Cookbook

Short, copy-pasteable recipes for things you'll do often. Each entry has a one-line scenario and the code that does it. For deeper explanations, follow the cross-links.

Reading#

Read one secret and use a single field#

python
from scaivault_sdk import SyncScaiVaultClient
client = SyncScaiVaultClient(...)
db = client.secrets.read("environments/production/billing/database")
conn_str = db.data["url"]

Read many secrets at startup#

python
batch = client.secrets.batch_read([
    "environments/production/billing/database",
    "environments/production/billing/stripe",
    "environments/production/billing/sendgrid",
])
for path, secret in batch.secrets.items():
    apply_config(path, secret)

See Batch Operations.

Read with retry on transient failure#

python
import time
from scaivault_sdk.errors import RateLimitError, ServiceUnavailableError

for attempt in range(5):
    try:
        secret = client.secrets.read(path)
        break
    except RateLimitError as e:
        time.sleep(e.retry_after)
    except ServiceUnavailableError:
        time.sleep(2 ** attempt)
else:
    raise RuntimeError("max retries exceeded")

Read a specific version#

bash
curl -H "Authorization: Bearer $TOKEN" \
     "https://scaivault.scailabs.ai/v1/secrets/app/db/password?version=2"

Check whether a secret exists without reading it#

python
try:
    client.secrets.read_metadata(path)
    exists = True
except NotFoundError:
    exists = False

read_metadata returns version count, tags, rotation status — but not the value, and only requires secrets:list not secrets:read.

Writing#

Idempotent write of initial value#

python
try:
    client.secrets.read_metadata(path)
    # exists; do nothing
except NotFoundError:
    client.secrets.write(path, data={"key": initial_value}, secret_type="api_key")

Update one field without overwriting others#

ScaiVault doesn't have field-level update. Read, mutate, write:

python
secret = client.secrets.read("app/config")
new_data = {**secret.data, "feature_flag_x": True}
client.secrets.write("app/config", data=new_data, secret_type=secret.secret_type)

Write a JSON blob from a file#

bash
scaivault secrets write app/config \
  --type json \
  --json-file ./config.json

Write with expiration#

python
client.secrets.write(
    path="test/oauth-token",
    data={"token": value},
    options={"expires_in": "1h"},
)

Rotation#

Force rotation now#

bash
curl -X POST https://scaivault.scailabs.ai/v1/secrets/$PATH/rotate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"reason": "compromise"}'

List secrets due for rotation in the next week#

bash
curl -H "Authorization: Bearer $TOKEN" \
     "https://scaivault.scailabs.ai/v1/rotation/due?within_hours=168" \
  | jq -r '.secrets[] | "\(.path) \(.next_rotation_at)"'

Find secrets that missed their rotation window#

bash
curl -H "Authorization: Bearer $TOKEN" \
     "https://scaivault.scailabs.ai/v1/rotation/due?include_overdue=true" \
  | jq -r '.secrets[] | select(.is_overdue) | .path'

bash
curl -X POST https://scaivault.scailabs.ai/v1/webhooks \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "prod-rotations",
    "url": "https://ops.acme.example/scaivault/rotations",
    "secret": "whsec_...",
    "events": ["rotation.due", "rotation.overdue", "rotation.failed"],
    "filters": {"path_prefix": "environments/production/"}
  }'

Policies and access#

Grant a service account read access to one path#

bash
curl -X POST https://scaivault.scailabs.ai/v1/policies \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "sa-billing-stripe-read",
    "rules": [{"path_pattern": "environments/production/billing/stripe", "permissions": ["read"]}]
  }'

curl -X POST https://scaivault.scailabs.ai/v1/policies/pol_abc/bindings \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"identity_type": "service_account", "identity_id": "sa:billing-prod"}'

Test whether an identity can read a path#

bash
curl -X POST https://scaivault.scailabs.ai/v1/policies/test \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "identity_id": "sa:billing-prod",
    "path": "environments/production/billing/stripe",
    "permission": "read"
  }' | jq '.allowed'

List who has access to a path#

ScaiVault doesn't have a direct "who can read X" endpoint, but you can list all policies and filter:

bash
curl -H "Authorization: Bearer $TOKEN" https://scaivault.scailabs.ai/v1/policies \
  | jq -r '.policies[] | select(.rules[].path_pattern as $p | "environments/production/billing/stripe" | test($p)) | .id'

(Glob-pattern matching in jq is rough; for production use the SDK's policies.list_for_path().)

