Encrypted storage for API keys, tokens, and credentials. Agent-scoped access, full audit trail, automatic rotation.
PUT /v1/vault/openai-key
{
"value": "sk-proj-abc123...",
"description": "OpenAI API key for embeddings",
"agent_ids": ["memory-agent", "verify-agent"],
"tags": ["api-key", "openai"],
"rotation_days": 90
}
→ {
"name": "openai-key",
"version": 1,
"created_at": "2026-03-17T00:00:00Z",
"rotation_due": "2026-06-15T00:00:00Z"
}GET /v1/vault/openai-key
X-Agent-Id: memory-agent
→ {
"name": "openai-key",
"value": "sk-proj-abc123...",
"version": 1
}The X-Agent-Id header is checked against the secret's policy. If the agent isn't allowed, you get 403.
GET /v1/vault
→ {
"secrets": [
{"name": "openai-key", "version": 2, "tags": ["api-key"]},
{"name": "db-password", "version": 1, "tags": ["database"]},
{"name": "stripe-webhook", "version": 1, "expires_at": "2026-04-01"}
]
}GET /v1/vault/openai-key/versions
→ [{"version": 1, "created_at": "..."}, {"version": 2, "created_at": "..."}]
GET /v1/vault/openai-key?version=1
→ {"value": "old-key-value..."}PUT /v1/vault/openai-key/policy
{ "agent_ids": ["memory-agent", "verify-agent", "new-agent"] }Set agent_ids to null to allow any agent in the project.
GET /v1/vault/openai-key/audit
→ {
"entries": [
{"action": "read", "agent_id": "memory-agent", "ts": "2026-03-17T00:01:00Z"},
{"action": "write", "agent_id": null, "ts": "2026-03-17T00:00:00Z", "version": 1}
]
}| Operation | Credits |
|---|---|
| Store / update secret | 2 |
| Read secret | 1 |
| List secrets | 1 |
| Delete secret | 1 |
| Read audit log | 1 |