Access Control
Control which agent identities can access specific vault secrets. Access rules are per-secret — you grant an identity access to one secret at a time. An identity without an access rule for a given secret cannot read it.
Grant identity access POST
POST /vault/secrets/{secret_id}/access
Grant an agent identity access to a specific secret.
Path parameters
| Parameter | Type | Description |
|---|---|---|
| secret_id | UUID | Secret ID |
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| identity_id | UUID | Yes | ID of the agent identity to grant access to |
Request example
JSON
Response (201)
JSON
Error responses
| Status | Description |
|---|---|
| 403 | Organization ID missing from token |
| 404 | Secret or identity not found |
| 409 | Identity already has access to this secret |
Code examples
GET /vault/secrets/{secret_id}/access
List all identity access rules for a secret.
Path parameters
| Parameter | Type | Description |
|---|---|---|
| secret_id | UUID | Secret ID |
Response (200)
JSON
Code examples
Revoke identity access DELETE
DELETE /vault/secrets/{secret_id}/access/{identity_id}
Revoke an identity's access to a secret. Returns 204 No Content on success.
Path parameters
| Parameter | Type | Description |
|---|---|---|
| secret_id | UUID | Secret ID |
| identity_id | UUID | Identity ID to revoke access from |
Code examples
| Field | Type | Description |
|---|---|---|
| id | UUID | Unique access rule identifier |
| vault_secret_id | UUID | The secret this rule grants access to |
| identity_id | UUID | The agent identity that has access |
| created_at | string | Creation timestamp (ISO 8601) |
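
Because rules are per-secret and an identity without a rule cannot read the secret, a common least-privilege task is to make a secret's rule set match an approved list exactly. The sketch below is an added example, not code from this API's documentation: it combines the list, revoke and grant endpoints above. The host in BASE_URL, the Bearer authorization header, and the assumption that the list endpoint returns a JSON array of access rule objects are not stated on this page.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://vault.example.invalid"  # placeholder: the page names no host

def http_call(method, path, body=None, token=""):
    """Send one request and return (status, parsed JSON or None).
    Bearer-token auth is an assumption; the page only mentions a token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        BASE_URL + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None

def reconcile_access(secret_id, desired_ids, call=http_call):
    """Make the secret's access rules match desired_ids exactly."""
    base = f"/vault/secrets/{secret_id}/access"
    status, rules = call("GET", base)
    if status != 200:
        raise RuntimeError(f"list failed: HTTP {status}")
    # Assumption: the 200 body is a JSON array of access rule objects.
    current = {rule["identity_id"] for rule in rules}
    desired = set(desired_ids)
    result = {"granted": [], "revoked": [], "unchanged": sorted(current & desired)}
    # Revoke first so excess access is removed even if a later grant fails.
    for identity_id in sorted(current - desired):
        status, _ = call("DELETE", f"{base}/{identity_id}")
        if status != 204:
            raise RuntimeError(f"revoke {identity_id} failed: HTTP {status}")
        result["revoked"].append(identity_id)
    for identity_id in sorted(desired - current):
        status, _ = call("POST", base, {"identity_id": identity_id})
        if status == 201:
            result["granted"].append(identity_id)
        elif status == 409:  # already granted, e.g. by a concurrent run
            result["unchanged"].append(identity_id)
        else:  # 403 (no organization ID in token) or 404 (unknown secret/identity)
            raise RuntimeError(f"grant {identity_id} failed: HTTP {status}")
    result["unchanged"].sort()
    return result
```

For real use, pass `functools.partial(http_call, token=...)` as `call`; the returned dictionary is suitable for writing to an audit log of access changes.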