PKI#

Issue a 7-day mTLS cert#

bash
curl -X POST https://scaivault.scailabs.ai/v1/pki/issue/svc-mtls \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"common_name": "billing.svc.cluster.local", "ttl": "168h"}'

Renew a cert ahead of schedule#

bash
curl -X POST https://scaivault.scailabs.ai/v1/pki/certificates/cert_abc/renew \
  -H "Authorization: Bearer $TOKEN"

Validate a cert chain a client gave you#

bash
curl -X POST https://scaivault.scailabs.ai/v1/pki/certificates/validate \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"certificate_pem\": \"$(cat client.crt | sed -z 's/\\n/\\\\n/g')\",
    \"chain_pem\":      \"$(cat client-chain.crt | sed -z 's/\\n/\\\\n/g')\",
    \"check_revocation\": true
  }"

List certs expiring in 30 days#

bash
curl -H "Authorization: Bearer $TOKEN" \
     "https://scaivault.scailabs.ai/v1/pki/certificates?expiring_within=30d" \
  | jq -r '.data[] | "\(.common_name) \(.valid_until)"'

Revoke a cert#

bash
curl -X POST https://scaivault.scailabs.ai/v1/pki/revoke \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"serial_number": "1A:2B:...", "reason": "key_compromise"}'

Dynamic credentials#

One-shot Postgres credential for a script#

python
with client.dynamic.credentials("postgres-prod", "readonly", ttl="30m") as creds:
    run_query(creds["connection_url"])
# Lease revoked automatically on exit

AWS IAM credentials for a deploy job#

bash
lease=$(curl -fsS -X POST \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"ttl":"15m"}' \
  "https://scaivault.scailabs.ai/v1/dynamic/engines/aws-prod/creds/deploy")
export AWS_ACCESS_KEY_ID=$(echo "$lease" | jq -r '.data.access_key_id')
export AWS_SECRET_ACCESS_KEY=$(echo "$lease" | jq -r '.data.secret_access_key')

# Do the deploy
terraform apply -auto-approve

# Revoke
curl -X DELETE -H "Authorization: Bearer $TOKEN" \
  "https://scaivault.scailabs.ai/v1/dynamic/leases/$(echo "$lease" | jq -r '.lease_id')"

Emergency revoke all leases from an engine#

bash
curl -X POST https://scaivault.scailabs.ai/v1/dynamic/leases/revoke-prefix \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"prefix": "lease_", "engine": "postgres-prod"}'

Audit#

Who read this secret in the last 24 hours?#

bash
curl -H "Authorization: Bearer $TOKEN" \
     "https://scaivault.scailabs.ai/v1/audit/secrets/environments/production/billing/stripe?from=$(date -u -d '1 day ago' +%Y-%m-%dT%H:%M:%SZ)" \
  | jq -r '.logs[] | "\(.timestamp) \(.identity_id) \(.source_ip)"'

Find every action by an ex-employee#

bash
curl -H "Authorization: Bearer $TOKEN" \
     "https://scaivault.scailabs.ai/v1/audit/identities/user:alice@acme.example?from=2026-01-01"

Then rotate everything in the response's summary.resources_accessed.

Export last month for compliance#

bash
curl -X POST https://scaivault.scailabs.ai/v1/audit/export \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "from": "2026-04-01T00:00:00Z",
    "to":   "2026-04-30T23:59:59Z",
    "format": "jsonl",
    "destination": {"type": "s3", "bucket": "acme-audit", "prefix": "scaivault/2026-04/", "credentials_path": "infra/aws/audit-uploader"}
  }'

Health and observability#

Smoke test the API#

bash

1	`curl -fsS https://scaivault.scailabs.ai/v1/health`

Detailed component health#

bash
curl -H "Authorization: Bearer $TOKEN" \
     https://scaivault.scailabs.ai/v1/health/detailed | jq

Confirm a token works and see its identity#

bash
curl -H "Authorization: Bearer $TOKEN" \
     https://scaivault.scailabs.ai/v1/auth/whoami

Find your own rate-limit headroom#

bash
curl -i -H "Authorization: Bearer $TOKEN" \
     https://scaivault.scailabs.ai/v1/secrets?limit=1 \
  | grep -i ratelimit
# X-RateLimit-Limit: 1000
# X-RateLimit-Remaining: 982
# X-RateLimit-Reset: 1714478460

Federation#

Read from HashiCorp Vault via ScaiVault#

(Assumes federation backend already configured.)

bash
# Native path: kv/data/apps/billing/db in Vault
# Federation path: external/hashicorp/apps/billing/db
curl -H "Authorization: Bearer $TOKEN" \
     https://scaivault.scailabs.ai/v1/secrets/external/hashicorp/apps/billing/db

Trigger an immediate sync#

bash
curl -X POST -H "Authorization: Bearer $TOKEN" \
     https://scaivault.scailabs.ai/v1/federation/backends/fed_abc/sync

Cleanup and migration#

Soft-delete then restore#

bash
curl -X DELETE -H "Authorization: Bearer $TOKEN" \
     https://scaivault.scailabs.ai/v1/secrets/old/path
# ... later ...
curl -X POST -H "Authorization: Bearer $TOKEN" \
     https://scaivault.scailabs.ai/v1/secrets/old/path/restore

Bulk-tag secrets matching a pattern#

python
listing = client.secrets.list(prefix="environments/staging/", limit=200)
for item in listing.data:
    client.secrets.update_metadata(
        path=item.path,
        metadata={"tags": list(set(item.tags + ["needs-rotation"]))},
    )

Find unused secrets (30-day baseline)#

bash
curl -H "Authorization: Bearer $TOKEN" \
     "https://scaivault.scailabs.ai/v1/secrets?include_metadata=true&limit=200" \
  | jq -r '.secrets[] | select(.access_count_30d == 0) | .path'

What's next#

Managing Secrets — full secret API.
Tutorials — longer scenarios that use these recipes.
Reference — every endpoint.