Payload Schemas
The encrypted_payload field in a vault secret contains a client-side encrypted JSON object. The plaintext structure depends on the secret_type. This page documents the schema for each type.
All encryption and decryption happens client-side using your vault key — the server only ever sees ciphertext.
API key
Stores API keys and tokens.
| Field | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key or token |
| endpoint | string | No | API endpoint URL |
| notes | string | No | Freeform notes |
Key pair
Stores AWS-style access key / secret key pairs.
| Field | Type | Required | Description |
|---|---|---|---|
| access_key | string | Yes | Access key ID |
| secret_key | string | Yes | Secret access key |
| endpoint | string | No | Service endpoint URL |
| notes | string | No | Freeform notes |
Login
Stores website or service credentials with optional two-factor authentication.
| Field | Type | Required | Description |
|---|---|---|---|
| password | string | Yes | Password |
| username | string | No | Username |
| email | string | No | Email address |
| url | string | No | Login URL |
| notes | string | No | Freeform notes |
| totp | object | No | TOTP configuration for two-factor authentication (see below) |
TOTP configuration
When a login secret includes a totp field, the SDK can generate time-based one-time passwords (RFC 6238) client-side. The TOTP secret is encrypted alongside the rest of the login payload — the server never sees it.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| secret | string | Yes | — | Base32-encoded shared secret |
| algorithm | string | No | sha1 | Hash algorithm: sha1, sha256, or sha512 |
| digits | number | No | 6 | Code length: 6 or 8 |
| period | number | No | 30 | Time step in seconds: 30 or 60 |
| issuer | string | No | — | Issuer name (e.g. "GitHub") |
| account_name | string | No | — | Account identifier (e.g. "user@example.com") |
The TOTP config follows the Google Authenticator Key URI format. You can parse an otpauth://totp/... URI directly using the SDK's parse_totp_uri / parseTotpUri helper.
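
The following is an added example, not the SDK's own code: it validates a totp object against the table above, maps an otpauth://totp/ URI onto those fields, and computes the RFC 6238 code. The function names (normalize_totp, config_from_otpauth_uri, totp_code) and the sample URI are assumptions made for illustration; the sample secret is the RFC 6238 test key.

```python
import base64, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse

# Allowed values and defaults, copied from the TOTP configuration table.
ALLOWED = {"algorithm": ("sha1", "sha256", "sha512"), "digits": (6, 8), "period": (30, 60)}
DEFAULTS = {"algorithm": "sha1", "digits": 6, "period": 30}

# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_URI = ("otpauth://totp/GitHub:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub&algorithm=SHA1")

def normalize_totp(config):
    """Apply the schema defaults and reject values outside the documented sets."""
    if not config.get("secret"):
        raise ValueError("totp.secret is required")
    out = {**DEFAULTS, **config}
    out["algorithm"] = str(out["algorithm"]).lower()
    for field, allowed in ALLOWED.items():
        if out[field] not in allowed:
            raise ValueError(f"totp.{field} must be one of {allowed}")
    return out

def config_from_otpauth_uri(uri):
    """Hypothetical helper (not the SDK's): map an otpauth://totp/ URI to a totp object."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    issuer, _, account = unquote(parts.path.lstrip("/")).rpartition(":")
    config = {"secret": query.get("secret", ""), "account_name": account.strip()}
    if query.get("issuer") or issuer:
        config["issuer"] = query.get("issuer") or issuer
    if "algorithm" in query:
        config["algorithm"] = query["algorithm"]
    for field in ("digits", "period"):
        if field in query:
            config[field] = int(query[field])
    return normalize_totp(config)

def totp_code(config, now=None):
    """RFC 6238 code for a totp object at Unix time `now` (default: current time)."""
    c = normalize_totp(config)
    digits, period = int(c["digits"]), int(c["period"])  # JSON numbers may arrive as floats
    secret = c["secret"].replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = int(time.time() if now is None else now) // period
    mac = hmac.new(key, struct.pack(">Q", counter), c["algorithm"]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)
```

Rejecting out-of-range algorithm, digits, or period values before generating a code keeps a malformed or tampered payload from silently producing codes the service will never accept.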
SSH key
Stores SSH key pairs and metadata.
| Field | Type | Required | Description |
|---|---|---|---|
| private_key | string | Yes | Private key (PEM format) |
| public_key | string | No | Public key |
| fingerprint | string | No | Key fingerprint |
| passphrase | string | No | Private key passphrase |
| notes | string | No | Freeform notes |
Other
Freeform data for secrets that don't fit other types.
| Field | Type | Required | Description |
|---|---|---|---|
| data | string | Yes | Freeform data |
| notes | string | No | Freeform notes |