> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dataraven.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Secret

> Create a new secret with credentials stored in Vault or external vault.

**Required Role:** ADMIN or OWNER

**Tier Limits:**
- Free Tier: Maximum 5 secrets
- Pro Tier: Maximum 100 secrets

Secrets can be created in two ways:

**Option 1: Direct credentials** - Store credentials in AWS SSM Parameter Store
Request body should contain:
- name: Secret name (must be unique within the team)
- description: Optional description
- secret_type: Type of credentials (s3, azure_blob, gcs, etc.)
- auth_method: Authentication method for the provider
- credentials: Provider-specific credentials dict

**Option 2: External vault** - Reference secrets in 1Password, Doppler, or Infisical
Request body should contain:
- name: Secret name (must be unique within the team)
- description: Optional description
- secret_type: Type of credentials (s3, azure_blob, gcs, etc.)
- auth_method: Authentication method for the provider
- vault_connection_id: ID of the vault connection to use
- field_mappings: List of {field_name, reference} objects

Example for S3 (direct credentials):
```json
{
    "name": "AWS Production Access",
    "description": "S3 access for prod environment",
    "secret_type": "s3",
    "auth_method": "s3_access_key",
    "credentials": {
        "access_key_id": "AKIAIOSFODNN7EXAMPLE",
        "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    }
}
```

Example for S3 (1Password external vault):
```json
{
    "name": "AWS Production Access",
    "description": "S3 access via 1Password",
    "secret_type": "s3",
    "auth_method": "s3_access_key",
    "vault_connection_id": "uuid-of-1password-connection",
    "field_mappings": [
        {"field_name": "access_key_id", "reference": "op://DevOps/AWS-Prod/access_key_id"},
        {"field_name": "secret_access_key", "reference": "op://DevOps/AWS-Prod/secret_access_key"}
    ]
}
```

Example for S3 (Doppler external vault):
```json
{
    "name": "AWS Production Access",
    "description": "S3 access via Doppler",
    "secret_type": "s3",
    "auth_method": "s3_access_key",
    "vault_connection_id": "uuid-of-doppler-connection",
    "field_mappings": [
        {"field_name": "access_key_id", "reference": "AWS_ACCESS_KEY_ID"},
        {"field_name": "secret_access_key", "reference": "AWS_SECRET_ACCESS_KEY"}
    ]
}
```

Example for S3 (Infisical external vault):
```json
{
    "name": "AWS Production Access",
    "description": "S3 access via Infisical",
    "secret_type": "s3",
    "auth_method": "s3_access_key",
    "vault_connection_id": "uuid-of-infisical-connection",
    "field_mappings": [
        {"field_name": "access_key_id", "reference": "AWS_ACCESS_KEY_ID"},
        {"field_name": "secret_access_key", "reference": "AWS_SECRET_ACCESS_KEY"}
    ]
}
```

Returns:
- 201 Created on success
- 400 Bad Request for validation errors
- 409 Conflict if a secret with the same name already exists in this team

The response will NOT include credentials.



