Skip to main content

Retrieving a Momento auth token from AWS Secrets Manager

It's best practice to securely store your Momento authentication token. If you are using AWS, you can securely store the auth token in AWS Secrets Manager. With that, only code running with the correct IAM credentials will be able to fetch the auth token and use it to access Momento Cache or Momento Topics.


Just as you should reuse your Momento CacheClient and TopicClient objects when possible, so should you with the Momento auth token from AWS Secrets Manager. Otherwise you risk adding cost, both in time and money, to each Momento API call for the round trip to AWS Secrets Manager. To keep cost low and avoid potential throttling by AWS Secrets Manager it's best to use client side caching of the credentials as detailed in this AWS blog.

Entry in AWS Secrets Manager

When inserting the Momento auth token into AWS Secrets Manager, it should be as plaintext with no JSON as in this screenshot. (Token blurred for security.)

AWS Secrets Manager

Example Code for AWS Secrets Manager

In the code examples below, you can see where the getToken function is called just before creating the Momento cache connection client as that is where the auth token is needed and the only time it is needed.

const {
} = require('@aws-sdk/client-secrets-manager');
const { CacheGet, CacheSet, Configurations, ListCaches, CreateCache,
CacheClient, CredentialProvider } = require('@gomomento/sdk');

// Defines name of cache to use.
const CACHE_NAME = 'demo-cache2';

// A function that gets the Momento_Auth_Token you stored in AWS Secrets Manager.
// The secret was stored as a plaintext string to avoid parsing JSON.
async function getToken(secretName) {
try {
// Set up the AWS Secrets Manager client
const client = new SecretsManagerClient({ region: "us-west-2"});

return await client.send(
new GetSecretValueCommand({
SecretId: secretName,
VersionStage: "AWSCURRENT", // VersionStage defaults to AWSCURRENT if unspecified
} catch (error) {
console.error(`Error fetching secret value for "${secretName}":`, error.message);
// For a list of exceptions thrown, see
throw error;

// Create a Momento cache client connection object
async function createCacheClient() {
// Get the token from AWS Secrets Manager
const token = await getToken("Momento_Auth_Token");

return new CacheClient({
configuration: Configurations.Laptop.v1(),
credentialProvider: CredentialProvider.fromString({"authToken" : token.SecretString}),
defaultTtlSeconds: 600,

// A function to write to the cache
async function writeToCache(client, cacheName, key, data) {
const setResponse = await client.set(cacheName, key, data);
if (setResponse instanceof CacheSet.Success) {
console.log('Key stored successfully!');
} else if (setResponse instanceof CacheSet.Error) {
console.log('Error setting key: ', setResponse.toString());
} else {
console.log('Some other error: ', setResponse.toString());

// A function to read scalar items from the cache
async function readFromCache(client, cacheName, key) {
const fileResponse = await client.get(cacheName, key);
if (fileResponse instanceof CacheGet.Hit) {
console.log('Cache hit: ', fileResponse.valueString());
} else if (fileResponse instanceof CacheGet.Miss) {
console.log('Cache miss');
} else if (fileResponse instanceof CacheGet.Error) {
console.log('Error: ', fileResponse.message());

// Call the various functions
async function run() {
const cacheClient = await createCacheClient();

await writeToCache(cacheClient, CACHE_NAME, "code", "12345");
await readFromCache(cacheClient, CACHE_NAME, "code");



Do I have to do this?
No. You can store your Momento auth token in an environment variable or a file, but that is not best practice as it is not as secure as storing it in something like AWS Secrets Manager.