Help CenterNairi API
Vault secrets

List

List all secrets in a Nairi vault. Names and metadata are returned; secret values are never exposed — fetch the value with a runtime injection instead.

Secret values are never returned in any response. Only the env_key and metadata come back. To rotate a secret, use Update.

GET /api/public/v1/vaults/{vault_id}/secrets

Example

curl -X GET https://api.nairi.ai/api/public/v1/vaults/VAULT_ID/secrets \
  -H "Authorization: Bearer $NAIRI_API_KEY"
const res = await fetch(
  `https://api.nairi.ai/api/public/v1/vaults/${vaultId}/secrets`,
  {
    headers: {
      Authorization: `Bearer ${process.env.NAIRI_API_KEY}`,
    },
  },
);
const secrets = (await res.json()) as Array<{ id: string; env_key: string }>;
require "net/http"
require "json"
require "uri"

uri = URI("https://api.nairi.ai/api/public/v1/vaults/#{vault_id}/secrets")
req = Net::HTTP::Get.new(uri)
req["Authorization"] = "Bearer #{ENV['NAIRI_API_KEY']}"

res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
secrets = JSON.parse(res.body)
import os
import requests

res = requests.get(
    f"https://api.nairi.ai/api/public/v1/vaults/{vault_id}/secrets",
    headers={"Authorization": f"Bearer {os.environ['NAIRI_API_KEY']}"},
)
secrets = res.json()
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
)

func main() {
	vaultID := os.Getenv("VAULT_ID")
	req, _ := http.NewRequest("GET", "https://api.nairi.ai/api/public/v1/vaults/"+vaultID+"/secrets", nil)
	req.Header.Set("Authorization", "Bearer "+os.Getenv("NAIRI_API_KEY"))
	res, _ := http.DefaultClient.Do(req)
	defer res.Body.Close()
	raw, _ := io.ReadAll(res.Body)
	var secrets []map[string]any
	json.Unmarshal(raw, &secrets)
	fmt.Println(secrets)
}

Response

[
  {
    "id": "sec_01KQ27AQH800XQTQPJZ0DH14SJ",
    "env_key": "DATABASE_URL",
    "allowed_domains": [],
    "created_at": "2026-04-25T11:45:19.000Z",
    "updated_at": "2026-04-25T11:45:19.000Z"
  }
]

allowed_domains defaults to [] when not set. An empty array means no domain restriction is applied.

Overview

What vault secrets are and how they are encrypted, stored, and injected into agent environments at runtime through the Nairi REST API endpoints.

Create

Add a new secret to an existing Nairi vault. Supply the key, the value, and the list of destination domains the secret is allowed to be injected into.

On this page

ExampleResponse