PATCH /v1/teams/{team_id}/secrets/{secret_id}
Update Secret
curl --request PATCH \
  --url https://api.dataraven.io/v1/teams/{team_id}/secrets/{secret_id} \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "<string>",
  "description": "<string>",
  "secret_type": "s3",
  "auth_method": "s3_access_key",
  "credentials": {},
  "field_mappings": [
    {
      "field_name": "<string>",
      "reference": "<string>"
    }
  ]
}
'

{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "name": "<string>",
  "description": "<string>",
  "secret_type": "s3",
  "auth_method": "s3_access_key",
  "created_at": "2023-11-07T05:31:56Z",
  "created_by": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

secret_id · string<uuid> · required
team_id · string<uuid> · required

Body

application/json

Schema for updating secret properties and/or rotating credentials.

All fields are optional - only include fields you want to update.

Updatable fields:

  • name: Rename the secret
  • description: Update description
  • secret_type: Change provider type (validates linked locations match)
  • auth_method: Change auth mechanism (validates it's valid for secret_type)
  • credentials: Rotate credentials (AWS SSM Parameter Store secrets only)
  • field_mappings: Update vault references (external vault secrets only)

Validation rules:

  • If changing secret_type, all linked locations must have matching location_type
  • If changing auth_method, must be valid for the (new or existing) secret_type
  • If providing credentials, they are validated against the (new or existing) auth_method
  • External vault secrets cannot have credentials updated (manage in your vault)
  • AWS SSM Parameter Store secrets cannot have field_mappings updated (use credentials)
  • Cannot provide both credentials and field_mappings in the same update
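
The validation rules above can be checked client-side before a rotation request is sent, so a body that breaks them is caught before any credential material leaves the caller. This is an added example, not DataRaven's code: the function name `check_update` and the `backend` labels (`ssm`, `external_vault`) are assumptions, and only the limits, enum values and credentials/field_mappings rules documented on this page are enforced.

```python
# Added example: pre-flight check of an Update Secret body against the
# rules documented on this page. Not part of the DataRaven API or SDK.
SECRET_TYPES = {
    "s3", "azure_blob", "gcs", "r2", "b2", "wasabi", "railway",
    "oracle_object_storage_s3", "s3_compatible", "tigris",
    "digitalocean_spaces", "hetzner", "rabata",
}
AUTH_METHODS = {
    "s3_access_key", "r2_access_key", "wasabi_access_key", "railway_access_key",
    "oracle_object_storage_s3_access_key", "s3_compatible_access_key",
    "tigris_access_key", "digitalocean_spaces_access_key", "hetzner_access_key",
    "rabata_access_key", "azure_account_key", "azure_sas_url",
    "gcs_service_account", "b2_application_key",
}


def check_update(body, backend):
    """Return the documented rules a PATCH body would break (empty list = OK).

    backend is a hypothetical label supplied by the caller: "ssm" for an
    AWS SSM Parameter Store secret, "external_vault" for a vault-backed one.
    """
    errors = []
    name, desc = body.get("name"), body.get("description")
    if name is not None and not 1 <= len(name) <= 255:
        errors.append("name must be 1-255 characters")
    if desc is not None and len(desc) > 2000:
        errors.append("description exceeds 2000 characters")
    # Omitted or null fields are left unchanged, so None is always accepted.
    if body.get("secret_type") not in SECRET_TYPES | {None}:
        errors.append("secret_type is not a listed option")
    if body.get("auth_method") not in AUTH_METHODS | {None}:
        errors.append("auth_method is not a listed option")
    has_creds = body.get("credentials") is not None
    has_maps = body.get("field_mappings") is not None
    if has_creds and has_maps:
        errors.append("credentials and field_mappings are mutually exclusive")
    if has_creds and backend == "external_vault":
        errors.append("external vault secrets: rotate credentials in the vault")
    if has_maps and backend == "ssm":
        errors.append("SSM secrets: use credentials, not field_mappings")
    return errors
```

The check does not cover the server-side rules that need stored state, such as whether linked locations match a new `secret_type`.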

name · string | null
Required string length: 1 - 255

description · string | null
Maximum string length: 2000

secret_type · enum<string> | null

Change provider type

Available options: s3, azure_blob, gcs, r2, b2, wasabi, railway, oracle_object_storage_s3, s3_compatible, tigris, digitalocean_spaces, hetzner, rabata

auth_method · enum<string> | null

Change auth mechanism

Available options: s3_access_key, r2_access_key, wasabi_access_key, railway_access_key, oracle_object_storage_s3_access_key, s3_compatible_access_key, tigris_access_key, digitalocean_spaces_access_key, hetzner_access_key, rabata_access_key, azure_account_key, azure_sas_url, gcs_service_account, b2_application_key

credentials · Credentials · object

New credentials (AWS SSM Parameter Store only)

field_mappings · FieldMapping · object[] | null

Updated field mappings (external vault only)

Response

Successful Response

Schema for secret metadata response (without credentials).

Credentials are NEVER returned in any API response.

id · string<uuid> · required

name · string · required

description · string | null · required

secret_type · enum<string> · required

Cloud storage provider types.

Available options: s3, azure_blob, gcs, r2, b2, wasabi, railway, oracle_object_storage_s3, s3_compatible, tigris, digitalocean_spaces, hetzner, rabata

auth_method · enum<string> · required

Authentication mechanism identifiers for cloud storage credentials.

Each provider may support one or more authentication methods. Explicit names ensure clarity and make it easy to add new methods.

Available options: s3_access_key, r2_access_key, wasabi_access_key, railway_access_key, oracle_object_storage_s3_access_key, s3_compatible_access_key, tigris_access_key, digitalocean_spaces_access_key, hetzner_access_key, rabata_access_key, azure_account_key, azure_sas_url, gcs_service_account, b2_application_key

created_at · string<date-time> · required

created_by · string<uuid> · required