Centrali Team

Centrali 2.5.0: Secret Fields, Trigger Health, and Platform Hardening

Encrypt sensitive data with secret string fields, monitor trigger health at a glance, and benefit from comprehensive security and observability improvements across the platform.

Centrali 2.5.0 is here with a focus on security, observability, and platform hardening. This release brings encrypted secret fields, trigger health monitoring, and comprehensive improvements to make your applications more secure and easier to operate.

Secret String Fields

Storing sensitive data like API keys, tokens, and credentials just got a lot safer. The new isSecret property option encrypts values at rest and masks them in API responses.

How It Works

Add isSecret: true to any string property:

```json
{
  "name": "api_credentials",
  "properties": [
    { "name": "service_name", "type": "string" },
    { "name": "api_key", "type": "string", "isSecret": true },
    { "name": "api_secret", "type": "string", "isSecret": true }
  ]
}
```

When you read the record, secret fields are automatically masked:

```json
{
  "data": {
    "service_name": "Payment Gateway",
    "api_key": "********",
    "api_secret": "********"
  }
}
```

Reveal When Needed

To access the plaintext value, use the reveal endpoint with explicit permission:

```http
POST /records/slug/api-credentials/{id}/secrets/reveal

{ "fields": ["api_key"] }
```

```json
{
  "revealed": {
    "api_key": "pk_live_abc123xyz"
  }
}
```

Compare Without Revealing

Verify a value matches a stored secret without exposing it:

```http
POST /records/slug/api-credentials/{id}/secrets/compare

{ "field": "api_key", "value": "pk_live_abc123xyz" }
```

```json
{ "matches": true }
```

This is perfect for authentication flows where you need to verify credentials.

Encryption Details

  • Algorithm: AES-256-GCM encryption at rest
  • Key rotation: Rotate keys without downtime using the admin API
  • Batch mode: Rotate keys across all workspaces in a single operation
  • Audit logging: All reveal and compare operations are logged
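
The following added example is not Centrali's code. It illustrates the pattern this section describes using Node's built-in crypto module: AES-256-GCM sealing tagged with a key id so keys can rotate, masked reads, and a compare that never returns plaintext. The keyring, the envelope layout, the use of the field name as AAD, and all function names are assumptions.

```javascript
// Added illustration; not Centrali's implementation. Names and envelope layout are assumptions.
const nodeCrypto = require("node:crypto");

// Constructed keyring: key id -> 32-byte AES-256 key. New writes use activeKeyId.
const keyring = new Map([["k1", nodeCrypto.randomBytes(32)]]);
let activeKeyId = "k1";

// Encrypt one field. The field name is bound as AAD, so a ciphertext moved
// to a different field fails authentication on decrypt.
function seal(field, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", keyring.get(activeKeyId), iv);
  cipher.setAAD(Buffer.from(field));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { kid: activeKeyId, iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt with whichever key the envelope names; throws if the tag or AAD does not verify.
function unseal(field, env) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", keyring.get(env.kid), env.iv);
  decipher.setAAD(Buffer.from(field));
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ct), decipher.final()]).toString("utf8");
}

// Read path: secret fields are replaced by a fixed mask and are never decrypted.
function maskRecord(schema, stored) {
  const out = {};
  for (const p of schema.properties) out[p.name] = p.isSecret ? "********" : stored[p.name];
  return out;
}

// Compare path: hash both sides to equal length, then compare in constant time.
function compareSecret(field, env, candidate) {
  const h = (s) => nodeCrypto.createHash("sha256").update(s, "utf8").digest();
  return nodeCrypto.timingSafeEqual(h(unseal(field, env)), h(candidate));
}

// Rotation: register the new key, make it active, re-seal the value.
// The old key stays in the keyring so envelopes not yet migrated still decrypt.
function rotate(field, env, newKid) {
  if (!keyring.has(newKid)) keyring.set(newKid, nodeCrypto.randomBytes(32));
  activeKeyId = newKid;
  return seal(field, unseal(field, env));
}
```

Keeping the key id inside each envelope is what lets old and new ciphertexts coexist during a rotation; the old key can be retired only after every envelope has been re-sealed.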

Trigger Health Monitoring

Understanding which triggers are healthy, failing, or need attention is now visible at a glance.

Health Badges

The trigger list now shows health badges:

  • Healthy (green) - Running successfully
  • Degraded (yellow) - Experiencing some failures
  • Unhealthy (red) - Consistent failures
  • Paused (gray) - Manually paused

Detailed Health Cards

Click into any trigger to see the new health card with:

  • Success rate over the last 24 hours
  • Recent failure count and error messages
  • Last successful and failed execution times
  • Recommendations for fixing issues

System Triggers

System triggers (internal platform triggers) now hide implementation details that aren't relevant to users, with the Runs tab hidden and click-through disabled.

Function Execution Email Notifications

Subscribe to receive email notifications when your functions complete or fail.

From the console:

  1. Go to any compute function
  2. Click the notification bell icon
  3. Select which events to receive (success, failure, or both)

You'll receive structured emails with:

  • Function name and workspace
  • Execution status and duration
  • Error details for failures
  • Quick link to view the full run

Realtime Compute Events

The SDK playground now streams function completion events via SSE, making it easier to test and debug compute functions in real-time.

Features include:

  • Quick trigger invocation - Invoke triggers with one click
  • Auto job tracking - See job progress as it happens
  • Live event stream - Watch function executions complete in real-time

CSV/JSON Helpers

New utility functions for working with structured data in compute functions:

```typescript
// Parse CSV to JSON
const records = api.parseCSV(csvContent, { headers: true });

// Generate CSV from JSON
const csv = api.generateCSV(records, { includeHeaders: true });

// Store the result
await api.storeFile(csv, 'export.csv', { mimeType: 'text/csv' });
```

Comprehensive Metrics

All backend services now expose detailed Prometheus metrics:

  • HTTP metrics - Request count, latency, and status codes per endpoint
  • NATS metrics - Message throughput, subscription health, and latency
  • Redis metrics - Connection pool utilization and operation latency
  • App-specific metrics - Custom metrics per service (record counts, function executions, etc.)

Metrics are collected with proper label cardinality to avoid explosion in high-traffic scenarios.

Console Improvements

The sidebar navigation has been revamped with:

  • New structure grouping related items
  • Cleaner visual styling
  • Better mobile responsiveness
  • Improved keyboard navigation

Security Hardening

This release includes several security improvements:

  • Scheduler API authorization - All scheduler endpoints now require proper permissions
  • Webhook subscription authorization - Webhook management requires appropriate access
  • Endpoint remediation - Previously unprotected API endpoints now enforce authorization
  • Centralized IAM registration - Consistent resource registration across services

Bug Fixes

  • Storage service no longer burns CPU in NATS subscription loops
  • Search resource names use consistent kebab-case in auth middleware
  • Tempo traces exclude noisy health/metrics/version endpoints
  • Policy migration handles updated_at column correctly

What's Next

We're continuing to improve observability with distributed tracing improvements and log aggregation. On the security front, we're working on field-level permissions and audit log export.

Get Started

Update your SDK to the latest version:

```bash
npm install @centrali-io/centrali-sdk@latest
```

Check the secret fields documentation for detailed guides on encryption and key rotation.

Visit the changelog for the complete list of changes.