feat: add optional flag to skip secret masking during export (#1396)

harshithRai · web-flow · commit da903800cf68 · 2026-06-03T15:10:12.000+05:30
* feat: add AUTH0_EXPORT_SECRETS flag to allow exporting real secret values Adds optional AUTH0_EXPORT_SECRETS config flag (and --export_secrets CLI option) that skips secret masking during export. When disabled (default), secrets continue to be replaced with placeholder markers like ##CONNECTIONS_OAUTH2_SECRET##. Addresses issue #1356.
diff --git a/docs/configuring-the-deploy-cli.md b/docs/configuring-the-deploy-cli.md
@@ -179,6 +179,12 @@ Boolean. When enabled, will return identifiers of all resources. May be useful f
 
 Boolean. When enabled, exports JSON and YAML resources with keys sorted alphabetically, producing stable and deterministic output. Useful for reducing noise in diffs when keys would otherwise appear in non-deterministic order. Default: `false`.
 
+### `AUTH0_EXPORT_SECRETS`
+
+Boolean. When enabled, exports actual secret values (e.g. connection `client_secret`, log stream tokens, email provider credentials, attack protection CAPTCHA secrets) instead of replacing them with placeholder markers like `##CONNECTIONS_OAUTH2_SECRET##`. Useful for backup and restore scenarios where secrets need to be preserved. Default: `false`.
+
+> **Warning:** Enabling this option will write real credentials to exported files. Use with caution in shared or version-controlled environments.
+
 ### `EXCLUDED_PROPS`
 
 Provides ability to exclude any unwanted properties from management.
diff --git a/docs/using-as-cli.md b/docs/using-as-cli.md
@@ -29,6 +29,10 @@ Boolean. When enabled, will export the identifier fields for each resource. Defa
 
 Boolean. When enabled, exports resource configuration files with keys sorted alphabetically, producing stable and deterministic output. Useful for reducing noise in diffs. Default: `false`.
 
+### `--export_secrets`
+
+Boolean. When enabled, exports actual secret values instead of replacing them with placeholder markers (e.g. `##SMTP_PASS##`). Useful for backup and restore scenarios. **Warning:** real credentials will be written to exported files. Default: `false`.
+
 ### `--env`
 
 Boolean. Indicates if the tool should ingest environment variables or not. Default: `true`.
@@ -56,6 +60,9 @@ a0deploy export -c=config.json --format=directory --output_folder=local
 
