API Certificates

Learn how to access certificates via vault-scoped access and public resource tokens.

Certificates

Certificates can be accessed either:

  • Through a vault (requires a Vault Access Key), or
  • Directly as a public resource (requires a resource-specific public token)

Certificates are immutable and not versioned.

Authentication

Vault access (standard)

Authorization: Bearer VAULT_ACCESS_KEY
Accept: application/json

Public certificate access (resource token)

Authorization: Bearer RESOURCE_PUBLIC_TOKEN

Public tokens only apply to certificates marked Public during creation or upload.

List Certificates in a Vault

Use include=certificates:

GET /api/v1/vaults/{vault_id}?include=certificates

Example:

curl --request GET \
  --url "https://secryn.example.com/api/v1/vaults/{vault_id}?include=certificates" \
  --header "Accept: application/json" \
  --header "Authorization: Bearer VAULT_ACCESS_KEY"

Returned fields

id, name, type, expires_at, tags

Expired certificates in list

If a certificate is expired, it may be returned as:

{ "id": "<cert-id>", "message": "Resource expired" }

Fetch a Certificate from a Vault by ID

Use the vault endpoint with resource=:

GET /api/v1/vaults/{vault_id}?resource={certificate_id}

Example:

curl --request GET \
  --url "https://secryn.example.com/api/v1/vaults/{vault_id}?resource={certificate_id}" \
  --header "Authorization: Bearer VAULT_ACCESS_KEY"

Response type

When fetching a certificate by resource ID, Secryn returns the certificate file contents (PEM) with:

  • Content-Type: application/x-pem-file
  • Cache headers disabled (no-store, no-cache)

Status codes

  • 410 Gone -> certificate expired
  • 404 Not Found -> certificate not found in that vault

Fetch a Public Certificate Directly

If a certificate was created/uploaded with Public visibility, it can be accessed directly using the public token:

GET /api/v1/certificates/{certificate_id}

Authorization: Bearer RESOURCE_PUBLIC_TOKEN

Example:

curl --request GET \
  --url "https://secryn.example.com/api/v1/certificates/{certificate_id}" \
  --header "Authorization: Bearer RESOURCE_PUBLIC_TOKEN"

Public access behavior:

  • No vault access key required
  • Token is valid only for that certificate
  • Response is PEM (application/x-pem-file)
  • Access is logged

Notes

  • Certificates cannot be edited and have no versions
  • Expired certificates return 410 when fetched directly
  • When a certificate is uploaded in the Web UI, metadata (e.g., expiry) is extracted automatically
  • All access is recorded in Request Logs
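
An added client-side example (not Secryn's own code) for the two fetch-by-ID endpoints above: it maps the documented 410 and 404 statuses to exceptions, requires the application/x-pem-file content type, and, because certificates are immutable, pins each certificate's SHA-256 on first fetch so a later change is detected. The function names, the 200 success status and the in-memory pin store are assumptions.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

class CertificateExpired(Exception):
    """Server answered 410 Gone."""

class CertificateNotFound(Exception):
    """Server answered 404 Not Found."""

def parse_fetch_response(status, content_type, body):
    """Return the DER bytes of every certificate in a fetch-by-ID response."""
    if status == 410:
        raise CertificateExpired("certificate expired")
    if status == 404:
        raise CertificateNotFound("certificate not found")
    if status != 200:  # assumption: a successful fetch is 200 OK
        raise RuntimeError(f"unexpected status {status}")
    # Refuse JSON or HTML error bodies before treating anything as a certificate.
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/x-pem-file":
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    blocks = PEM_CERT.findall(body)
    if not blocks:
        raise ValueError("no CERTIFICATE block in body")
    # validate=True rejects characters outside the base64 alphabet.
    return [base64.b64decode("".join(b.split()), validate=True) for b in blocks]

def check_pin(pins, cert_id, ders):
    """Pin SHA-256 fingerprints on first fetch; False means they changed."""
    fingerprints = [hashlib.sha256(d).hexdigest() for d in ders]
    return pins.setdefault(cert_id, fingerprints) == fingerprints

# Constructed sample: PEM armor around arbitrary bytes, not a real X.509 certificate.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    pins = {}
    ders = parse_fetch_response(200, "application/x-pem-file", SAMPLE_PEM)
    print("first fetch pinned:", check_pin(pins, "cert-1", ders))
    print("changed copy accepted:", check_pin(pins, "cert-1", [b"other"]))
```

A False result from check_pin for an ID that was already pinned contradicts the immutability guarantee and should be handled as an incident, not retried.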