Create a new secret with credentials stored in Vault or external vault.
Required Role: ADMIN or OWNER
Tier Limits:
Security Note: Credentials are stored encrypted in PostgreSQL Vault and are NEVER returned in API responses.
Secrets can be created in two ways:
Option 1: Direct credentials - store credentials in AWS SSM Parameter Store. Request body should contain:
Option 2: External vault - reference secrets in 1Password, Doppler, or Infisical. Request body should contain:
Example for S3 (direct credentials):
{
  "name": "AWS Production Access",
  "description": "S3 access for prod environment",
  "secret_type": "s3",
  "auth_method": "s3_access_key",
  "credentials": {
    "access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  }
}
Example for S3 (1Password external vault):
{
  "name": "AWS Production Access",
  "description": "S3 access via 1Password",
  "secret_type": "s3",
  "auth_method": "s3_access_key",
  "vault_connection_id": "uuid-of-1password-connection",
  "field_mappings": [
    {"field_name": "access_key_id", "reference": "op://DevOps/AWS-Prod/access_key_id"},
    {"field_name": "secret_access_key", "reference": "op://DevOps/AWS-Prod/secret_access_key"}
  ]
}
Example for S3 (Doppler external vault):
{
  "name": "AWS Production Access",
  "description": "S3 access via Doppler",
  "secret_type": "s3",
  "auth_method": "s3_access_key",
  "vault_connection_id": "uuid-of-doppler-connection",
  "field_mappings": [
    {"field_name": "access_key_id", "reference": "AWS_ACCESS_KEY_ID"},
    {"field_name": "secret_access_key", "reference": "AWS_SECRET_ACCESS_KEY"}
  ]
}
Example for S3 (Infisical external vault):
{
  "name": "AWS Production Access",
  "description": "S3 access via Infisical",
  "secret_type": "s3",
  "auth_method": "s3_access_key",
  "vault_connection_id": "uuid-of-infisical-connection",
  "field_mappings": [
    {"field_name": "access_key_id", "reference": "AWS_ACCESS_KEY_ID"},
    {"field_name": "secret_access_key", "reference": "AWS_SECRET_ACCESS_KEY"}
  ]
}
Returns:
The response will NOT include credentials.
Authentication: Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Schema for creating a new secret.
Secrets can be created in two ways:
Option 1: Direct credentials (stored in AWS SSM Parameter Store)
Provide credentials dict with provider-specific fields.
Option 2: External vault reference (1Password, Doppler, Infisical)
Provide vault_connection_id and field_mappings to reference secrets
stored in your external vault.
Provider-specific credential fields (for Option 1):
AWS S3: { "access_key_id": "string", "secret_access_key": "string" }
Azure Blob Storage (Option 1 - Account Name/Key): { "account_name": "string", "account_key": "string" }
Azure Blob Storage (Option 2 - SAS URL - Recommended): { "sas_url": "https://account.blob.core.windows.net/container?sp=racwdl&st=2024-01-01&se=2025-01-01&..." }
Google Cloud Storage: { "service_account_json": "string" # JSON key file as string }
Cloudflare R2: { "access_key_id": "string", "secret_access_key": "string" }
Backblaze B2: { "application_key_id": "string", "application_key": "string" }
Wasabi (requires endpoint_url in location config): { "access_key_id": "string", "secret_access_key": "string" }
Railway (S3-compatible): { "access_key_id": "string", "secret_access_key": "string" }
Oracle Object Storage (S3-compatible): { "access_key_id": "string", "secret_access_key": "string" }
Request body fields:
name: Secret name (string, 1-255 characters)
secret_type: Type of credentials (s3, azure_blob, gcs, etc.). One of: s3, azure_blob, gcs, r2, b2, wasabi, railway, oracle_object_storage_s3, s3_compatible
auth_method: Authentication mechanism (e.g., azure_account_key, s3_access_key). One of: s3_access_key, r2_access_key, wasabi_access_key, railway_access_key, oracle_object_storage_s3_access_key, s3_compatible_access_key, azure_account_key, azure_sas_url, gcs_service_account, b2_application_key
description: Optional description (up to 2000 characters)
credentials: Provider-specific credentials (NEVER returned in responses)
vault_connection_id: ID of the vault connection to use for resolving credentials
field_mappings: Mappings from credential field names to external vault references
Successful Response
Schema for secret metadata response (without credentials).
Credentials are NEVER returned in any API response.
secret_type: Cloud storage provider types. One of: s3, azure_blob, gcs, r2, b2, wasabi, railway, oracle_object_storage_s3, s3_compatible
auth_method: Authentication mechanism identifiers for cloud storage credentials. Each provider may support one or more authentication methods. Explicit names ensure clarity and make it easy to add new methods. One of: s3_access_key, r2_access_key, wasabi_access_key, railway_access_key, oracle_object_storage_s3_access_key, s3_compatible_access_key, azure_account_key, azure_sas_url, gcs_service_account, b2_application_key
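The following is an added example, not the project's own client or server code, showing client-side checks for the request schema above and for the response invariant: it validates that a body uses exactly one of the two options, that the credential keys match the chosen auth_method, that name and description respect their size limits, masks credential values before anything is logged, and checks that a response carries no credentials object. The field names, enum values and limits are taken from this page; the endpoint path "/secrets" and the base URL are assumptions.

```python
"""Client-side checks for the create-secret request body.

Added example, not the project's own code. Field names, enum values and size
limits come from the schema on this page; the "/secrets" path and the base
URL are assumptions.
"""
import copy
import json

SECRET_TYPES = {"s3", "azure_blob", "gcs", "r2", "b2", "wasabi", "railway",
                "oracle_object_storage_s3", "s3_compatible"}

# Credential keys each auth_method needs (Option 1). For Option 2 the same
# keys must appear as field_name entries in field_mappings.
CREDENTIAL_FIELDS = {
    "s3_access_key": ("access_key_id", "secret_access_key"),
    "r2_access_key": ("access_key_id", "secret_access_key"),
    "wasabi_access_key": ("access_key_id", "secret_access_key"),
    "railway_access_key": ("access_key_id", "secret_access_key"),
    "oracle_object_storage_s3_access_key": ("access_key_id", "secret_access_key"),
    "s3_compatible_access_key": ("access_key_id", "secret_access_key"),
    "azure_account_key": ("account_name", "account_key"),
    "azure_sas_url": ("sas_url",),
    "gcs_service_account": ("service_account_json",),
    "b2_application_key": ("application_key_id", "application_key"),
}


def validate_create_secret(body):
    """Return a list of problems; an empty list means the body is acceptable."""
    problems = []
    name = body.get("name")
    if not isinstance(name, str) or not 1 <= len(name) <= 255:
        problems.append("name must be a string of 1-255 characters")
    desc = body.get("description")
    if desc is not None and (not isinstance(desc, str) or len(desc) > 2000):
        problems.append("description must be at most 2000 characters")
    if body.get("secret_type") not in SECRET_TYPES:
        problems.append("unknown secret_type %r" % body.get("secret_type"))
    auth = body.get("auth_method")
    required = CREDENTIAL_FIELDS.get(auth)
    if required is None:
        problems.append("unknown auth_method %r" % auth)
        required = ()
    direct = "credentials" in body
    vault = "vault_connection_id" in body or "field_mappings" in body
    if direct == vault:  # neither or both options present
        problems.append("provide exactly one of credentials (Option 1) or "
                        "vault_connection_id + field_mappings (Option 2)")
    elif direct:
        creds = body["credentials"]
        if not isinstance(creds, dict):
            problems.append("credentials must be an object")
        else:
            missing = [k for k in required if not creds.get(k)]
            if missing:
                problems.append("credentials missing %s for %s" % (missing, auth))
    else:
        if not body.get("vault_connection_id"):
            problems.append("vault_connection_id is required for Option 2")
        mappings = body.get("field_mappings")
        if not isinstance(mappings, list):
            problems.append("field_mappings must be a list")
        else:
            mapped = {m.get("field_name") for m in mappings
                      if isinstance(m, dict) and m.get("reference")}
            missing = [k for k in required if k not in mapped]
            if missing:
                problems.append("field_mappings missing %s for %s" % (missing, auth))
    return problems


def redact(body):
    """Copy of the body that is safe to log: Option 1 credential values are
    masked. Option 2 references (op:// paths, key names) are not secrets."""
    safe = copy.deepcopy(body)
    if isinstance(safe.get("credentials"), dict):
        safe["credentials"] = {k: "***" for k in safe["credentials"]}
    return safe


def build_request(body, token, base_url="https://api.example.invalid"):
    """Assemble the HTTP call (path is an assumption); refuses invalid bodies."""
    problems = validate_create_secret(body)
    if problems:
        raise ValueError("; ".join(problems))
    return {"method": "POST", "url": base_url + "/secrets",
            "headers": {"Authorization": "Bearer " + token,
                        "Content-Type": "application/json"},
            "body": json.dumps(body)}


def response_leaks_credentials(response):
    """True if a response carries a credentials object, which this API
    documents as never happening; a cheap client-side invariant check."""
    return "credentials" in response


# Constructed sample bodies mirroring the S3 examples on this page.
DIRECT = {"name": "AWS Production Access", "secret_type": "s3",
          "auth_method": "s3_access_key",
          "credentials": {"access_key_id": "AKIAIOSFODNN7EXAMPLE",
                          "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}
VIA_1PASSWORD = {"name": "AWS Production Access", "secret_type": "s3",
                 "auth_method": "s3_access_key",
                 "vault_connection_id": "uuid-of-1password-connection",
                 "field_mappings": [
                     {"field_name": "access_key_id", "reference": "op://DevOps/AWS-Prod/access_key_id"},
                     {"field_name": "secret_access_key", "reference": "op://DevOps/AWS-Prod/secret_access_key"}]}

if __name__ == "__main__":
    for sample in (DIRECT, VIA_1PASSWORD):
        print(validate_create_secret(sample), json.dumps(redact(sample)))
```

Run it as a script to see both sample bodies pass validation and how the direct body looks once redacted; the validator is deliberately strict about mixing the two options, since a body that carries both credentials and a vault_connection_id is ambiguous about where the secret material should live.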