Help CenterNairi API
Vault secrets

Update

Rotate a secret's value or change its allowed domains.

Partial update. Send only the field(s) you want to change.

PATCH /api/public/v1/vaults/{vault_id}/secrets/{secret_id}

Empty body ({}) is accepted as a no-op. updated_at is not bumped when no field actually changes.

Request body

Prop

Type

Example

curl -X PATCH https://api.nairi.ai/api/public/v1/vaults/VAULT_ID/secrets/SECRET_ID \
  -H "Authorization: Bearer $NAIRI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "value": "postgresql://new-connection...",
    "allowed_domains": ["*.newdomain.com"]
  }'
const res = await fetch(
  `https://api.nairi.ai/api/public/v1/vaults/${vaultId}/secrets/${secretId}`,
  {
    method: "PATCH",
    headers: {
      Authorization: `Bearer ${process.env.NAIRI_API_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      value: "postgresql://new-connection...",
      allowed_domains: ["*.newdomain.com"],
    }),
  },
);
const data = await res.json();
require "net/http"
require "json"
require "uri"

uri = URI("https://api.nairi.ai/api/public/v1/vaults/#{vault_id}/secrets/#{secret_id}")
req = Net::HTTP::Patch.new(uri)
req["Authorization"] = "Bearer #{ENV['NAIRI_API_KEY']}"
req["Content-Type"] = "application/json"
req.body = {
  value: "postgresql://new-connection...",
  allowed_domains: ["*.newdomain.com"],
}.to_json

res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
data = JSON.parse(res.body)
import os
import requests

res = requests.patch(
    f"https://api.nairi.ai/api/public/v1/vaults/{vault_id}/secrets/{secret_id}",
    headers={
        "Authorization": f"Bearer {os.environ['NAIRI_API_KEY']}",
        "Content-Type": "application/json",
    },
    json={
        "value": "postgresql://new-connection...",
        "allowed_domains": ["*.newdomain.com"],
    },
)
data = res.json()
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
)

func main() {
	vaultID := os.Getenv("VAULT_ID")
	secretID := os.Getenv("SECRET_ID")
	body, _ := json.Marshal(map[string]any{
		"value":           "postgresql://new-connection...",
		"allowed_domains": []string{"*.newdomain.com"},
	})
	req, _ := http.NewRequest(
		"PATCH",
		"https://api.nairi.ai/api/public/v1/vaults/"+vaultID+"/secrets/"+secretID,
		bytes.NewReader(body),
	)
	req.Header.Set("Authorization", "Bearer "+os.Getenv("NAIRI_API_KEY"))
	req.Header.Set("Content-Type", "application/json")
	res, _ := http.DefaultClient.Do(req)
	defer res.Body.Close()
	raw, _ := io.ReadAll(res.Body)
	var data map[string]any
	json.Unmarshal(raw, &data)
	fmt.Println(data)
}

Response

{
  "id": "sec_01KQ27AQH800XQTQPJZ0DH14SJ",
  "env_key": "DATABASE_URL",
  "allowed_domains": ["*.newdomain.com"],
  "created_at": "2026-04-25T11:45:19.000Z",
  "updated_at": "2026-04-12T18:50:00.000Z"
}

Create

Add a new secret to a vault.

Delete

Permanently delete a vault secret.

On this page

Request bodyExampleResponse