Vault secrets
Create
Add a new secret to a vault.
POST /api/public/v1/vaults/{vault_id}/secrets

Request body
Prop
Type
Example
curl -X POST https://api.nairi.ai/api/public/v1/vaults/VAULT_ID/secrets \
-H "Authorization: Bearer $NAIRI_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"env_key": "DATABASE_URL",
"value": "postgresql://...",
"allowed_domains": ["*.example.com"]
}'

const res = await fetch(
`https://api.nairi.ai/api/public/v1/vaults/${vaultId}/secrets`,
{
method: "POST",
headers: {
Authorization: `Bearer ${process.env.NAIRI_API_KEY}`,
"Content-Type": "application/json",
},
body: JSON.stringify({
env_key: "DATABASE_URL",
value: "postgresql://...",
allowed_domains: ["*.example.com"],
}),
},
);
const data = (await res.json()) as { id: string };

require "net/http"
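require "json"
require "uri"

uri = URI("https://api.nairi.ai/api/public/v1/vaults/#{vault_id}/secrets")
req = Net::HTTP::Post.new(uri)
# ENV.fetch raises when the key is unset instead of sending an empty bearer token.
req["Authorization"] = "Bearer #{ENV.fetch('NAIRI_API_KEY')}"
req["Content-Type"] = "application/json"
req.body = {
  env_key: "DATABASE_URL",
  value: "postgresql://...",
  allowed_domains: ["*.example.com"],
}.to_json
res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
# Stop on a non-2xx reply so an error body is never treated as a created secret.
raise "create secret failed: #{res.code} #{res.body}" unless res.is_a?(Net::HTTPSuccess)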
data = JSON.parse(res.body)

import os
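import requests

res = requests.post(
    f"https://api.nairi.ai/api/public/v1/vaults/{vault_id}/secrets",
    headers={
        "Authorization": f"Bearer {os.environ['NAIRI_API_KEY']}",
        "Content-Type": "application/json",
    },
    json={
        "env_key": "DATABASE_URL",
        "value": "postgresql://...",
        "allowed_domains": ["*.example.com"],
    },
    # requests has no default timeout; without one a stalled connection blocks forever.
    timeout=30,
)
# Raise on 4xx/5xx so an error body is never parsed as a created secret.
res.raise_for_status()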
data = res.json()

package main
import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"time"
)
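// main creates a secret in the vault named by VAULT_ID, prints the API's JSON
// reply, and exits non-zero on any failure.
func main() {
	if err := createSecret(); err != nil {
		fmt.Fprintln(os.Stderr, "create secret:", err)
		os.Exit(1)
	}
}

// createSecret sends the POST request and prints the decoded response body.
// It returns an error instead of continuing with a nil response or a
// half-decoded body.
func createSecret() error {
	vaultID := os.Getenv("VAULT_ID")
	apiKey := os.Getenv("NAIRI_API_KEY")
	// Fail fast rather than sending an empty bearer token or a malformed path.
	if vaultID == "" || apiKey == "" {
		return fmt.Errorf("VAULT_ID and NAIRI_API_KEY must be set")
	}

	body, err := json.Marshal(map[string]any{
		"env_key":         "DATABASE_URL",
		"value":           "postgresql://...",
		"allowed_domains": []string{"*.example.com"},
	})
	if err != nil {
		return fmt.Errorf("encoding request body: %w", err)
	}

	// PathEscape keeps a stray "/" or "?" in the ID from changing which
	// endpoint the bearer token is sent to.
	endpoint := "https://api.nairi.ai/api/public/v1/vaults/" + url.PathEscape(vaultID) + "/secrets"
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return fmt.Errorf("building request: %w", err)
	}
	req.Header.Set("Authorization", "Bearer "+apiKey)
	req.Header.Set("Content-Type", "application/json")

	// http.DefaultClient has no timeout; bound the call so a stalled
	// connection cannot hang the program.
	client := &http.Client{Timeout: 30 * time.Second}
	res, err := client.Do(req)
	if err != nil {
		// res is nil here, so it must not be touched.
		return fmt.Errorf("sending request: %w", err)
	}
	defer res.Body.Close()

	// Cap how much of the response is buffered in memory.
	raw, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
	if err != nil {
		return fmt.Errorf("reading response: %w", err)
	}
	// The endpoint answers 201 Created on success; anything else is an error body.
	if res.StatusCode != http.StatusCreated {
		return fmt.Errorf("unexpected status %s: %s", res.Status, raw)
	}

	var data map[string]any
	if err := json.Unmarshal(raw, &data); err != nil {
		return fmt.Errorf("decoding response: %w", err)
	}
	fmt.Println(data)
	return nil
}

Response: 201 Created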
{
"id": "sec_01KQ27AQH800XQTQPJZ0DH14SJ",
"env_key": "DATABASE_URL",
"allowed_domains": ["*.example.com"],
"created_at": "2026-04-25T11:45:19.000Z",
"updated_at": "2026-04-25T11:45:19.000Z"
}

Error responses
| HTTP | Body | When |
|---|---|---|
| 400 | {"error":"env_key already exists in this vault"} | A secret with the same env_key already exists in this vault — use PATCH to rotate its value. |
| 400 | {"error":"value cannot be empty"} | The value field is missing or empty. |
| 404 | {"error":"vault not found"} | The vault does not exist in the calling organization. |