 # Fetching Auth0 tenant configurations with IDs of all assets
 a0deploy export -c=config.json --format=yaml --output_folder=local --export_ids=true
+
+# Fetching Auth0 tenant configurations including real secret values
+a0deploy export -c=config.json --format=directory --output_folder=local --export_secrets
 ```
 
 ## `import` command
diff --git a/src/args.ts b/src/args.ts
@@ -26,6 +26,7 @@ type ExportSpecificParams = {
   output_folder: string;
   export_ids?: boolean;
   export_ordered?: boolean;
+  export_secrets?: boolean;
 };
 
 export type ExportParams = ExportSpecificParams & SharedParams;
@@ -138,6 +139,11 @@ function getParams(): CliParams {
         describe: 'Order keys in exported JSON files for consistent diffs.',
         type: 'boolean',
       },
+      export_secrets: {
+        describe: 'Export actual secret values instead of placeholder markers.',
+        type: 'boolean',
+        default: false,
+      },
     })
     .example(
       '$0 export -c config.json -f yaml -o path/to/export',
diff --git a/src/commands/export.ts b/src/commands/export.ts
@@ -16,6 +16,7 @@ export default async function exportCMD(params: ExportParams) {
     config: configObj,
     export_ids: exportIds,
     export_ordered: exportOrdered,
+    export_secrets: exportSecrets,
     secret: clientSecret,
     env: shouldInheritEnv = false,
     experimental_ea: experimentalEA,
@@ -51,6 +52,11 @@ export default async function exportCMD(params: ExportParams) {
     overrides.AUTH0_EXPORT_ORDERED = exportOrdered;
   }
 
+  // Allow passed in export_secrets to override the configured one
+  if (exportSecrets) {
+    overrides.AUTH0_EXPORT_SECRETS = exportSecrets;
+  }
+
   // Overrides AUTH0_INCLUDE_EXPERIMENTAL_EA is experimental_ea passed in command line
   if (experimentalEA) {
     overrides.AUTH0_EXPERIMENTAL_EA = experimentalEA;
diff --git a/src/context/defaults.ts b/src/context/defaults.ts
@@ -1,9 +1,22 @@
 import { AttackProtection } from '../tools/auth0/handlers/attackProtection';
 import { maskSecretAtPath } from '../tools/utils';
+import { Config } from '../types';
+
+// env vars arrive as strings, so check both forms
+function isExportSecrets(config?: Pick<Config, 'AUTH0_EXPORT_SECRETS'>): boolean {
+  return (
+    config?.AUTH0_EXPORT_SECRETS === true || (config?.AUTH0_EXPORT_SECRETS as unknown) === 'true'
+  );
+}
 
 // eslint-disable-next-line import/prefer-default-export
-export function emailProviderDefaults(emailProvider) {
+export function emailProviderDefaults(
+  emailProvider,
+  config?: Pick<Config, 'AUTH0_EXPORT_SECRETS'>
+) {
   // eslint-disable-line
+  if (isExportSecrets(config)) return emailProvider;
+
   const updated = { ...emailProvider };
 
   const apiKeyProviders = ['mailgun', 'mandrill', 'sendgrid', 'sparkpost'];
@@ -111,8 +124,8 @@ export function phoneTemplatesDefaults(phoneTemplate) {
   return updated;
 }
 
-export function connectionDefaults(connection) {
-  if (connection.options) {
+export function connectionDefaults(connection, config?: Pick<Config, 'AUTH0_EXPORT_SECRETS'>) {
+  if (!isExportSecrets(config) && connection.options) {
     // Mask secret for key: connection.options.client_secret
     maskSecretAtPath({
       resourceTypeName: 'connections',
@@ -124,7 +137,9 @@ export function connectionDefaults(connection) {
   return connection;
 }
 
-export function logStreamDefaults(logStreams) {
+export function logStreamDefaults(logStreams, config?: Pick<Config, 'AUTH0_EXPORT_SECRETS'>) {
+  if (isExportSecrets(config)) return logStreams;
+
   // masked sensitive fields
   const sensitiveKeys = [
     'httpAuthorization',
@@ -152,7 +167,12 @@ export function logStreamDefaults(logStreams) {
   return maskedLogStreams;
 }
 
-export function attackProtectionDefaults(attackProtection: AttackProtection) {
+export function attackProtectionDefaults(
+  attackProtection: AttackProtection,
+  config?: Pick<Config, 'AUTH0_EXPORT_SECRETS'>
+) {
+  if (isExportSecrets(config)) return attackProtection;
+
   const { captcha } = attackProtection;
 
   if (captcha) {
diff --git a/src/context/directory/handlers/attackProtection.ts b/src/context/directory/handlers/attackProtection.ts
@@ -85,7 +85,7 @@ async function dump(context: DirectoryContext): Promise<void> {
   const files = attackProtectionFiles(context.filePath);
   fs.ensureDirSync(files.directory);
 
-  const maskedAttackProtection = attackProtectionDefaults(attackProtection);
+  const maskedAttackProtection = attackProtectionDefaults(attackProtection, context.config);
 
   if (maskedAttackProtection.botDetection) {
     dumpJSON(files.botDetection, maskedAttackProtection.botDetection);
diff --git a/src/context/directory/handlers/connections.ts b/src/context/directory/handlers/connections.ts
