Vault Secrets
A vault secret is an encrypted credential stored in your organization's vault. The server only stores ciphertext — all encryption and decryption happens client-side using your vault key.
Each secret has a secret_type that determines its payload structure: login, api_key, key_pair, ssh_key, or other.
Create secret POST
POST /vault/secrets
Store a new encrypted secret. The encrypted_payload field contains the client-side encrypted credential data.
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Human-readable name for this secret. 1–255 chars. |
| description | string | No | Optional description |
| secret_type | string | Yes | One of: login, api_key, key_pair, ssh_key, other |
| encrypted_payload | string | Yes | Client-side encrypted payload (base64) |
Response (201)
Error responses
| Status | Description |
|---|---|
| 403 | Organization ID missing from token |
| 422 | Missing or invalid fields |
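An added example (not from this API's documentation or SDK) of building the create-request body with client-side encryption. The cipher (AES-256-GCM), the envelope layout, the JSON credential fields and every function name are assumptions, since the page does not specify the payload format.

```javascript
// Added example: cipher, envelope layout and all names are assumptions, not the service's format.
const nodeCrypto = require("node:crypto");

const SECRET_TYPES = ["login", "api_key", "key_pair", "ssh_key", "other"]; // as documented

// Encrypt a credential object with AES-256-GCM (assumed cipher).
// Assumed envelope: base64( 12-byte IV || 16-byte auth tag || ciphertext ).
function encryptPayload(vaultKey, credential) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per encryption, never reused with a key
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", vaultKey, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(credential), "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Reverse of encryptPayload; throws if the IV, tag or ciphertext was modified.
function decryptPayload(vaultKey, encryptedPayload) {
  const raw = Buffer.from(encryptedPayload, "base64");
  if (raw.length < 28) throw new Error("payload too short");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", vaultKey, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// Build the JSON body for POST /vault/secrets, enforcing the documented field rules
// before anything is sent; only encrypted_payload carries credential data.
function buildCreateBody(vaultKey, { name, description, secretType, credential }) {
  if (typeof name !== "string" || name.length < 1 || name.length > 255)
    throw new Error("name must be 1-255 chars");
  if (!SECRET_TYPES.includes(secretType)) throw new Error("invalid secret_type");
  const body = { name, secret_type: secretType };
  if (description !== undefined) body.description = description;
  body.encrypted_payload = encryptPayload(vaultKey, credential);
  return body;
}

// Constructed sample data: a random key stands in for the real vault key.
const demoKey = nodeCrypto.randomBytes(32);
const demoBody = buildCreateBody(demoKey, {
  name: "staging db",
  secretType: "login",
  credential: { username: "svc-app", password: "example-only" },
});
console.log(JSON.stringify(demoBody, null, 2));
```

The name and description fields are sent as given, so credential material belongs only in the encrypted payload.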
List secrets GET
GET /vault/secrets
List all secrets (metadata only — no encrypted payloads). Optionally filter by secret type.
Query parameters
| Parameter | Type | Description |
|---|---|---|
| secret_type | string | Filter by type: login, api_key, key_pair, ssh_key, other |
Response (200)
Get secret GET
GET /vault/secrets/{secret_id}
Get a single secret including its encrypted_payload. Use this to fetch the ciphertext for client-side decryption.
Path parameters
| Parameter | Type | Description |
|---|---|---|
| secret_id | UUID | Secret ID |
Response (200)
Update secret PATCH
PATCH /vault/secrets/{secret_id}
Update a secret's name, description, or encrypted payload. Only supplied fields are modified.
Path parameters
| Parameter | Type | Description |
|---|---|---|
| secret_id | UUID | Secret ID |
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | No | Updated name. 1–255 chars. |
| description | string | No | Updated description |
| encrypted_payload | string | No | Updated client-side encrypted payload (base64) |
Response (200)
Returns the updated secret object (without encrypted_payload).
Delete secret DELETE
DELETE /vault/secrets/{secret_id}
Delete a secret. Returns 204 No Content on success.
Path parameters
| Parameter | Type | Description |
|---|---|---|
| secret_id | UUID | Secret ID |
Secret object
| Field | Type | Description |
|---|---|---|
| id | UUID | Unique secret identifier |
| name | string | Human-readable name |
| description | string \| null | Optional description |
| secret_type | string | Type: login, api_key, key_pair, ssh_key, other |
| status | string | Lifecycle status: active, deleted |
| created_at | string | Creation timestamp (ISO 8601) |
| updated_at | string | Last update timestamp (ISO 8601) |
Secret detail object
Extends the secret object with the encrypted payload. Returned by the get endpoint.
| Field | Type | Description |
|---|---|---|
| ...all secret fields | | |
| encrypted_payload | string | Client-side encrypted payload (base64) |