Vault API
A zero-knowledge encrypted credential store for your organization. Store API keys, login credentials, SSH keys, and other secrets — Inkbox never sees the plaintext. All encryption and decryption happens client-side using your vault key.
API base URL:
https://inkbox.ai/api/v1/vaultQuick start
Create an account and get your API key from the Inkbox console:
Get API keyMost vault API requests support api-key authentication. Vault deletion is handled separately in the Inkbox Console. See individual endpoint docs for details.
X-API-Key: YOUR_API_KEYVault
Only one active vault can exist per organization. After deleting a vault, you can initialize a new one.
Initialize vault
POSTCreate a new vault with a primary key and four recovery keys
/api/v1/vault/initializeGet vault info
GETGet vault metadata including secret and key counts
/api/v1/vault/infoUnlock vault
GETFetch encrypted secrets and wrapped keys for client-side decryption
/api/v1/vault/unlockDelete vault
DELETEDelete the vault and all its keys and secrets
/api/v1/vaultSecrets
Create secret
POSTStore a new encrypted secret
/api/v1/vault/secretsList secrets
GETList all secrets (metadata only, no payloads)
/api/v1/vault/secretsGet secret
GETGet a single secret with its encrypted payload
/api/v1/vault/secrets/{secret_id}Update secret
PATCHUpdate a secret's name, description, or encrypted payload
/api/v1/vault/secrets/{secret_id}Delete secret
DELETEDelete a secret
/api/v1/vault/secrets/{secret_id}Keys
List vault keys
GETList all vault keys (primary and recovery)
/api/v1/vault/keysReplace primary key
PUTReplace the primary vault key using current key or recovery code
/api/v1/vault/keys/primaryRevoke vault key
DELETERevoke a vault key by its auth hash
/api/v1/vault/keys/{auth_hash}Access control
Grant identity access
POSTGrant an agent identity access to a specific secret
/api/v1/vault/secrets/{secret_id}/accessList access rules
GETList all identity access rules for a secret
/api/v1/vault/secrets/{secret_id}/accessRevoke identity access
DELETERevoke an identity's access to a secret
/api/v1/vault/secrets/{secret_id}/access/{identity_id}Initialize vault POST
POST /vault/initializeCreate a new vault for your organization. The request body contains client-generated cryptographic material, so use the SDK or CLI rather than calling this directly — see capabilities/vault.
Returns 201 with the new vault_id and related identifiers.
Get vault info GET
GET /vault/infoRetrieve metadata about the organization's active vault.
Response (200)
| Field | Type | Description |
|---|---|---|
id | UUID | Vault identifier |
organization_id | string | Organization that owns this vault |
created_at | string | Creation timestamp (ISO 8601) |
updated_at | string | Last update timestamp (ISO 8601) |
key_count | integer | Active primary vault keys |
secret_count | integer | Active vault secrets |
recovery_key_count | integer | Active recovery keys |
Unlock vault GET
GET /vault/unlockFetch the encrypted vault bundle so the client can decrypt it locally. The response contains the wrapped key material needed to derive the org encryption key, plus encrypted_secrets (same shape as GET /vault/secrets/{secret_id}). Use the SDK or CLI to handle the decryption flow.
Delete vault DELETE
DELETE /vaultDelete the vault and all associated keys and secrets. This is a destructive operation — all vault keys and secrets are permanently inaccessible after deletion. This action is performed in the Inkbox Console.
After deletion, the organization can initialize a new vault. The deleted vault does not block creating a new one.
Response
Returns 204 No Content on success.
Where to delete a vault
Delete the vault from the Inkbox Console:
Open Inkbox Console