@@ -100,7 +100,7 @@ async function dump(context: DirectoryContext): Promise<void> {
     const connectionName = sanitize(dumpedConnection.name);
 
     // Mask secrets
-    dumpedConnection = connectionDefaults(dumpedConnection);
+    dumpedConnection = connectionDefaults(dumpedConnection, context.config);
 
     if (dumpedConnection.strategy === 'email') {
       ensureProp(dumpedConnection, 'options.email.body');
diff --git a/src/context/directory/handlers/emailProvider.ts b/src/context/directory/handlers/emailProvider.ts
@@ -36,7 +36,7 @@ async function dump(context: DirectoryContext): Promise<void> {
     const excludedDefaults = context.assets.exclude?.defaults || [];
     if (!excludedDefaults.includes('emailProvider')) {
       // Add placeholder for credentials as they cannot be exported
-      return emailProviderDefaults(context.assets.emailProvider);
+      return emailProviderDefaults(context.assets.emailProvider, context.config);
     }
     return context.assets.emailProvider;
   })();
diff --git a/src/context/directory/handlers/logStreams.ts b/src/context/directory/handlers/logStreams.ts
@@ -40,7 +40,7 @@ async function dump(context: DirectoryContext): Promise<void> {
   fs.ensureDirSync(logStreamsDirectory);
 
   // masked sensitive fields
-  const maskedLogStreams = logStreamDefaults(logStreams);
+  const maskedLogStreams = logStreamDefaults(logStreams, context.config);
 
   maskedLogStreams.forEach((logStream) => {
     const ruleFile = path.join(logStreamsDirectory, `${sanitize(logStream.name)}.json`);
diff --git a/src/context/yaml/handlers/attackProtection.ts b/src/context/yaml/handlers/attackProtection.ts
@@ -43,7 +43,7 @@ async function dump(context: YAMLContext): Promise<ParsedAttackProtection> {
     attackProtectionConfig.captcha = captcha;
   }
 
-  const maskedAttackProtection = attackProtectionDefaults(attackProtectionConfig);
+  const maskedAttackProtection = attackProtectionDefaults(attackProtectionConfig, context.config);
 
   return {
     attackProtection: maskedAttackProtection,
diff --git a/src/context/yaml/handlers/connections.ts b/src/context/yaml/handlers/connections.ts
@@ -72,7 +72,7 @@ async function dump(context: YAMLContext): Promise<ParsedConnections> {
       };
 
       // Mask secrets
-      dumpedConnection = connectionDefaults(dumpedConnection);
+      dumpedConnection = connectionDefaults(dumpedConnection, context.config);
 
       if (dumpedConnection.strategy === 'email') {
         ensureProp(connection, 'options.email.body');
diff --git a/src/context/yaml/handlers/emailProvider.ts b/src/context/yaml/handlers/emailProvider.ts
@@ -23,7 +23,7 @@ async function dump(context: YAMLContext): Promise<ParsedEmailProvider> {
     const excludedDefaults = context.assets.exclude?.defaults || [];
     if (emailProvider && !excludedDefaults.includes('emailProvider')) {
       // Add placeholder for credentials as they cannot be exported
-      return emailProviderDefaults(emailProvider);
+      return emailProviderDefaults(emailProvider, context.config);
     }
     return emailProvider;
   })();
diff --git a/src/context/yaml/handlers/logStreams.ts b/src/context/yaml/handlers/logStreams.ts
@@ -21,7 +21,7 @@ async function dump(context: YAMLContext): Promise<ParsedLogStreams> {
   if (!logStreams) return { logStreams: null };
 
   // masked sensitive fields
-  const maskedLogStreams = logStreamDefaults(logStreams);
+  const maskedLogStreams = logStreamDefaults(logStreams, context.config);
 
   return {
     logStreams: maskedLogStreams,
diff --git a/src/types.ts b/src/types.ts
@@ -78,6 +78,7 @@ export type Config = {
   AUTH0_KEYWORD_REPLACE_MAPPINGS?: KeywordMappings;
   AUTH0_EXPORT_IDENTIFIERS?: boolean;
   AUTH0_EXPORT_ORDERED?: boolean;
+  AUTH0_EXPORT_SECRETS?: boolean;
   AUTH0_CONNECTIONS_DIRECTORY?: string;
   AUTH0_DRY_RUN?: boolean | 'preview';
   AUTH0_DRY_RUN_INTERACTIVE?: boolean;
diff --git a/test/commands/export.test.ts b/test/commands/export.test.ts
@@ -0,0 +1,45 @@
+import { expect } from 'chai';
+import * as sinon from 'sinon';
+
+import exportCMD from '../../src/commands/export';
+import * as contextModule from '../../src/context';
+
+describe('#export command', () => {
+  let sandbox: sinon.SinonSandbox;
+
+  beforeEach(() => {
+    sandbox = sinon.createSandbox();
+    sandbox.stub(contextModule, 'setupContext').resolves({
+      dump: sandbox.stub().resolves(),
+    } as any);
+  });
+
+  afterEach(() => {
+    sandbox.restore();
+  });
+
+  it('should set AUTH0_EXPORT_SECRETS when export_secrets flag is passed', async () => {
+    await exportCMD({
+      _: ['export'],
+      output_folder: 'local',
+      format: 'directory',
+      export_secrets: true,
+      env: false,
+    } as any);
+
+    const [config] = (contextModule.setupContext as sinon.SinonStub).firstCall.args;
