core/src/delegations/SharingService.ts) — produces share artifacts; the v2 form is a self-contained client-side token (the recipient needs no prior account), backed by a delegation of the relevant read + decrypt capabilities.
Mechanics
Sharing a secret composes two grants: a read capability over the KV path and a decrypt capability on the network (user-bound-decrypt). SharingService packages these as a PortableDelegation; the recipient redeems it (web receive helper in web-sdk) to read and decrypt — without the owner exposing the underlying key.
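The two-grant composition described above can be checked for least privilege before a share is handed out. The following is an added example, not code from the SDK: the Grant type, the ability strings, the name validation rule and all function names are hypothetical, and the sample network id in the test is constructed.

```typescript
// Hypothetical model of a share; these types and ability strings are not the SDK's.
type Grant =
  | { ability: "kv/read"; path: string }
  | { ability: "network/decrypt"; network: string };

// Secret names resolve to vault/secrets/<NAME>. Assumed rule: reject names
// containing separators, wildcards or ".." so a share cannot widen its path.
function secretPath(name: string): string {
  if (!/^[A-Za-z0-9_.-]+$/.test(name) || name.includes("..")) {
    throw new Error(`invalid secret name: ${name}`);
  }
  return `vault/secrets/${name}`;
}

// A share carries both grants: read over the KV path, decrypt on the network.
function composeShare(name: string, network: string): Grant[] {
  return [
    { ability: "kv/read", path: secretPath(name) },
    { ability: "network/decrypt", network },
  ];
}

// Returns a list of problems; an empty list means the share is scoped to
// exactly one secret and one network, with both halves present.
function auditShare(grants: Grant[], name: string, network: string): string[] {
  const problems: string[] = [];
  const want = secretPath(name);
  if (!grants.some((g) => g.ability === "kv/read")) {
    problems.push("missing read grant");
  }
  if (!grants.some((g) => g.ability === "network/decrypt")) {
    problems.push("missing decrypt grant");
  }
  for (const g of grants) {
    if (g.ability === "kv/read" && g.path !== want) {
      problems.push(`read grant too broad or wrong path: ${g.path}`);
    }
    if (g.ability === "network/decrypt" && g.network !== network) {
      problems.push(`decrypt grant on unexpected network: ${g.network}`);
    }
  }
  return problems;
}
```

A read grant alone yields ciphertext the recipient cannot open, and a decrypt grant alone yields nothing to open, which is why the audit reports either half missing.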
Relationships
Stores into secrets-space / vault-secrets via the vault; encrypts with encryption-networks + decrypts via user-bound-decrypt; shares by delegating capabilities; the data-source pattern is shown in example-listen (vault/secrets/*).
Status & drift
Shipped. v2 share links are self-contained (no recipient pre-registration); older link forms required a node round-trip.
Sources
js-sdk: packages/sdk-services/src/secrets/SecretsService.ts, packages/sdk-core/src/delegations/SharingService.ts