Help CenterNairi API
Vault secrets

Update

Rotate a vault secret's value or change the list of allowed destination domains where it can be injected at runtime. Returns the updated secret object.

Partial update. Send only the field(s) you want to change.

PATCH /api/public/v1/vaults/{vault_id}/secrets/{secret_id}

Empty body ({}) is accepted as a no-op. updated_at is not bumped when no field actually changes.

Request body

Prop

Type

Example

curl -X PATCH https://api.nairi.ai/api/public/v1/vaults/VAULT_ID/secrets/SECRET_ID \
  -H "Authorization: Bearer $NAIRI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "value": "postgresql://new-connection...",
    "allowed_domains": ["*.newdomain.com"]
  }'
const res = await fetch(
  `https://api.nairi.ai/api/public/v1/vaults/${vaultId}/secrets/${secretId}`,
  {
    method: "PATCH",
    headers: {
      Authorization: `Bearer ${process.env.NAIRI_API_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      value: "postgresql://new-connection...",
      allowed_domains: ["*.newdomain.com"],
    }),
  },
);
const data = await res.json();
require "net/http"
require "json"
require "uri"

uri = URI("https://api.nairi.ai/api/public/v1/vaults/#{vault_id}/secrets/#{secret_id}")
req = Net::HTTP::Patch.new(uri)
req["Authorization"] = "Bearer #{ENV['NAIRI_API_KEY']}"
req["Content-Type"] = "application/json"
req.body = {
  value: "postgresql://new-connection...",
  allowed_domains: ["*.newdomain.com"],
}.to_json

res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
data = JSON.parse(res.body)
import os
import requests

res = requests.patch(
    f"https://api.nairi.ai/api/public/v1/vaults/{vault_id}/secrets/{secret_id}",
    headers={
        "Authorization": f"Bearer {os.environ['NAIRI_API_KEY']}",
        "Content-Type": "application/json",
    },
    json={
        "value": "postgresql://new-connection...",
        "allowed_domains": ["*.newdomain.com"],
    },
)
data = res.json()
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
)

func main() {
	vaultID := os.Getenv("VAULT_ID")
	secretID := os.Getenv("SECRET_ID")
	body, _ := json.Marshal(map[string]any{
		"value":           "postgresql://new-connection...",
		"allowed_domains": []string{"*.newdomain.com"},
	})
	req, _ := http.NewRequest(
		"PATCH",
		"https://api.nairi.ai/api/public/v1/vaults/"+vaultID+"/secrets/"+secretID,
		bytes.NewReader(body),
	)
	req.Header.Set("Authorization", "Bearer "+os.Getenv("NAIRI_API_KEY"))
	req.Header.Set("Content-Type", "application/json")
	res, _ := http.DefaultClient.Do(req)
	defer res.Body.Close()
	raw, _ := io.ReadAll(res.Body)
	var data map[string]any
	json.Unmarshal(raw, &data)
	fmt.Println(data)
}

Response

{
  "id": "sec_01KQ27AQH800XQTQPJZ0DH14SJ",
  "env_key": "DATABASE_URL",
  "allowed_domains": ["*.newdomain.com"],
  "created_at": "2026-04-25T11:45:19.000Z",
  "updated_at": "2026-04-12T18:50:00.000Z"
}

Create

Add a new secret to an existing Nairi vault. Supply the key, the value, and the list of destination domains the secret is allowed to be injected into.

Delete

Permanently delete a single secret from a Nairi vault by ID. Irreversible — any agent currently relying on the secret value will lose access on next run.

On this page

Request bodyExampleResponse