+    expect(config.AUTH0_EXPORT_SECRETS).to.equal(true);
+  });
+
+  it('should not set AUTH0_EXPORT_SECRETS when export_secrets flag is absent', async () => {
+    await exportCMD({
+      _: ['export'],
+      output_folder: 'local',
+      format: 'directory',
+      env: false,
+    } as any);
+
+    const [config] = (contextModule.setupContext as sinon.SinonStub).firstCall.args;
+    expect(config.AUTH0_EXPORT_SECRETS).to.equal(undefined);
+  });
+});
diff --git a/test/context/defaults.test.js b/test/context/defaults.test.js
@@ -4,6 +4,7 @@ import {
   emailProviderDefaults,
   connectionDefaults,
   logStreamDefaults,
+  attackProtectionDefaults,
 } from '../../src/context/defaults';
 
 describe('#context defaults', () => {
@@ -162,6 +163,34 @@ describe('#context defaults', () => {
 
       expect(result.options.client_secret).to.equal('##CONNECTIONS_CUSTOM_OAUTH_2_0_SECRET##');
     });
+
+    it('should not mask client_secret when AUTH0_EXPORT_SECRETS is true', () => {
+      const connection = {
+        name: 'Test Connection',
+        strategy: 'oauth2',
+        options: {
+          client_secret: 'real_secret_value',
+        },
+      };
+
+      const result = connectionDefaults(connection, { AUTH0_EXPORT_SECRETS: true });
+
+      expect(result.options.client_secret).to.equal('real_secret_value');
+    });
+
+    it('should not mask client_secret when AUTH0_EXPORT_SECRETS is the string "true"', () => {
+      const connection = {
+        name: 'Test Connection',
+        strategy: 'oauth2',
+        options: {
+          client_secret: 'real_secret_value',
+        },
+      };
+
+      const result = connectionDefaults(connection, { AUTH0_EXPORT_SECRETS: 'true' });
+
+      expect(result.options.client_secret).to.equal('real_secret_value');
+    });
   });
 
   describe('logStreamDefaults', () => {
@@ -361,5 +390,53 @@ describe('#context defaults', () => {
 
       expect(result[0].sink.httpAuthorization).to.equal('##LOGSTREAMS_CUSTOM_HTTP_2_0_SECRET##');
     });
+
+    it('should not mask sensitive fields when AUTH0_EXPORT_SECRETS is true', () => {
+      const logStreams = [
+        {
+          name: 'HTTP Stream',
+          type: 'http',
+          sink: {
+            httpEndpoint: 'https://example.com/logs',
+            httpAuthorization: 'Bearer real_token',
+          },
+        },
+      ];
+
+      const result = logStreamDefaults(logStreams, { AUTH0_EXPORT_SECRETS: true });
+
+      expect(result[0].sink.httpAuthorization).to.equal('Bearer real_token');
+      expect(result[0].sink.httpEndpoint).to.equal('https://example.com/logs');
+    });
+  });
+
+  describe('emailProviderDefaults with AUTH0_EXPORT_SECRETS', () => {
+    it('should not mask credentials when AUTH0_EXPORT_SECRETS is true', () => {
+      const emailProvider = {
+        name: 'smtp',
+        credentials: {
+          smtp_host: 'mail.example.com',
+          smtp_pass: 'real_password',
+        },
+      };
+
+      const result = emailProviderDefaults(emailProvider, { AUTH0_EXPORT_SECRETS: true });
+
+      expect(result).to.deep.equal(emailProvider);
+    });
+  });
+
+  describe('attackProtectionDefaults with AUTH0_EXPORT_SECRETS', () => {
+    it('should not mask captcha secrets when AUTH0_EXPORT_SECRETS is true', () => {
+      const attackProtection = {
+        captcha: {
+          hcaptcha: { secret: 'real-hcaptcha-secret' },
+        },
+      };
+
+      const result = attackProtectionDefaults(attackProtection, { AUTH0_EXPORT_SECRETS: true });
+
+      expect(result.captcha.hcaptcha.secret).to.equal('real-hcaptcha-secret');
+    });
   });
 });
diff --git a/test/context/directory/logStreams.test.js b/test/context/directory/logStreams.test.js

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ async function dump(context: DirectoryContext): Promise<void> {`
`36`	`36`	`const excludedDefaults = context.assets.exclude?.defaults \|\| [];`
`37`	`37`	`if (!excludedDefaults.includes('emailProvider')) {`
`38`	`38`	`// Add placeholder for credentials as they cannot be exported`
`39`		`- return emailProviderDefaults(context.assets.emailProvider);`
	`39`	`+ return emailProviderDefaults(context.assets.emailProvider, context.config);`
`40`	`40`	`}`
`41`	`41`	`return context.assets.emailProvider;`
`42`	`42`	`})();`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ async function dump(context: YAMLContext): Promise<ParsedAttackProtection> {`
`43`	`43`	`attackProtectionConfig.captcha = captcha;`
`44`	`44`	`}`
`45`	`45`
`46`		`- const maskedAttackProtection = attackProtectionDefaults(attackProtectionConfig);`
	`46`	`+ const maskedAttackProtection = attackProtectionDefaults(attackProtectionConfig, context.config);`
`47`	`47`
`48`	`48`	`return {`
`49`	`49`	`attackProtection: maskedAttackProtection,`