API Reference

A REST API that speaks your language

The best API docs are the ones you don't need to read twice. FyVault's API is RESTful, consistent, and typed end to end -- so you spend your time building, not deciphering.

REST / JSON Bearer Auth Base: https://api.fyvault.com/api/v1

You've read API docs that feel like they were written as the backend team's least favorite task. Vague parameter names. Missing examples. Error codes that just say "something went wrong."

FyVault is different. Every endpoint has a working example. Every error returns a human-readable message, a machine-readable code, and a direct link to the docs page that explains what happened. The URL structure is predictable -- learn one resource path and you already know the rest.

See for yourself -- this is a real request you can run in thirty seconds:

terminal

# Store a secret and get back a versioned resource

curl -X POST https://api.fyvault.com/api/v1/orgs/acme/secrets \

-H "Authorization: Bearer $FYVAULT_TOKEN" \

-H "Content-Type: application/json" \

-d '{

"name": "stripe-live-key",

"type": "api_key",

"value": "sk_live_..."

# 201 Created -- clean, predictable, done

{

"id": "sec_abc123",

"name": "stripe-live-key",

"type": "api_key",

"version": 1,

"created_at": "2025-01-15T09:32:00Z"

}

Three ways to authenticate -- pick what fits your workflow

Different contexts call for different credentials. Use API keys for server-side integrations, session tokens for browser apps, and agent credentials for autonomous AI workflows.

API Keys

Generate a long-lived key for server-to-server integrations. Scoped to an organization, rotatable on demand, and revocable in one call.

Authorization: Bearer fv_live_abc123...

Session Tokens

Short-lived JWTs for browser-based flows. Issued on login, refreshed silently, and invalidated the moment a user signs out.

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Agent Credentials

Purpose-built tokens for AI agents and automated pipelines. Scoped to exactly the secrets an agent needs and nothing more.

Authorization: Bearer fv_agent_xyz789...

Manage secrets programmatically

Full CRUD for every secret in your vault

Create, read, update, and delete secrets through clean, predictable endpoints. Every secret is versioned automatically, so you always have a trail back to what changed and when.

POST/orgs/:org_id/secretsStore a new secret with automatic versioning

GET/orgs/:org_id/secretsList all secrets, filterable by type and tag

GET/orgs/:org_id/secrets/:idRetrieve a secret with its full version history

PATCH/orgs/:org_id/secrets/:idUpdate a value and increment the version

DELETE/orgs/:org_id/secrets/:idSoft-delete with a configurable retention window

Control who gets access

Agent credentials, team permissions, device trust

Secrets are only useful if the right people and systems can reach them. These endpoints let you manage teams, assign devices, and issue scoped credentials without ever touching a dashboard.

POST/orgs/:org_id/teamsCreate a team with role-based access

POST/orgs/:org_id/teams/:id/membersAdd a member and assign their permissions

POST/orgs/:org_id/devicesRegister a trusted device

POST/orgs/:org_id/devices/:id/assignBind a secret to a specific device

POST/orgs/:org_id/agent-credentialsIssue a scoped credential for an AI agent

Automate the tedious parts

Rotation, sharing, compliance, and webhooks

The operations that eat up your afternoon -- rotating keys, generating compliance reports, setting up webhook notifications -- are all a single API call. Automate them once and stop thinking about them.

POST/orgs/:org_id/secrets/:id/rotateRotate a secret and notify dependent services

POST/orgs/:org_id/secrets/:id/shareGenerate a time-limited, encrypted share link

GET/orgs/:org_id/compliance/reportPull a compliance snapshot on demand

POST/orgs/:org_id/webhooksSubscribe to secret lifecycle events

GET/orgs/:org_id/webhooksList all active webhook subscriptions

Define the rules

Policies, audit logs, and governance

Codify your security posture as policy objects. Set rotation schedules, enforce naming conventions, require multi-party approval for sensitive operations -- all through the API.

POST/orgs/:org_id/policiesCreate an enforceable security policy

GET/orgs/:org_id/policiesList all active policies and their scope

PATCH/orgs/:org_id/policies/:idUpdate policy rules without downtime

DELETE/orgs/:org_id/policies/:idRetire a policy gracefully

GET/orgs/:org_id/audit-logQuery the immutable audit trail

Built on principles you will appreciate at 2 a.m.

An API is a contract. Here is what FyVault guarantees on every request, every response, every time.

Consistent resource URLs

Every resource follows the same /orgs/:org_id/:resource/:id pattern. Learn one, know them all.

Typed error responses

Errors include a machine-readable code, a human-readable message, and a link to the relevant docs page.

Pagination built in

List endpoints support cursor-based pagination out of the box. No surprises at scale.

Idempotent writes

Pass an Idempotency-Key header on POST requests and safely retry without creating duplicates.

Versioned from day one

The API is versioned in the URL path. Breaking changes go to a new version. Your integrations stay stable.

Rate limits that make sense

Generous defaults, clear headers showing your remaining budget, and a 429 response that tells you exactly when to retry.

Errors that actually help you fix things

No more guessing what went wrong. Every error includes a code your program can match on, a message a human can read, and a docs link that explains the fix.

error response

# 403 Forbidden -- but you know exactly why

{

"error": {

"code": "SECRET_ACCESS_DENIED",

"message": "This agent credential does not have read access to secret sec_abc123. Grant the 'secrets:read' scope or use a different credential.",

"docs": "https://docs.fyvault.com/errors/secret-access-denied"

}

Ready to start building?

Full request and response schemas, SDK quickstarts, rate limit details, and pagination guides -- all in one place.