---
title: ScaiVault Documentation
path: overview
status: published
---

# ScaiVault Documentation

ScaiVault is the ScaiLabs secrets and certificate management platform. It stores, versions, rotates, and distributes credentials, issues X.509 certificates from an internal CA or ACME, and generates short-lived dynamic credentials for databases and cloud providers — all behind a single multi-tenant API.

These docs are for developers integrating with the ScaiVault API. Code examples appear in **curl**, **Python**, and **JavaScript / TypeScript**.

## Where to start

- **New to ScaiVault?** Read [What is ScaiVault](./introduction/what-is-scaivault), then [Quickstart](./getting-started/quickstart).
- **Following a scenario end-to-end?** Pick a [Tutorial](./tutorials/).
- **Migrating from another secret store?** See [Migrations](./migrations/).
- **Wiring into your stack?** See [Integrations](./integrations/) (Kubernetes, Terraform, GitHub Actions, Docker Compose).
- **Issuing certificates?** Jump to [PKI Certificates](./api-guides/pki-certificates) or [ACME](./api-guides/acme).
- **Looking for an endpoint?** Go straight to the [API Reference](./reference/).
- **Using a client?** Pick your interface: [Python](./sdks/python), [JavaScript](./sdks/javascript), [.NET](./sdks/dotnet), [CLI](./sdks/cli), [MCP](./sdks/mcp).
- **Quick recipe needed?** Check the [Cookbook](./api-guides/cookbook).

## Table of contents

### 1. Introduction
1. [What is ScaiVault](./introduction/what-is-scaivault)
2. [Philosophy](./introduction/philosophy)
3. [Architecture](./introduction/architecture)
4. [Security and Compliance](./introduction/security-and-compliance)

### 2. Getting Started
1. [Quickstart](./getting-started/quickstart)
2. [Authentication](./getting-started/authentication)
3. [Your First Integration](./getting-started/your-first-integration)

### 3. Core Concepts
1. [Multi-tenancy](./core-concepts/multi-tenancy)
2. [Secrets](./core-concepts/secrets)
3. [Policies and Permissions](./core-concepts/policies-and-permissions)
4. [Rotation](./core-concepts/rotation)
5. [PKI](./core-concepts/pki)
6. [Dynamic Secrets](./core-concepts/dynamic-secrets)
7. [Events and Webhooks](./core-concepts/events-and-webhooks)
8. [Errors](./core-concepts/errors)

### 4. API Guides
1. [Managing Secrets](./api-guides/secrets)
2. [Batch Operations](./api-guides/batch-operations)
3. [Policies](./api-guides/policies)
4. [Rotation Policies](./api-guides/rotation)
5. [PKI Certificates](./api-guides/pki-certificates)
6. [ACME (Let's Encrypt)](./api-guides/acme)
7. [Dynamic Secrets](./api-guides/dynamic-secrets)
8. [Audit Logs](./api-guides/audit-logs)
9. [Cookbook](./api-guides/cookbook)

### 5. Clients
1. [Python SDK](./sdks/python)
2. [JavaScript SDK](./sdks/javascript)
3. [.NET SDK](./sdks/dotnet)
4. [CLI](./sdks/cli)
5. [MCP Server](./sdks/mcp)

### 6. API Reference
1. [Authentication](./reference/authentication)
2. [Secrets](./reference/secrets)
3. [Policies](./reference/policies)
4. [Rotation](./reference/rotation)
5. [PKI](./reference/pki)
6. [Dynamic Secrets](./reference/dynamic)
7. [Audit Logs](./reference/audit)
8. [Webhooks](./reference/webhooks)
9. [Subscriptions](./reference/subscriptions)
10. [Federation](./reference/federation)
11. [Identity](./reference/identity)
12. [System](./reference/system)
13. [Error Codes](./reference/error-codes)
14. [Secret Policies](./reference/secret-policies)
15. [DNS Providers](./reference/dns-providers)
16. [Webhook Events](./reference/webhook-events)

### 7. Advanced
1. [Federation Deep Dive](./advanced/federation)
2. [Rate Limiting](./advanced/rate-limiting)
3. [Webhook Signatures](./advanced/webhook-signatures)

### 8. Operations
1. [Deployment](./operations/deployment)
2. [Health and Monitoring](./operations/health-and-monitoring)
3. [Troubleshooting](./operations/troubleshooting)

### 9. Tutorials
1. [Rotate an OAuth Credential End-to-End](./tutorials/rotate-oauth-credentials)
2. [Build an mTLS Service Mesh](./tutorials/mtls-service-mesh)
3. [Dynamic Postgres Credentials in Production](./tutorials/dynamic-postgres-credentials)
4. [Migrate from .env Files](./tutorials/migrate-from-env-files)
5. [Issue an ACME Wildcard Certificate](./tutorials/acme-wildcard-cert)

### 10. Migrations
1. [From HashiCorp Vault](./migrations/from-hashicorp-vault)
2. [From AWS Secrets Manager](./migrations/from-aws-secrets-manager)
3. [From .env Files](./migrations/from-env-files)

### 11. Integrations
1. [Kubernetes](./integrations/kubernetes)
2. [Terraform](./integrations/terraform)
3. [GitHub Actions](./integrations/github-actions)
4. [Docker Compose](./integrations/docker-compose)

### Changelog
- [Changelog](./changelog)

## Conventions used in these docs

**Base URL.** All examples assume `https://scaivault.scailabs.ai` as the base. Replace with your own ScaiVault instance URL when self-hosting.

**Authentication.** Every request (except `/health` and `/health/ready`) requires a ScaiKey-issued bearer token. See [Authentication](./getting-started/authentication).

**API path prefix.** The ScaiVault API lives under `/v1/`. Future breaking changes will introduce new versions (`/v2/`) without breaking `/v1/`.

**Secret paths.** Secrets are identified by a `/`-separated path, e.g. `environments/production/salesforce/api-credentials`. Paths are tenant-scoped unless prefixed with `/partner/` or `/t/{tenant_id}/`.

**Tenant context.** Tenant is determined from the token's `tenant_id` claim. Partner admins can act on other tenants via the `/t/{tenant_id}/` prefix. See [Multi-tenancy](./core-concepts/multi-tenancy).

**Pagination.** List endpoints use cursor-based pagination. Pass `cursor` from a previous response to get the next page. `has_more: false` means you've reached the end.

**Timestamps.** All timestamps are ISO 8601 in UTC (`2026-04-23T14:30:00.123456Z`).