Vault
The vault is a zero-knowledge encrypted credential store for your organization. Store API keys, login credentials, SSH keys, and other secrets; Inkbox never sees the plaintext. All encryption and decryption happen client-side in the SDK or console using your vault key.
How it works
Every secret stored in the vault is encrypted with your organization's encryption key before it leaves the SDK. The server only ever sees ciphertext. To read secrets, you unlock the vault with your vault key, and the SDK or console decrypts everything locally.
Two keys are involved:
| Key | Purpose |
|---|---|
| INKBOX_API_KEY | Authenticates API requests (sent to server) |
| INKBOX_VAULT_KEY | Unlocks the vault for client-side decryption (never sent to server) |
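The client-side model described above, as an added sketch that is not Inkbox SDK code. It assumes a scrypt-derived AES-256-GCM key, since this page does not name the actual algorithms; the function names, sample vault key and payload are constructed for illustration.

```javascript
// Added illustration: NOT the Inkbox SDK and not its actual cipher or KDF.
// Assumed scheme: scrypt(vault key, salt) -> AES-256-GCM key; type and name bound as AAD.
const nodeCrypto = require("node:crypto");

// Client side: derive a 32-byte key from the vault key. The salt is not secret.
function deriveKey(vaultKey, salt) {
  return nodeCrypto.scryptSync(vaultKey, salt, 32);
}

// Client side: encrypt a typed payload. Only the returned record would be uploaded.
function sealSecret(vaultKey, name, type, payload) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(vaultKey, salt), iv);
  cipher.setAAD(Buffer.from(`${type}:${name}`)); // ties ciphertext to its metadata
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
  return {
    name, type,
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ct.toString("base64"),
  };
}

// Client side: decrypt a record fetched from the server. Throws on a wrong
// vault key or on any change to the ciphertext, name or type.
function openSecret(vaultKey, record) {
  const key = deriveKey(vaultKey, Buffer.from(record.salt, "base64"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "base64"));
  decipher.setAAD(Buffer.from(`${record.type}:${record.name}`));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  const pt = Buffer.concat([decipher.update(Buffer.from(record.ciphertext, "base64")), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// Constructed sample values, for demonstration only.
const VAULT_KEY = "constructed-vault-key-for-demo";
const stored = sealSecret(VAULT_KEY, "ci-deploy", "api_key",
  { api_key: "sk_demo_0000", endpoint: "https://api.example.test", notes: "constructed" });
```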
Secret types
Each secret has a type that determines its payload structure:
| Type | Fields | Use case |
|---|---|---|
| login | password, username, email, url, notes | Website or service logins |
| api_key | api_key, endpoint, notes | API keys and tokens |
| key_pair | access_key, secret_key, endpoint, notes | AWS-style key pairs |
| ssh_key | private_key, public_key, fingerprint, passphrase, notes | SSH keys |
| other | data, notes | Freeform secrets |
Unlocking the vault
Before you can read or write secrets, unlock the vault with your vault key. The SDK validates the key, fetches all encrypted secrets, and decrypts them locally.
Creating secrets
Once unlocked, create secrets by specifying a name and a typed payload. The SDK encrypts the payload before sending it to the server.
Reading secrets
Access all decrypted secrets via the secrets property, or fetch a specific one by ID.
Updating and deleting secrets
Update a secret's name, description, or payload. Delete secrets when they're no longer needed.
Identity access control
Grant specific agent identities access to individual secrets. This lets you control which agents can use which credentials.
Vault metadata
Check the vault's status and counts without unlocking it.