# Terminology

## Secrets Manager Structure

In order to organize and maintain access to **Secrets**, Keeper Secrets Manager uses structures called **Applications** and **Clients**.

![Keeper Secrets Manager Structure](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MJXOXEifAmpyvNVL1to%2F-MiOVxUjq6ff2wn2Bdp9%2F-MiOWBgBHdzVFevLOHl6%2Fksm_diagram_aug2021.jpg?alt=media\&token=816fbae8-30af-43ac-bfe2-56dd5ebfa14d)

Read below about how each of these items functions in Secrets Manager.

### Secret

Secrets live in records in the Keeper Vault, typically as fields or file attachments of those records.

Any typed record or shared folder from the vault can be shared with an Application.

### Application

An Application is a permission boundary that defines which records and folders a workload can access.

Keeper Secrets Manager Applications are assigned to specific secrets or shared folders. The application is a container of permissions, client devices, audit trail, and history. An application can only decrypt the records assigned to it.

Keeper recommends implementing the principle of least privilege, ensuring client devices only have access to the records they need. Although a Vault user can hold an unlimited number of secrets, Keeper recommends sharing up to 500 records per application for optimal performance.

An example of an Application would be a production GitHub Actions pipeline or a Jenkins server.

### Client Device

A client device is a machine, service, or runtime instance that authenticates to an application. This can include physical or virtual devices, AI agents, or cloud-based systems. Client devices can also be software applications running in the cloud or in CI/CD tools.

Each client device holds its own unique key with which it reads and accesses the secrets.

Clients are subject to the following controls:

* One Time Access Tokens used for initialization that expire after a set time (default 24 hours)
* IP Address lock (optional, disabled by default)
* Access expiration (optional, disabled by default)

An example of a Client Device would be a development machine, a Terraform script, a GitHub Actions instance or an AI agent. At least one client device is required to access the secrets associated with an Application. Multiple client devices can be associated with the same Application.

### Configuration

A Secrets Manager "Configuration" is a set of tokens that includes encryption keys, client identifiers and destination server information used to authenticate and decrypt data from the Keeper Secrets Manager APIs.

Secrets Manager configurations are created from [One Time Access Tokens](https://docs.keeper.io/en/keeperpam/secrets-manager/about/one-time-token) and have a one to one relationship with [client devices](#client-device).

A configuration can be stored as a text file with JSON, or it can be encoded into a single line string.
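Because a configuration carries the client's private key, code that loads it should accept both storage forms, refuse anything malformed, and never write the key material to a log. The following is an added example and not Keeper's own SDK code: it assumes that the single-line form is standard base64 of the same JSON document and that the configuration uses the key names listed in `REQUIRED_KEYS` (both are assumptions; this page names neither), and all sample values are constructed placeholders.

```python
"""Load a Keeper Secrets Manager configuration from either of its two
storage forms (JSON text or a base64-encoded single line), check that
the fields a client needs are present, and produce a log-safe copy.

Added example, not Keeper SDK code. Assumptions (not stated on the page):
  * the one-line form is standard base64 of the same JSON document;
  * REQUIRED_KEYS below are the field names a configuration carries.
"""
import base64
import binascii
import json

# Assumed field names of a KSM configuration.
REQUIRED_KEYS = ("hostname", "clientId", "privateKey", "serverPublicKeyId", "appKey")
# Fields that hold key material and must never reach a log line.
SENSITIVE_KEYS = ("privateKey", "appKey")

# Constructed sample configuration; every value is a placeholder.
SAMPLE_CONFIG = {
    "hostname": "example.invalid",
    "clientId": "PLACEHOLDER_CLIENT_ID",
    "privateKey": "PLACEHOLDER_PRIVATE_KEY",
    "serverPublicKeyId": "PLACEHOLDER_KEY_ID",
    "appKey": "PLACEHOLDER_APP_KEY",
}
SAMPLE_JSON = json.dumps(SAMPLE_CONFIG)
SAMPLE_ONE_LINE = base64.b64encode(SAMPLE_JSON.encode("utf-8")).decode("ascii")


def parse_config(text: str) -> dict:
    """Return the configuration as a dict from either storage form.

    JSON text is recognised by its leading '{'; anything else must be
    strict base64 (validate=True rejects stray characters) that decodes
    to JSON. Any other input raises ValueError rather than being guessed at.
    """
    stripped = text.strip()
    if stripped.startswith("{"):
        data = json.loads(stripped)
    else:
        try:
            raw = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("configuration is neither JSON nor base64") from exc
        data = json.loads(raw.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("configuration must be a JSON object")
    return data


def validate_config(cfg: dict) -> dict:
    """Reject a configuration that lacks any field the client depends on."""
    missing = [key for key in REQUIRED_KEYS if key not in cfg]
    if missing:
        raise ValueError("configuration is missing fields: " + ", ".join(missing))
    return cfg


def redacted(cfg: dict) -> dict:
    """Copy of the configuration with key material replaced, safe to log."""
    return {k: ("<redacted>" if k in SENSITIVE_KEYS else v) for k, v in cfg.items()}


def load_config(text: str) -> dict:
    """Parse, validate and return a configuration from either form."""
    return validate_config(parse_config(text))


if __name__ == "__main__":
    cfg = load_config(SAMPLE_ONE_LINE)
    # Only the redacted copy is printed; the raw dict never is.
    print(json.dumps(redacted(cfg), indent=2))
```

The JSON form is detected by its first character rather than by trying base64 first, because `b64decode` without `validate=True` silently discards non-alphabet characters and could turn a damaged file into a different configuration instead of an error.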
