Custom Provider API

Use fvprov_ tokens to let internal services push, rotate, and revoke credentials in FyVault.

When to use this

If you run an internal platform that issues credentials (database provisioner, certificate authority, custom auth service), the Provider API lets that platform push secrets directly into FyVault without human intervention.

Creating a provider token

fyvault provider-api create-token \
  --name "db-provisioner" \
  --scopes issue,rotate,revoke

Returns a fvprov_ token. Store it securely in the calling service.

Issue a credential

curl -X POST https://api.fyvault.com/api/v1/provider/issue \
  -H "Authorization: Bearer fvprov_..." \
  -H "Content-Type: application/json" \
  -d '{
    "secretName": "DB_PASSWORD",
    "environment": "production",
    "value": "pg_newpass_abc123",
    "ttlSeconds": 86400
  }'

Rotate a credential

curl -X POST https://api.fyvault.com/api/v1/provider/rotate \
  -H "Authorization: Bearer fvprov_..." \
  -H "Content-Type: application/json" \
  -d '{
    "secretName": "DB_PASSWORD",
    "environment": "production",
    "newValue": "pg_rotated_xyz789"
  }'

Revoke a credential

curl -X POST https://api.fyvault.com/api/v1/provider/revoke \
  -H "Authorization: Bearer fvprov_..." \
  -H "Content-Type: application/json" \
  -d '{
    "secretName": "DB_PASSWORD",
    "environment": "production"
  }'

SDK examples

Node.js

import { FyVault } from "@fyvault/sdk";

const fv = new FyVault({ accessToken: "fvprov_...", orgId: "org_acme" });

await fv.providers.issue({
  secretName: "DB_PASSWORD",
  environment: "production",
  value: "pg_newpass_abc123",
  ttlSeconds: 86400,
});

Python

from fyvault import FyVault

fv = FyVault(access_token="fvprov_...", org_id="org_acme")

fv.providers.issue(
    secret_name="DB_PASSWORD",
    environment="production",
    value="pg_newpass_abc123",
    ttl_seconds=86400,
)