## OpenAPI

````yaml POST /v1/teams/{team_id}/secrets
openapi: 3.1.0
info:
  title: Data Raven API
  description: Cloud-to-cloud data transfer platform powered by RClone
  version: 0.5.0
servers: []
security: []
paths:
  /v1/teams/{team_id}/secrets:
    post:
      tags:
        - Secrets
      summary: Create Secret
      description: >-
        Create a new secret with credentials stored in Vault or external vault.


        **Required Role:** ADMIN or OWNER


        **Tier Limits:**

        - Free Tier: Maximum 5 secrets

        - Pro Tier: Maximum 100 secrets


        Secrets can be created in two ways:


        **Option 1: Direct credentials** - Store credentials in AWS SSM
        Parameter Store

        Request body should contain:

        - name: Secret name (must be unique within the team)

        - description: Optional description

        - secret_type: Type of credentials (s3, azure_blob, gcs, etc.)

        - auth_method: Authentication method for the provider

        - credentials: Provider-specific credentials dict


        **Option 2: External vault** - Reference secrets in 1Password, Doppler,
        or Infisical

        Request body should contain:

        - name: Secret name (must be unique within the team)

        - description: Optional description

        - secret_type: Type of credentials (s3, azure_blob, gcs, etc.)

        - auth_method: Authentication method for the provider

        - vault_connection_id: ID of the vault connection to use

        - field_mappings: List of {field_name, reference} objects


        Example for S3 (direct credentials):

        ```json

        {
            "name": "AWS Production Access",
            "description": "S3 access for prod environment",
            "secret_type": "s3",
            "auth_method": "s3_access_key",
            "credentials": {
                "access_key_id": "AKIAIOSFODNN7EXAMPLE",
                "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
            }
        }

        ```


        Example for S3 (1Password external vault):

        ```json

        {
            "name": "AWS Production Access",
            "description": "S3 access via 1Password",
            "secret_type": "s3",
            "auth_method": "s3_access_key",
            "vault_connection_id": "uuid-of-1password-connection",
            "field_mappings": [
                {"field_name": "access_key_id", "reference": "op://DevOps/AWS-Prod/access_key_id"},
                {"field_name": "secret_access_key", "reference": "op://DevOps/AWS-Prod/secret_access_key"}
            ]
        }

        ```


        Example for S3 (Doppler external vault):

        ```json

        {
            "name": "AWS Production Access",
            "description": "S3 access via Doppler",
            "secret_type": "s3",
            "auth_method": "s3_access_key",
            "vault_connection_id": "uuid-of-doppler-connection",
            "field_mappings": [
                {"field_name": "access_key_id", "reference": "AWS_ACCESS_KEY_ID"},
                {"field_name": "secret_access_key", "reference": "AWS_SECRET_ACCESS_KEY"}
            ]
        }

        ```


        Example for S3 (Infisical external vault):

        ```json

        {
            "name": "AWS Production Access",
            "description": "S3 access via Infisical",
            "secret_type": "s3",
            "auth_method": "s3_access_key",
            "vault_connection_id": "uuid-of-infisical-connection",
            "field_mappings": [
                {"field_name": "access_key_id", "reference": "AWS_ACCESS_KEY_ID"},
                {"field_name": "secret_access_key", "reference": "AWS_SECRET_ACCESS_KEY"}
            ]
        }

        ```


        Returns:

        - 201 Created on success

        - 400 Bad Request for validation errors

        - 409 Conflict if a secret with the same name already exists in this
        team


        The response will NOT include credentials.
      operationId: create_secret_v1_teams__team_id__secrets_post
      parameters:
        - name: team_id
          in: path
          required: true
          schema:
            type: string
            format: uuid
            title: Team Id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SecretCreate'
      responses:
        '201':
          description: Successful Response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SecretResponse'
        '400':
          description: Invalid secret data
        '409':
          description: Secret with this name already exists
        '422':
          description: Validation Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HTTPValidationError'
        '500':
          description: Failed to create secret
      security:
        - HTTPBearer: []
components:
  schemas:
    SecretCreate:
      properties:
        name:
          type: string
          maxLength: 255
          minLength: 1
          title: Name
          description: Secret name
        description:
          anyOf:
            - type: string
              maxLength: 2000
            - type: 'null'
          title: Description
          description: Optional description
        secret_type:
          $ref: '#/components/schemas/LocationType'
          description: Type of credentials (s3, azure_blob, gcs, etc.)
        auth_method:
          $ref: '#/components/schemas/AuthMethod'
          description: Authentication mechanism (e.g., azure_account_key, s3_access_key)
        credentials:
          anyOf:
            - additionalProperties: true
              type: object
            - type: 'null'
          title: Credentials
          description: Provider-specific credentials (NEVER returned in responses)
        vault_connection_id:
          anyOf:
            - type: string
              format: uuid
            - type: 'null'
          title: Vault Connection Id
          description: ID of the vault connection to use for resolving credentials
        field_mappings:
          anyOf:
            - items:
                $ref: '#/components/schemas/FieldMapping'
