# Create

Add a new secret to a vault.





```http
POST /api/public/v1/vaults/{vault_id}/secrets
```

## Request body [#request-body]

<TypeTable
  type="{
  env_key: {
    type: &#x22;string&#x22;,
    required: true,
    description: &#x22;Environment variable name.&#x22;
  },
  value: {
    type: &#x22;string&#x22;,
    required: true,
    description: &#x22;Secret value.&#x22;
  },
  allowed_domains: {
    type: &#x22;string[]&#x22;,
    default: &#x22;[]&#x22;,
    description: &#x22;Domain patterns (for example `*.example.com`) where the secret can be used. Defaults to an empty list (no restriction).&#x22;
  }
}"
/>

## Example [#example]

<Tabs items="[&#x22;bash&#x22;, &#x22;TypeScript&#x22;, &#x22;Ruby&#x22;, &#x22;Python&#x22;, &#x22;Go&#x22;]">
  <Tab value="bash">
    ```bash
    curl -X POST https://api.nairi.ai/api/public/v1/vaults/VAULT_ID/secrets \
      -H "Authorization: Bearer $NAIRI_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "env_key": "DATABASE_URL",
        "value": "postgresql://...",
        "allowed_domains": ["*.example.com"]
      }'
    ```
  </Tab>

  <Tab value="TypeScript">
    ```ts
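    // ID of the vault that will hold the secret.
    const vaultId = process.env.VAULT_ID;

    const res = await fetch(
      `https://api.nairi.ai/api/public/v1/vaults/${vaultId}/secrets`,
      {
        method: "POST",
        headers: {
          Authorization: `Bearer ${process.env.NAIRI_API_KEY}`,
          "Content-Type": "application/json",
        },
        body: JSON.stringify({
          env_key: "DATABASE_URL",
          value: "postgresql://...",
          allowed_domains: ["*.example.com"],
        }),
      },
    );
    // Non-2xx responses carry an `error` message instead of the created secret.
    if (!res.ok) {
      throw new Error(`create secret failed: ${res.status} ${await res.text()}`);
    }
    const data = (await res.json()) as { id: string };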
    ```
  </Tab>

  <Tab value="Ruby">
    ```ruby
    require "net/http"
    require "json"
    require "uri"

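    # ID of the vault that will hold the secret.
    vault_id = ENV.fetch("VAULT_ID")

    uri = URI("https://api.nairi.ai/api/public/v1/vaults/#{vault_id}/secrets")
    req = Net::HTTP::Post.new(uri)
    req["Authorization"] = "Bearer #{ENV.fetch('NAIRI_API_KEY')}"
    req["Content-Type"] = "application/json"
    req.body = {
      env_key: "DATABASE_URL",
      value: "postgresql://...",
      allowed_domains: ["*.example.com"],
    }.to_json

    res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
    # Anything other than 201 carries an `error` message instead of the created secret.
    raise "create secret failed: #{res.code} #{res.body}" unless res.is_a?(Net::HTTPCreated)
    data = JSON.parse(res.body)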
    ```
  </Tab>

  <Tab value="Python">
    ```python
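    import os
    import requests

    # ID of the vault that will hold the secret.
    vault_id = os.environ["VAULT_ID"]

    res = requests.post(
        f"https://api.nairi.ai/api/public/v1/vaults/{vault_id}/secrets",
        headers={
            "Authorization": f"Bearer {os.environ['NAIRI_API_KEY']}",
            "Content-Type": "application/json",
        },
        json={
            "env_key": "DATABASE_URL",
            "value": "postgresql://...",
            "allowed_domains": ["*.example.com"],
        },
        timeout=10,  # requests has no default timeout
    )
    # Raise on 4xx/5xx instead of parsing an error body as a secret.
    res.raise_for_status()
    data = res.json()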
    ```
  </Tab>

  <Tab value="Go">
    ```go
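    package main

    import (
    	"bytes"
    	"encoding/json"
    	"fmt"
    	"io"
    	"log"
    	"net/http"
    	"os"
    )

    func main() {
    	vaultID := os.Getenv("VAULT_ID")
    	body, err := json.Marshal(map[string]any{
    		"env_key":         "DATABASE_URL",
    		"value":           "postgresql://...",
    		"allowed_domains": []string{"*.example.com"},
    	})
    	if err != nil {
    		log.Fatal(err)
    	}
    	req, err := http.NewRequest(
    		"POST",
    		"https://api.nairi.ai/api/public/v1/vaults/"+vaultID+"/secrets",
    		bytes.NewReader(body),
    	)
    	if err != nil {
    		log.Fatal(err)
    	}
    	req.Header.Set("Authorization", "Bearer "+os.Getenv("NAIRI_API_KEY"))
    	req.Header.Set("Content-Type", "application/json")
    	// Check the error before touching res: it is nil when the request fails.
    	res, err := http.DefaultClient.Do(req)
    	if err != nil {
    		log.Fatal(err)
    	}
    	defer res.Body.Close()
    	raw, err := io.ReadAll(res.Body)
    	if err != nil {
    		log.Fatal(err)
    	}
    	// Anything other than 201 carries an `error` message instead of the secret.
    	if res.StatusCode != http.StatusCreated {
    		log.Fatalf("create secret failed: %s: %s", res.Status, raw)
    	}
    	var data map[string]any
    	if err := json.Unmarshal(raw, &data); err != nil {
    		log.Fatal(err)
    	}
    	fmt.Println(data)
    }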
    ```
  </Tab>
</Tabs>

## Response: `201 Created` [#response-201-created]

```json
{
  "id": "sec_01KQ27AQH800XQTQPJZ0DH14SJ",
  "env_key": "DATABASE_URL",
  "allowed_domains": ["*.example.com"],
  "created_at": "2026-04-25T11:45:19.000Z",
  "updated_at": "2026-04-25T11:45:19.000Z"
}
```

## Error responses [#error-responses]

| HTTP  | Body                                               | When                                                                                             |
| ----- | -------------------------------------------------- | ------------------------------------------------------------------------------------------------ |
| `400` | `{"error":"env_key already exists in this vault"}` | A secret with the same `env_key` already exists in this vault — use `PATCH` to rotate its value. |
| `400` | `{"error":"value cannot be empty"}`                | The `value` field is missing or empty.                                                           |
| `404` | `{"error":"vault not found"}`                      | The vault does not exist in the calling organization.                                            |
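
The request-body rules and the error table above, as an added example (not code from the Nairi documentation or any Nairi SDK): a client-side helper that builds the body, masks `value` for logging, and maps each documented response to the caller's next step. The function names and the `allow_unrestricted` opt-in are assumptions of this sketch; refusing an empty `allowed_domains` is a local policy, not an API rule.

```python
import json

class SecretRequestError(ValueError):
    """Raised before any network call when the body is invalid or risky."""

def build_secret_body(env_key, value, allowed_domains=None, allow_unrestricted=False):
    """Build the JSON body for POST /api/public/v1/vaults/{vault_id}/secrets.

    Mirrors the documented 400 for an empty value and, as a local policy
    (assumption, not an API rule), refuses the unrestricted default of
    allowed_domains=[] unless the caller opts in explicitly.
    """
    if not isinstance(env_key, str) or not env_key:
        raise SecretRequestError("env_key is required")
    if not isinstance(value, str) or not value:
        raise SecretRequestError("value cannot be empty")
    domains = list(allowed_domains or [])
    if any(not isinstance(d, str) or not d.strip() for d in domains):
        raise SecretRequestError("allowed_domains must be non-empty strings")
    if not domains and not allow_unrestricted:
        raise SecretRequestError("allowed_domains is empty: no domain restriction")
    return {"env_key": env_key, "value": value, "allowed_domains": domains}

def redact(body):
    """Return a copy of the body that is safe to log: the value is masked."""
    return {**body, "value": "***"}

def classify_response(status, raw_body):
    """Map a documented (status, body) pair to the action the caller should take."""
    try:
        payload = json.loads(raw_body)
    except (TypeError, ValueError):
        payload = {}
    error = payload.get("error", "") if isinstance(payload, dict) else ""
    if status == 201:
        return "created"
    if status == 400 and error == "env_key already exists in this vault":
        return "rotate_with_patch"  # the table says to use PATCH to rotate
    if status == 400 and error == "value cannot be empty":
        return "fix_value"
    if status == 404 and error == "vault not found":
        return "check_vault_id_and_org"
    return "unexpected"
```

Pass `redact(body)` rather than `body` to any logger or error reporter so the secret value never reaches log storage.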
