# Overview of the MysteryBox service

*MysteryBox* is a Nebius AI Cloud service for centralized management of secrets. A secret lets you securely store sensitive information, such as API keys, passwords or certificates, in encrypted form. With MysteryBox, you avoid hardcoding sensitive data in places such as [Terraform manifests](../terraform-provider) or cloud-init scripts. As a result, you eliminate the vulnerabilities that hardcoded credentials introduce and stay compliant with security requirements.

A typical workflow is to [create a secret](./secrets/create) in MysteryBox and store sensitive information there. After that, you or a [service account](../iam/overview#accounts-and-members) uses this secret, for instance, in a script, CI/CD pipeline, runtime application or Terraform manifest.

## MysteryBox use cases

MysteryBox integrates with different Nebius AI Cloud resources. For instance, you can use secrets when working with [Compute virtual machines](../compute) (VMs), containers or managed services.

Examples:

* On a Compute VM, you create a script that uses an API key for the application configuration or third-party API access. You save this API key to a MysteryBox secret. A service account associated with the given VM launches the script and retrieves the secret with the API key.
* You [create an access key](../iam/service-accounts/access-keys) to authenticate a service account in [Object Storage](../object-storage), and you store the secret key in MysteryBox.
* Managed services of Nebius AI Cloud generate passwords and store them in MysteryBox secrets.

## Secrets and versions

A *secret* is the main MysteryBox resource that stores sensitive data. A secret is located in a [project](../iam/overview#projects), but user and service accounts can access the secret within the [region](../overview/regions) if the accounts have the corresponding permissions. User and service accounts in other regions cannot access the secret.

Every secret has multiple versions. A *version* is a snapshot of stored data. You cannot modify this snapshot once it is [created](./secrets/create-version).

A secret has a *primary version*. When you retrieve a secret and do not specify a particular version, MysteryBox provides you with the primary one. By default, this is the latest version unless you [explicitly set the primary version](./secrets/make-version-primary).

Every version contains the *payload* of a secret. The payload consists of one or several key-value pairs. When you create a secret, you put data there in the key-value format. A key represents an ID, and a value contains sensitive data that can be in the form of a string or a binary file.
