Secrets
Endpoint reference for secrets. For the guide, see Managing Secrets. For the model, see Secrets.
Base path: /v1/secrets/
Partner-scoped variants: /v1/partner/secrets/*. Explicit-tenant: /v1/t/{tenant_id}/secrets/*. Same request/response shapes.
GET /v1/secrets/{path}#
Read current or specific version.
Query:
| Name | Type | Description |
|---|---|---|
version |
integer | Specific version (default: current) |
Response 200 OK:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | |
Errors: 404 secret_not_found, 404 version_not_found, 410 secret_expired, 403 access_denied.
Scope: secrets:read.
PUT /v1/secrets/{path}#
Create or update (new version).
Body:
| Field | Type | Required |
|---|---|---|
data |
object | Yes |
secret_type |
string | No |
metadata.description |
string | No |
metadata.tags |
array | No |
metadata.owner |
string | No |
options.max_versions |
integer 1–100 | No |
options.expires_in |
duration | No |
options.expires_at |
ISO 8601 | No |
options.rotation_policy_id |
string | No |
options.secret_policy_id |
string | No |
Response 201 Created (new) or 200 OK (update). Returns metadata only; no echo of the plaintext.
Scope: secrets:write.
PATCH /v1/secrets/{path}#
Update metadata without creating a new version.
Body: metadata and/or options fields.
Scope: secrets:write.
DELETE /v1/secrets/{path}#
Soft delete by default, hard delete with ?permanent=true, version-specific with ?version=N.
Query:
| Name | Type | Description |
|---|---|---|
permanent |
boolean | Hard delete (requires admin) |
version |
integer | Delete this version only |
Response 200 OK includes deleted_at and recoverable_until (soft-delete only).
Scope: secrets:delete.
POST /v1/secrets/{path}/restore#
Restore a soft-deleted secret. Must be within the retention window.
Scope: secrets:write + secrets:delete.
GET /v1/secrets#
List with filters.
Query:
| Name | Type | Description |
|---|---|---|
prefix |
string | Path prefix |
tag |
string (repeatable) | Tag filter |
secret_type |
string | Type filter |
expires_before |
ISO 8601 | Expiring filter |
updated_after |
ISO 8601 | Updated filter |
include_expired |
boolean | Default false |
include_metadata |
boolean | Full metadata |
limit |
integer 1–200 | Default 50 |
cursor |
string | Pagination |
Response 200 OK:
1 2 3 4 5 6 | |
Scope: secrets:list.
GET /v1/secrets/metadata/{path}#
Metadata only (no value). Access counts, last-accessed, rotation status.
Scope: secrets:list.
GET /v1/secrets/{path}/versions#
List all versions.
Query: limit, cursor, include_deleted.
Response 200 OK:
1 2 3 4 5 6 7 8 | |
Scope: secrets:read.
GET /v1/secrets/{path}/versions/{version}#
Read a specific version explicitly.
Scope: secrets:read.
POST /v1/secrets/{path}/rotate#
Trigger immediate rotation.
Body:
| Field | Description |
|---|---|
reason |
Audit reason |
new_value |
Required if the secret has no auto_generate: true rotation policy |
grace_period |
Override default |
notify |
Trigger webhooks (default true) |
Scope: secrets:rotate.
GET /v1/secrets/expiring#
Secrets expiring within a window.
Query:
| Name | Type | Description |
|---|---|---|
days |
integer | Default 30 |
prefix |
string | Path prefix |
Response:
1 2 3 4 5 | |
Scope: secrets:list.
POST /v1/secrets/batch#
Batch read. Up to 100 paths per request. See Batch Operations.
POST /v1/secrets/batch/metadata#
Batch metadata read. Supports wildcard expansion.