Secrets API
All endpoints require a bearer token in the Authorization header. The server listens on https://localhost:13100 by default.
-H "Authorization: Bearer <token>"Store a Secret
PUT /v1/secrets/:path
Store or update an encrypted secret.
Request:
{ "value": "xoxp-1234567890-abcdef", "type": "oauth-token", "description": "Indigo Slack user token"}| Field | Required | Description |
|---|---|---|
value | Yes | The secret value |
type | No | Metadata: oauth-token, api-key, password, certificate, other |
description | No | Human-readable description |
Response (200):
{ "ok": true, "path": "slack/indigo/user-token", "bytes": 42, "metadata": { "type": "oauth-token", "description": "Indigo Slack user token" }}Errors: 400 invalid input, 403 vault locked.
Retrieve a Secret
GET /v1/secrets/:path
Retrieve and decrypt a secret by path.
Response (200):
{ "path": "slack/indigo/user-token", "value": "xoxp-1234567890-abcdef", "metadata": { "type": "oauth-token", "description": "Indigo Slack user token" }, "createdAt": "2026-02-28T14:20:15.000Z", "updatedAt": "2026-02-28T14:20:15.000Z"}Errors: 404 not found, 403 vault locked.
List Secrets
GET /v1/secrets?prefix=<prefix>
List secrets matching a path prefix. Returns metadata only — values are never included.
Response (200):
{ "entries": [ { "path": "slack/indigo/user-token", "metadata": { "type": "oauth-token", "description": "Indigo Slack user token" }, "createdAt": "2026-02-28T14:20:15.000Z", "updatedAt": "2026-02-28T14:20:15.000Z" }, { "path": "slack/indigo/bot-token", "metadata": { "type": "oauth-token" }, "createdAt": "2026-02-28T12:00:00.000Z", "updatedAt": "2026-02-28T12:00:00.000Z" } ]}Delete a Secret
DELETE /v1/secrets/:path
Delete a secret permanently.
Response (200):
{ "ok": true, "path": "slack/indigo/user-token", "message": "Secret deleted"}Errors: 404 not found, 403 vault locked.