API Reference
REST API for SecretServer.io. All endpoints are under https://api.secretserver.io/api/v1.
Authentication: Pass your API key as a Bearer token or via the X-API-Key header.
Authorization: Bearer sk_live_...
# or
X-API-Key: sk_live_...
Generate an API key in account settings. Full OpenAPI spec: openapi.yaml.
Sections: Path-based access (universal), Containers, Generic Secrets, Passwords & Credentials, Keys & Certificates, Version History, Sharing, Temp Access, Authentication
Path-based access
Resolve any secret by its container path — no need to know the secret type in advance.
/api/v1/s/:container/:key - Get current value of a secret by container + key name
/api/v1/s/:container/:key/:version - Get a specific historical version (2=previous, 3=two back…)
/api/v1/t/:token - Public — redeem a temp access token (no auth required)
# Request
GET /api/v1/s/production/postgres-password
# Response
{
  "id": "uuid",
  "name": "postgres-password",
  "secret_type": "computer_credential",
  "data": {
    "hostname": "db.example.com",
    "admin_user": "postgres",
    "password": "s3cur3P@ssw0rd!"
  },
  "created_at": "2026-02-15T10:00:00Z"
}
Containers
Containers are namespaces for organising secrets. Each has a URL-safe slug used in path-based access.
/api/v1/containers - List containers
/api/v1/containers - Create a container
/api/v1/containers/:id - Get container
/api/v1/containers/:id - Update container
/api/v1/containers/:id - Delete container
POST /api/v1/containers
{
  "name": "Production",
  "slug": "production",
  "description": "Production environment secrets"
}
Generic Secrets
/api/v1/secrets - List secrets
/api/v1/secrets - Create secret
/api/v1/secrets/:id - Get secret + value
/api/v1/secrets/:id - Update secret
/api/v1/secrets/:id - Delete secret
Passwords & Credentials
All credential endpoints follow the same CRUD pattern. Replace :type with the type name.
/api/v1/passwords[/:id] - Username + password entries
/api/v1/computer-credentials[/:id] - Hostnames, IP addresses, OS credentials
/api/v1/wifi-credentials[/:id] - SSID, WPA2/3/WEP, band, hidden flag
/api/v1/windows-credentials[/:id] - Domain accounts, local accounts, MSA
/api/v1/social-credentials[/:id] - Social network accounts with 2FA flag
/api/v1/root-credentials[/:id] - Root / su credentials with sudo flag
/api/v1/ldap-bind-credentials[/:id] - LDAP bind DN + password
/api/v1/integrations[/:id] - Third-party service tokens (bearer, API key, OAuth2)
/api/v1/disk-credentials[/:id] - LUKS, BitLocker, FileVault, VeraCrypt passphrases
/api/v1/service-config[/:id] - Service config file values
POST /api/v1/computer-credentials
{
  "name": "DB Server",
  "container_id": "uuid-of-container", // optional
  "hostname": "db.example.com",
  "ip_address": "10.0.1.50",
  "os_type": "linux",
  "admin_user": "root",
  "password": "s3cur3P@ssw0rd!" // stored in Vault, never in DB
}
Keys & Certificates
/api/v1/ssh-keys[/:id] - SSH key pairs (Ed25519, RSA, ECDSA)
/api/v1/gpg-keys[/:id] - GPG / PGP key pairs
/api/v1/certificates[/:id] - X.509 TLS certificates
/api/v1/api-tokens[/:id] - API tokens for external services
/api/v1/openssl-keys[/:id] - RSA, ECDSA, Ed25519 keys
/api/v1/ntlm[/:id] - NTLM hash credentials
/api/v1/code-signing-keys[/:id] - Apple, Authenticode, Android, GPG, Maven signing keys
Version History
Available on all secret types. Enable per-secret with configurable max (1–12 versions).
/api/v1/:type/:id/history-settings - Get history settings (enabled, max_versions)
/api/v1/:type/:id/history-settings - Update history settings
/api/v1/:type/:id/history - List version metadata (no secret values)
/api/v1/:type/:id/history/:version - Get a specific historical version value
PUT /api/v1/computer-credentials/:id/history-settings
{ "history_enabled": true, "max_versions": 6 }
GET /api/v1/computer-credentials/:id/history
{
  "versions": [
    { "version_num": 1, "created_by": "alice@example.com", "created_at": "..." },
    { "version_num": 2, "created_by": "bob@example.com", "created_at": "..." }
  ]
}
Temp Access
Generate time-limited tokens for unauthenticated access. Tokens are SHA-256 hashed at rest. Useful for CI/CD pipelines, external scripts, and ephemeral services.
/api/v1/:type/:id/temp-access - Create a temp access token
/api/v1/:type/:id/temp-access - List active (non-expired) grants
/api/v1/temp-access/:grant_id - Revoke a grant
/api/v1/t/:token - Public — redeem token, returns secret value
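The hashed-at-rest, time-limited token model described above, as an added example that is not SecretServer.io's own code. The class and method names, the 32-byte token length, the grant id format and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class TempAccessStore:
    """Toy in-memory grant store: keeps only SHA-256 digests of tokens."""

    def __init__(self):
        self._grants = {}  # grant_id -> digest, secret_id, expires_at

    def create(self, secret_id, duration_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_hex(32)  # assumed length; returned to caller once
        grant_id = secrets.token_hex(8)  # hypothetical grant id format
        self._grants[grant_id] = {
            "digest": hashlib.sha256(token.encode()).digest(),
            "secret_id": secret_id,
            "expires_at": now + duration_seconds,
        }
        return grant_id, token

    def redeem(self, token, now=None):
        """Return the secret id for a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).digest()
        for grant in self._grants.values():
            # Constant-time comparison of the stored and presented digests.
            if hmac.compare_digest(grant["digest"], digest):
                return grant["secret_id"] if now < grant["expires_at"] else None
        return None

    def revoke(self, grant_id):
        """Drop a grant; later redemptions of its token fail."""
        return self._grants.pop(grant_id, None) is not None

    def at_rest(self):
        """What a database dump would expose: hex digests, never tokens."""
        return [g["digest"].hex() for g in self._grants.values()]
```

Because only the digest is kept, the plaintext token cannot be shown again after creation, which is why the create response must be stored by the caller.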
POST /api/v1/computer-credentials/:id/temp-access
{ "duration_seconds": 900 }
// Response
{
  "token": "a3f8c2e1d4b7...", // shown ONCE, store it
  "expires_at": "2026-02-17T12:15:00Z"
}
// Redeem (no API key required)
GET /api/v1/t/a3f8c2e1d4b7...
{
  "id": "uuid", "name": "postgres-password",
  "secret_type": "computer_credential",
  "data": { "password": "s3cur3P@ssw0rd!" }
}
Authentication
/api/v1/auth/oidc/login - Initiate OIDC/SSO login
/api/v1/auth/oidc/callback - OIDC callback
/api/v1/auth/device/code - Device code flow (CLI / headless)
/api/v1/auth/device/token - Poll for device code token
/api/v1/auth/api-keys - Create an API key
/api/v1/auth/api-keys - List API keys
/api/v1/auth/api-keys/:id - Revoke an API key