ScaiVault Documentation

ScaiVault is the ScaiLabs secrets and certificate management platform. It stores, versions, rotates, and distributes credentials, issues X.509 certificates from an internal CA or ACME, and generates short-lived dynamic credentials for databases and cloud providers — all behind a single multi-tenant API.

These docs are for developers integrating with the ScaiVault API. Code examples appear in curl, Python, and JavaScript / TypeScript.

Where to start#

• New to ScaiVault? Read What is ScaiVault, then Quickstart.
• Following a scenario end-to-end? Pick a Tutorial.
• Migrating from another secret store? See Migrations.
• Wiring into your stack? See Integrations (Kubernetes, Terraform, GitHub Actions, Docker Compose).
• Issuing certificates? Jump to PKI Certificates or ACME.
• Looking for an endpoint? Go straight to the API Reference.
• Using a client? Pick your interface: Python, JavaScript, .NET, CLI, MCP.
• Quick recipe needed? Check the Cookbook.

Table of contents#

1. Introduction#

1. What is ScaiVault
2. Philosophy
3. Architecture
4. Security and Compliance

2. Getting Started#

1. Quickstart
2. Authentication
3. Your First Integration

3. Core Concepts#

1. Multi-tenancy
2. Secrets
3. Policies and Permissions
4. Rotation
5. PKI
6. Dynamic Secrets
7. Events and Webhooks
8. Errors

4. API Guides#

1. Managing Secrets
2. Batch Operations
3. Policies
4. Rotation Policies
5. PKI Certificates
6. ACME (Let's Encrypt)
7. Dynamic Secrets
8. Audit Logs
9. Cookbook

5. Clients#

1. Python SDK
2. JavaScript SDK
3. .NET SDK
4. CLI
5. MCP Server

6. API Reference#

1. Authentication
2. Secrets
3. Policies
4. Rotation
5. PKI
6. Dynamic Secrets
7. Audit Logs
8. Webhooks
9. Subscriptions
10. Federation
11. Identity
12. System
13. Error Codes
14. Secret Policies
15. DNS Providers
16. Webhook Events

7. Advanced#

1. Federation Deep Dive
2. Rate Limiting
3. Webhook Signatures

8. Operations#

1. Deployment
2. Health and Monitoring
3. Troubleshooting

9. Tutorials#

1. Rotate an OAuth Credential End-to-End
2. Build an mTLS Service Mesh
3. Dynamic Postgres Credentials in Production
4. Migrate from .env Files
5. Issue an ACME Wildcard Certificate

10. Migrations#

1. From HashiCorp Vault
2. From AWS Secrets Manager
3. From .env Files

11. Integrations#

1. Kubernetes
2. Terraform
3. GitHub Actions
4. Docker Compose

Changelog#

• Changelog

Conventions used in these docs#

Base URL. All examples assume https://scaivault.scailabs.ai as the base. Replace with your own ScaiVault instance URL when self-hosting.

Authentication. Every request (except /health and /health/ready) requires a ScaiKey-issued bearer token. See Authentication.

API path prefix. The ScaiVault API lives under /v1/. Future breaking changes will introduce new versions (/v2/) without breaking /v1/.

Secret paths. Secrets are identified by a /-separated path, e.g. environments/production/salesforce/api-credentials. Paths are tenant-scoped unless prefixed with /partner/ or /t/{tenant_id}/.

Tenant context. Tenant is determined from the token's tenant_id claim. Partner admins can act on other tenants via the /t/{tenant_id}/ prefix. See Multi-tenancy.

Pagination. List endpoints use cursor-based pagination. Pass cursor from a previous response to get the next page. has_more: false means you've reached the end.

Timestamps. All timestamps are ISO 8601 in UTC (2026-04-23T14:30:00.123456Z).