# Update

Rotate a secret's value or change its allowed domains.





Partial update. Send only the field(s) you want to change.

```http
PATCH /api/public/v1/vaults/{vault_id}/secrets/{secret_id}
```



<Callout type="info">
  Empty body (`{}`) is accepted as a no-op. `updated_at` is **not** bumped when no field actually changes.
</Callout>

## Request body [#request-body]

<TypeTable
  type="{
  value: {
    type: &#x22;string&#x22;,
    description: &#x22;New secret value.&#x22;
  },
  allowed_domains: {
    type: &#x22;string[]&#x22;,
    description: &#x22;New allowed domains.&#x22;
  }
}"
/>

## Example [#example]

<Tabs items="[&#x22;bash&#x22;, &#x22;TypeScript&#x22;, &#x22;Ruby&#x22;, &#x22;Python&#x22;, &#x22;Go&#x22;]">
  <Tab value="bash">
    ```bash
    curl -X PATCH https://api.nairi.ai/api/public/v1/vaults/VAULT_ID/secrets/SECRET_ID \
      -H "Authorization: Bearer $NAIRI_API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "value": "postgresql://new-connection...",
        "allowed_domains": ["*.newdomain.com"]
      }'
    ```
  </Tab>

  <Tab value="TypeScript">
    ```ts
    const res = await fetch(
      `https://api.nairi.ai/api/public/v1/vaults/${vaultId}/secrets/${secretId}`,
      {
        method: "PATCH",
        headers: {
          Authorization: `Bearer ${process.env.NAIRI_API_KEY}`,
          "Content-Type": "application/json",
        },
        body: JSON.stringify({
          value: "postgresql://new-connection...",
          allowed_domains: ["*.newdomain.com"],
        }),
      },
    );
    const data = await res.json();
    ```
  </Tab>

  <Tab value="Ruby">
    ```ruby
    require "net/http"
    require "json"
    require "uri"

    uri = URI("https://api.nairi.ai/api/public/v1/vaults/#{vault_id}/secrets/#{secret_id}")
    req = Net::HTTP::Patch.new(uri)
    req["Authorization"] = "Bearer #{ENV['NAIRI_API_KEY']}"
    req["Content-Type"] = "application/json"
    req.body = {
      value: "postgresql://new-connection...",
      allowed_domains: ["*.newdomain.com"],
    }.to_json

    res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
    data = JSON.parse(res.body)
    ```
  </Tab>

  <Tab value="Python">
    ```python
    import os
    import requests

    res = requests.patch(
        f"https://api.nairi.ai/api/public/v1/vaults/{vault_id}/secrets/{secret_id}",
        headers={
            "Authorization": f"Bearer {os.environ['NAIRI_API_KEY']}",
            "Content-Type": "application/json",
        },
        json={
            "value": "postgresql://new-connection...",
            "allowed_domains": ["*.newdomain.com"],
        },
    )
    data = res.json()
    ```
  </Tab>

  <Tab value="Go">
    ```go
    package main

    import (
    	"bytes"
    	"encoding/json"
    	"fmt"
    	"io"
    	"net/http"
    	"os"
    )

    func main() {
    	vaultID := os.Getenv("VAULT_ID")
    	secretID := os.Getenv("SECRET_ID")
    	body, _ := json.Marshal(map[string]any{
    		"value":           "postgresql://new-connection...",
    		"allowed_domains": []string{"*.newdomain.com"},
    	})
    	req, _ := http.NewRequest(
    		"PATCH",
    		"https://api.nairi.ai/api/public/v1/vaults/"+vaultID+"/secrets/"+secretID,
    		bytes.NewReader(body),
    	)
    	req.Header.Set("Authorization", "Bearer "+os.Getenv("NAIRI_API_KEY"))
    	req.Header.Set("Content-Type", "application/json")
    	res, _ := http.DefaultClient.Do(req)
    	defer res.Body.Close()
    	raw, _ := io.ReadAll(res.Body)
    	var data map[string]any
    	json.Unmarshal(raw, &data)
    	fmt.Println(data)
    }
    ```
  </Tab>
</Tabs>

## Response [#response]

```json
{
  "id": "sec_01KQ27AQH800XQTQPJZ0DH14SJ",
  "env_key": "DATABASE_URL",
  "allowed_domains": ["*.newdomain.com"],
  "created_at": "2026-04-25T11:45:19.000Z",
  "updated_at": "2026-04-12T18:50:00.000Z"
}
```