              type: array
            - type: 'null'
          title: Field Mappings
          description: Mappings from credential field names to external vault references
      type: object
      required:
        - name
        - secret_type
        - auth_method
      title: SecretCreate
      description: |-
        Schema for creating a new secret.

        Secrets can be created in two ways:

        **Option 1: Direct credentials (stored in AWS SSM Parameter Store)**
        Provide `credentials` dict with provider-specific fields.

        **Option 2: External vault reference (1Password, Doppler, Infisical)**
        Provide `vault_connection_id` and `field_mappings` to reference secrets
        stored in your external vault.

        Provider-specific credential fields (for Option 1):

        AWS S3:
            {
                "access_key_id": "string",
                "secret_access_key": "string"
            }

        Azure Blob Storage (Option 1 - Account Name/Key):
            {
                "account_name": "string",
                "account_key": "string"
            }

        Azure Blob Storage (Option 2 - SAS URL - Recommended):
            {
                "sas_url": "https://account.blob.core.windows.net/container?sp=racwdl&st=2024-01-01&se=2025-01-01&..."
            }

        Google Cloud Storage:
            {
                "service_account_json": "string"  # JSON key file as string
            }

        Cloudflare R2:
            {
                "access_key_id": "string",
                "secret_access_key": "string"
            }

        Backblaze B2:
            {
                "application_key_id": "string",
                "application_key": "string"
            }

        Wasabi (requires endpoint_url in location config):
            {
                "access_key_id": "string",
                "secret_access_key": "string"
            }

        Railway (S3-compatible):
            {
                "access_key_id": "string",
                "secret_access_key": "string"
            }

        Oracle Object Storage (S3-compatible):
            {
                "access_key_id": "string",
                "secret_access_key": "string"
            }
    SecretResponse:
      properties:
        id:
          type: string
          format: uuid
          title: Id
        name:
          type: string
          title: Name
        description:
          anyOf:
            - type: string
            - type: 'null'
          title: Description
        secret_type:
          $ref: '#/components/schemas/LocationType'
        auth_method:
          $ref: '#/components/schemas/AuthMethod'
        created_at:
          type: string
          format: date-time
          title: Created At
        created_by:
          type: string
          format: uuid
          title: Created By
      type: object
      required:
        - id
        - name
        - description
        - secret_type
        - auth_method
        - created_at
        - created_by
      title: SecretResponse
      description: |-
        Schema for secret metadata response (without credentials).

        Credentials are NEVER returned in any API response.
    HTTPValidationError:
      properties:
        detail:
          items:
            $ref: '#/components/schemas/ValidationError'
          type: array
          title: Detail
      type: object
      title: HTTPValidationError
    LocationType:
      type: string
      enum:
        - s3
        - azure_blob
        - gcs
        - r2
        - b2
        - wasabi
        - railway
        - oracle_object_storage_s3
        - s3_compatible
        - tigris
        - digitalocean_spaces
        - hetzner
        - rabata
      title: LocationType
      description: Cloud storage provider types.
    AuthMethod:
      type: string
      enum:
        - s3_access_key
        - r2_access_key
        - wasabi_access_key
        - railway_access_key
        - oracle_object_storage_s3_access_key
        - s3_compatible_access_key
        - tigris_access_key
        - digitalocean_spaces_access_key
        - hetzner_access_key
        - rabata_access_key
        - azure_account_key
        - azure_sas_url
        - gcs_service_account
        - b2_application_key
      title: AuthMethod
      description: |-
        Authentication mechanism identifiers for cloud storage credentials.

        Each provider may support one or more authentication methods.
        Explicit names ensure clarity and make it easy to add new methods.
    FieldMapping:
      properties:
        field_name:
          type: string
          maxLength: 100
          minLength: 1
          title: Field Name
          description: Credential field name (e.g., access_key_id, secret_access_key)
        reference:
          type: string
          maxLength: 500
          minLength: 1
          title: Reference
          description: >-
            External vault reference (op:// URI for 1Password, secret name for
            Doppler/Infisical)
      type: object
      required:
        - field_name
        - reference
      title: FieldMapping
      description: |-
        Mapping from a credential field name to an external vault reference.

        For 1Password: references are op:// URIs (e.g., op://vault/item/field)
        For Doppler: references are secret names (e.g., AWS_ACCESS_KEY_ID)
        For Infisical: references are secret names (e.g., AWS_ACCESS_KEY_ID)
    ValidationError:
      properties:
        loc:
          items:
            anyOf:
              - type: string
              - type: integer
          type: array
          title: Location
        msg:
          type: string
          title: Message
        type:
          type: string
          title: Error Type
        input:
          title: Input
        ctx:
          type: object
          title: Context
      type: object
      required:
        - loc
        - msg
        - type
      title: ValidationError
  securitySchemes:
    HTTPBearer:
      type: http
      scheme: bearer

````