Java SDK

OkHttp-based Java SDK for Bella Baxter. First-class Spring Boot and Quarkus integrations.

Installation

Maven

<dependency>
    <groupId>io.bellabaxter</groupId>
    <artifactId>bella-baxter-sdk</artifactId>
    <version>1.0.0</version>
</dependency>

Gradle (Kotlin DSL)

implementation("io.bellabaxter:bella-baxter-sdk:1.0.0")

Requires Java 21+.

Quick Start

BaxterClient client = new BaxterClient(
    BaxterClientOptions.builder()
        .baxterUrl(System.getenv("BELLA_BAXTER_URL"))
        .apiKey(System.getenv("BELLA_BAXTER_API_KEY"))
        .build()
);

Map<String, String> secrets = client.getAllSecrets();
System.out.println(secrets.get("DATABASE_URL"));

Spring Boot Integration

Use an EnvironmentPostProcessor — the only Spring hook that runs before beans are created, so @Value("${DATABASE_URL}") and application.properties placeholders work correctly.

@Component
public class BellaEnvironmentPostProcessor implements EnvironmentPostProcessor {
    @Override
    public void postProcessEnvironment(ConfigurableEnvironment env, SpringApplication app) {
        var secrets = new BaxterClient(...).getAllSecrets();
        env.getPropertySources().addFirst(new MapPropertySource("bella", secrets));
    }
}

→ Full Spring Boot sample

Quarkus Integration

@ApplicationScoped
public class SecretsLoader {
    void onStart(@Observes StartupEvent ev) {
        Map<String, String> secrets = client.getAllSecrets();
        secrets.forEach(System::setProperty);
    }
}

→ Full Quarkus sample

Zero-Knowledge Encryption (ZKE)

By default the SDK generates a fresh P-256 keypair per request (ephemeral E2EE). With ZKE you supply a persistent device key — the server audits which host fetched each secret and the SDK caches the wrapped DEK.

Generate your device key once:

bella auth setup   # stores in OS keychain; copy the printed PEM

Use it in your app:

BaxterClient client = new BaxterClient(
    BaxterClientOptions.builder()
        .baxterUrl(System.getenv("BELLA_BAXTER_URL"))
        .apiKey(System.getenv("BELLA_BAXTER_API_KEY"))
        // Optional — reads BELLA_BAXTER_PRIVATE_KEY env var automatically
        .privateKeyPem(System.getenv("BELLA_BAXTER_PRIVATE_KEY"))
        .onWrappedDekReceived((wrappedDek, leaseExpires) ->
            System.out.printf("DEK wrapped, expires: %s%n", leaseExpires))
        .build()
);

Or just set the environment variable — the client reads BELLA_BAXTER_PRIVATE_KEY automatically:

export BELLA_BAXTER_PRIVATE_KEY="$(cat ~/.bella/device-key.pem)"

Spring Boot / Quarkus: pass via your environment; no code changes required beyond the env var.

If the variable is not set the SDK falls back to ephemeral E2EE — fully backward-compatible.

Typed Secrets

bella secrets generate java

Generates a BellaAppSecrets record. Spring Boot integration includes @ConfigurationProperties binding.

All Samples

Sample	Pattern	Link
01-dotenv-file	bella pull → dotenv-java	GitHub
02-process-inject	bella run -- java -jar app.jar	GitHub
03-spring-boot	EnvironmentPostProcessor	GitHub
04-quarkus	CDI @Observes StartupEvent	GitHub