The Vault endpoint returns secrets by default and can optionally return keys, certificates, or a single resource. Vault access requires a Vault Access Key provided as a Bearer token.
GET /api/v1/vaults/{vault_id}
All requests must include:
Authorization: Bearer VAULT_ACCESS_KEY
Accept: application/json
If the token is missing or invalid, the API returns:
401 Unauthorized
If no query parameters are provided, the response includes:
curl --request GET \
--url "https://secryn.example.com/api/v1/vaults/{vault_id}" \
--header "Accept: application/json" \
--header "Authorization: Bearer VAULT_ACCESS_KEY"
secrets[] with: id, name, value, content_type, tags
Use the secrets query parameter to control secret output.
GET /api/v1/vaults/{vault_id}?secrets=names
Returns only:
idnamecurl --request GET \
--url "https://secryn.example.com/api/v1/vaults/{vault_id}?secrets=names" \
--header "Accept: application/json" \
--header "Authorization: Bearer VAULT_ACCESS_KEY"
Use the include query parameter to fetch keys and/or certificates.
Supported values:
keyscertificatesMultiple values can be comma-separated.
curl --request GET \
--url "https://secryn.example.com/api/v1/vaults/{vault_id}?include=keys,certificates" \
--header "Accept: application/json" \
--header "Authorization: Bearer VAULT_ACCESS_KEY"
Returned key fields:
id, name, type, key_type, key_size, activation_date, expiration_date, tags
Keys are only included if:
activation_date is null oractivation_date <= now()If a key is expired, it is returned as:
{ "id": "<key-id>", "message": "Resource expired" }
Returned certificate fields:
id, name, type, expires_at, tags
If a certificate is expired, it is returned as:
{ "id": "<certificate-id>", "message": "Resource expired" }
Note: Expired certificates and keys may be included in the list, but will be represented as an object with an id and an expiration message.
Use the resource query parameter to fetch a specific secret, key, or certificate by ID.
GET /api/v1/vaults/{vault_id}?resource={resource_id}
Secryn checks the resource in this order:
If not found, returns:
404 Not Found
If the resource ID matches an active secret, Secryn returns JSON.
Fields returned:
id, name, value, content_type, tags
Example:
curl --request GET \
--url "https://secryn.example.com/api/v1/vaults/{vault_id}?resource={secret_id}" \
--header "Accept: application/json" \
--header "Authorization: Bearer VAULT_ACCESS_KEY"
If the resource ID matches a certificate, Secryn returns the certificate file contents (PEM) with:
Content-Type: application/x-pem-fileExample:
curl --request GET \
--url "https://secryn.example.com/api/v1/vaults/{vault_id}?resource={certificate_id}" \
--header "Authorization: Bearer VAULT_ACCESS_KEY"
If expired, returns:
410 Gone with { "message": "Resource expired" }
If the resource ID matches a key, Secryn returns the key file contents (PEM) with:
Content-Type: application/x-pem-fileExample:
curl --request GET \
--url "https://secryn.example.com/api/v1/vaults/{vault_id}?resource={key_id}" \
--header "Authorization: Bearer VAULT_ACCESS_KEY"
If the key is not active yet (activation_date is in the future), returns:
403 Forbidden with { "message": "Resource not active" }
If expired, returns:
410 Gone with { "message": "Resource expired" }
All successful vault responses include:
idnameDepending on query parameters, responses may include:
secrets (array)keys (array)certificates (array)Every vault request is recorded in Request Logs with:
| Status | Meaning |
|---|---|
| 200 | Success |
| 401 | Invalid / missing vault access key |
| 403 | Resource not active (key activation date in future) |
| 404 | Resource not found |
| 410 | Resource expired (keys/certificates when fetched directly by resource) |