External backends for parameter values
By default, nullplatform stores parameter values in its own database. External backends let you keep those values in a system you control instead. Each backend is configured as a provider, so it inherits the standard NRN and dimensions model.
Why use an external backend
You'll typically reach for one of these when:
- A compliance requirement says secrets must stay inside a system you operate.
- You already have a secret manager and don't want to mirror values across systems.
- You want full control over how values are stored, retrieved, and audited, without nullplatform sitting in the data path.
Nothing about the developer experience changes when you flip a backend on: parameter values still appear in the same place in the UI, and the CLI and API contract stay the same.
Available backends
All backends are configured under Platform settings > Security & Secrets.
HashiCorp Vault
A managed integration with HashiCorp Vault. You give nullplatform a Vault address and a token, and parameter values stored under the configured NRN land in Vault automatically. The token is encrypted at rest and masked in API responses.
💡 Use this when you want a turnkey secret-management backend and you already run Vault, or you're happy to stand one up.
External parameters
A marker backend that hands lifecycle events off to a notification channel you configure. Nullplatform never touches the value; it only emits notifications (parameter:store, parameter:retrieve, parameter:delete, parameter:notify). Your handler, whether it's an agent script running inside your infrastructure or an HTTP endpoint you expose, decides where the value lives.
💡 Use this when no off-the-shelf integration matches your needs, or when you want to build on top of a backend nullplatform doesn't ship natively (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, an internal vault, etc.).
Comparing the two
| HashiCorp Vault | External parameters | |
|---|---|---|
| Setup effort | Low (configure provider, supply token) | Medium (configure provider, set up channel, implement handler) |
| Storage location | HashiCorp Vault, addressed by your token | Anywhere your handler writes to |
| Token / credentials managed by | Nullplatform (encrypted at rest) | You |
| Token rotation | Update the provider; old token kept valid during grace period | Up to your handler |
| Best for | Teams already running Vault | Teams that need a custom backend |
How values flow
These backends sit between the parameter API and where the value finally lives.
The provider tells nullplatform which backend applies to a given {NRN, dimensions} tuple. NRN inheritance picks the most specific match: a backend configured at organization=1:account=2 covers every namespace, application, and scope underneath unless a deeper provider overrides it.
Next steps
- Set up HashiCorp Vault: step-by-step guide to point an NRN at Vault.
- Set up external parameters: step-by-step guide to route lifecycle events to your own agent.
- Providers overview: how providers, NRN inheritance, and dimensions work in general.
- Parameters: how parameter values are delivered to your application at runtime.