Create Vault Connection
Create a new external vault connection.
Required Role: ADMIN or OWNER
Tier Limits:
- Free Tier: Maximum 1 vault connection
- Pro Tier: Maximum 10 vault connections
Connects your team to an external vault provider (1Password, Doppler, or Infisical). Credentials are stored encrypted and never returned in API responses.
1Password:
- Requires a service account token (starts with “ops_”)
- No additional configuration needed
Doppler:
- Requires a service token (starts with “dp.st.”)
- Requires project and config
Infisical (Universal Auth / Machine Identity):
- Create a Machine Identity in Project Settings -> Access Control -> Machine Identities
- client_id: UUID from Machine Identity
- client_secret: Secret string from Machine Identity
- project_id: Project ID (UUID) from Project Settings -> General
- environment: Environment slug (e.g., “dev”, “staging”, “prod”, “sandbox”)
- Optional: secret_path (defaults to ”/”)
Example for 1Password:
{
"name": "1Password Production",
"vault_type": "onepassword",
"access_token": "ops_xxx..."
}
Example for Doppler:
{
"name": "Doppler Production",
"vault_type": "doppler",
"access_token": "dp.st.xxx...",
"project": "my-project",
"config": "production"
}
Example for Infisical:
{
"name": "Infisical Production",
"vault_type": "infisical",
"client_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"client_secret": "st.abc123xyz...",
"project_id": "f1e2d3c4-b5a6-7890-abcd-ef1234567890",
"environment": "prod",
"secret_path": "/aws"
}
Documentation Index
Fetch the complete documentation index at: https://docs.dataraven.io/llms.txt
Use this file to discover all available pages before exploring further.
Authorizations
Bearer authentication header of the form Bearer <token>, where <token> is your auth token.
Path Parameters
Body
Schema for creating a new vault connection.
Credentials are stored encrypted in AWS SSM Parameter Store - they are NEVER returned in API responses.
Provider-specific configuration:
1Password:
- access_token: Service account token (starts with "ops_")
- No additional configuration needed
Doppler:
- access_token: Service token (starts with "dp.st.")
- project: Doppler project slug (required)
- config: Doppler config name (required)
Infisical (Universal Auth / Machine Identity):
- client_id: UUID from Machine Identity
- client_secret: Secret string from Machine Identity
- project_id: Infisical project ID - UUID (required)
- environment: Environment slug e.g., "dev", "staging", "prod", "sandbox" (required)
- secret_path: Path to secrets folder, e.g., "/" or "/aws" (optional, defaults to "/")
Connection name
1 - 255Vault provider type (onepassword, doppler, or infisical)
onepassword, doppler, infisical Optional description
2000Vault access token (required for 1Password and Doppler)
1 - 4096Infisical client ID from Machine Identity (required for Infisical)
255Infisical client secret from Machine Identity (required for Infisical)
1000Doppler project slug (required for Doppler)
255Doppler config name (required for Doppler)
255Infisical project ID (required for Infisical)
255Infisical environment slug (required for Infisical)
100Infisical secret path (optional, defaults to '/')
500Response
Successful Response
Schema for vault connection response (without sensitive data).
External vault provider types for credential storage.
ONEPASSWORD: 1Password via service account SDK DOPPLER: Doppler secrets manager via service token INFISICAL: Infisical via machine identity (Universal Auth)
onepassword, doppler, infisical