Secrets management for use by e.g. env vars in workloads.

GET/workloads/secrets

List secrets

Returns managed workload secrets visible to the current member through team membership.

Parameters

limitinteger

limit

The maximum number of items to list.

Type

integer

Format

"int32"

Minimum

0

Maximum

100

Default

100

pageinteger

page

The page number to retrieve (1-indexed). Used with limit to support offset-based pagination.

Type

integer

Format

"int32"

Minimum

1

Default

1

Responses

Responses

A list of secrets is returned.

Content-Type

application/json

{

  

"total": 0,

  

"items": [

  

  

{

  

  

  

"secretId": "A1B2C3D4E5",

  

  

  

"teamIds": [

  

  

  

  

"A1B2C3D4E5"

  

  

  

]

  

  

}

  

],

  

"included": {

  

  

"secrets": [

  

  

  

{

  

  

  

  

"id": "A1B2C3D4E5",

  

  

  

  

"name": "Production Cluster",

  

  

  

  

"description": "string",

  

  

  

  

"backingType": "string",

  

  

  

  

"metadata": {

  

  

  

  

},

  

  

  

  

"currentVersion": 0,

  

  

  

  

"revoked": true,

  

  

  

  

"revokedBy": "A1B2C3D4E5",

  

  

  

  

"createdAt": "string",

  

  

  

  

"createdBy": "A1B2C3D4E5",

  

  

  

  

"updatedAt": "string",

  

  

  

  

"updatedBy": "A1B2C3D4E5"

  

  

  

}

  

  

],

  

  

"teams": [

  

  

  

{

  

  

  

  

"team": {

  

  

  

  

  

"id": "A1B2C3D4E5",

  

  

  

  

  

"organizationId": "A1B2C3D4E5",

  

  

  

  

  

"name": "string",

  

  

  

  

  

"createdAt": "string",

  

  

  

  

  

"createdBy": "A1B2C3D4E5",

  

  

  

  

  

"updatedAt": "string",

  

  

  

  

  

"updatedBy": "A1B2C3D4E5",

  

  

  

  

  

"defaultRoleId": "A1B2C3D4E5"

  

  

  

  

},

  

  

  

  

"memberCount": 0

  

  

  

}

  

  

]

  

}

}

POST/workloads/secrets

Create a secret

Creates a managed workload secret. Secret values are stored encrypted and are never returned.

Request Body

application/json

{

  

"name": "Production Cluster",

  

"description": "string",

  

"backingType": "string",

  

"metadataWrite": {

  

},

  

"value": "string",

  

"teamIds": [

  

  

"A1B2C3D4E5"

  

]

}

Responses

Responses

The secret was created successfully.

Content-Type

application/json

{

  

"id": "A1B2C3D4E5",

  

"name": "Production Cluster",

  

"description": "string",

  

"backingType": "string",

  

"metadata": {

  

},

  

"currentVersion": 0,

  

"revoked": true,

  

"revokedBy": "A1B2C3D4E5",

  

"createdAt": "string",

  

"createdBy": "A1B2C3D4E5",

  

"updatedAt": "string",

  

"updatedBy": "A1B2C3D4E5"

}

GET/workloads/secrets/{secret}

Describe a secret

Returns managed workload secret metadata. The secret value is never returned.

Responses

Responses

The secret was returned successfully.

Content-Type

application/json

{

  

"id": "A1B2C3D4E5",

  

"name": "Production Cluster",

  

"description": "string",

  

"backingType": "string",

  

"metadata": {

  

},

  

"currentVersion": 0,

  

"revoked": true,

  

"revokedBy": "A1B2C3D4E5",

  

"createdAt": "string",

  

"createdBy": "A1B2C3D4E5",

  

"updatedAt": "string",

  

"updatedBy": "A1B2C3D4E5"

}

DELETE/workloads/secrets/{secret}

Delete a secret

Soft-deletes an unreferenced managed workload secret.

Responses

Responses

The secret was deleted successfully.

PATCH/workloads/secrets/{secret}

Update a secret

Updates managed workload secret metadata and team assignments. Team removals that would break existing references are rejected.

Request Body

application/json

{

  

"name": "Production Cluster",

  

"description": "string",

  

"metadataWrite": {

  

},

  

"teamIds": [

  

  

"A1B2C3D4E5"

  

]

}

Responses

Responses

The secret was updated successfully.

Content-Type

application/json

{

  

"id": "A1B2C3D4E5",

  

"name": "Production Cluster",

  

"description": "string",

  

"backingType": "string",

  

"metadata": {

  

},

  

"currentVersion": 0,

  

"revoked": true,

  

"revokedBy": "A1B2C3D4E5",

  

"createdAt": "string",

  

"createdBy": "A1B2C3D4E5",

  

"updatedAt": "string",

  

"updatedBy": "A1B2C3D4E5"

}

PUT/workloads/secrets/{secret}/value

Replace a secret value

Replaces the current secret value by appending a new internal version. The value is never returned.

Request Body

application/json

{

  

"value": "string"

}

Responses

Responses

The secret value was replaced successfully.

Content-Type

application/json

{

  

"id": "A1B2C3D4E5",

  

"name": "Production Cluster",

  

"description": "string",

  

"backingType": "string",

  

"metadata": {

  

},

  

"currentVersion": 0,

  

"revoked": true,

  

"revokedBy": "A1B2C3D4E5",

  

"createdAt": "string",

  

"createdBy": "A1B2C3D4E5",

  

"updatedAt": "string",

  

"updatedBy": "A1B2C3D4E5"

}

POST/workloads/secrets/{secret}/revoke

Revoke a secret

Emergency-revokes the current secret version. Future runtime resolution fails closed until a replacement value is provided.

Responses

Responses

The secret current version was revoked successfully.

Content-Type

application/json

{

  

"id": "A1B2C3D4E5",

  

"name": "Production Cluster",

  

"description": "string",

  

"backingType": "string",

  

"metadata": {

  

},

  

"currentVersion": 0,

  

"revoked": true,

  

"revokedBy": "A1B2C3D4E5",

  

"createdAt": "string",

  

"createdBy": "A1B2C3D4E5",

  

"updatedAt": "string",

  

"updatedBy": "A1B2C3D4E5"

}