> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dataraven.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Create Vault Connection

> Create a new external vault connection.

**Required Role:** ADMIN or OWNER

**Tier Limits:**
- Free Tier: Maximum 1 vault connection
- Pro Tier: Maximum 10 vault connections

Connects your team to an external vault provider (1Password, Doppler, or Infisical).
Credentials are stored encrypted and never returned in API responses.

**1Password:**
- Requires a service account token (starts with "ops_")
- No additional configuration needed

**Doppler:**
- Requires a service token (starts with "dp.st.")
- Requires project and config

**Infisical (Universal Auth / Machine Identity):**
- Create a Machine Identity in Project Settings -> Access Control -> Machine Identities
- client_id: UUID from Machine Identity
- client_secret: Secret string from Machine Identity
- project_id: Project ID (UUID) from Project Settings -> General
- environment: Environment slug (e.g., "dev", "staging", "prod", "sandbox")
- Optional: secret_path (defaults to "/")

Example for 1Password:
```json
{
    "name": "1Password Production",
    "vault_type": "onepassword",
    "access_token": "ops_xxx..."
}
```

Example for Doppler:
```json
{
    "name": "Doppler Production",
    "vault_type": "doppler",
    "access_token": "dp.st.xxx...",
    "project": "my-project",
    "config": "production"
}
```

Example for Infisical:
```json
{
    "name": "Infisical Production",
    "vault_type": "infisical",
    "client_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "client_secret": "st.abc123xyz...",
    "project_id": "f1e2d3c4-b5a6-7890-abcd-ef1234567890",
    "environment": "prod",
    "secret_path": "/aws"
}
```



## OpenAPI

````yaml POST /v1/teams/{team_id}/vault-connections
openapi: 3.1.0
info:
  title: Data Raven API
  description: Cloud-to-cloud data transfer platform powered by RClone
  version: 0.5.0
servers: []
security: []
paths:
  /v1/teams/{team_id}/vault-connections:
    post:
      tags:
        - Vault Connections
      summary: Create Vault Connection
      description: >-
        Create a new external vault connection.


        **Required Role:** ADMIN or OWNER


        **Tier Limits:**

        - Free Tier: Maximum 1 vault connection

        - Pro Tier: Maximum 10 vault connections


        Connects your team to an external vault provider (1Password, Doppler, or
        Infisical).

        Credentials are stored encrypted and never returned in API responses.


        **1Password:**

        - Requires a service account token (starts with "ops_")

        - No additional configuration needed


        **Doppler:**

        - Requires a service token (starts with "dp.st.")

        - Requires project and config


        **Infisical (Universal Auth / Machine Identity):**

        - Create a Machine Identity in Project Settings -> Access Control ->
        Machine Identities

        - client_id: UUID from Machine Identity

        - client_secret: Secret string from Machine Identity

        - project_id: Project ID (UUID) from Project Settings -> General

        - environment: Environment slug (e.g., "dev", "staging", "prod",
        "sandbox")

        - Optional: secret_path (defaults to "/")


        Example for 1Password:

        ```json

        {
            "name": "1Password Production",
            "vault_type": "onepassword",
            "access_token": "ops_xxx..."
        }

        ```


        Example for Doppler:

        ```json

        {
            "name": "Doppler Production",
            "vault_type": "doppler",
            "access_token": "dp.st.xxx...",
            "project": "my-project",
            "config": "production"
        }

        ```


        Example for Infisical:

        ```json

        {
            "name": "Infisical Production",
            "vault_type": "infisical",
            "client_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
            "client_secret": "st.abc123xyz...",
            "project_id": "f1e2d3c4-b5a6-7890-abcd-ef1234567890",
            "environment": "prod",
            "secret_path": "/aws"
        }

        ```
      operationId: create_vault_connection_v1_teams__team_id__vault_connections_post
      parameters:
        - name: team_id
          in: path
          required: true
          schema:
            type: string
            format: uuid
            title: Team Id
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/VaultConnectionCreate'
      responses:
        '201':
          description: Successful Response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VaultConnectionResponse'
        '400':
          description: Invalid data or duplicate name
        '422':
          description: Validation Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HTTPValidationError'
        '500':
          description: Failed to create connection
      security:
        - HTTPBearer: []
components:
  schemas:
    VaultConnectionCreate:
      properties:
        name:
          type: string
          maxLength: 255
          minLength: 1
          title: Name
          description: Connection name
        description:
          anyOf:
            - type: string
              maxLength: 2000
            - type: 'null'
          title: Description
          description: Optional description
        vault_type:
          $ref: '#/components/schemas/VaultType'
          description: Vault provider type (onepassword, doppler, or infisical)
        access_token:
          anyOf:
            - type: string
              maxLength: 4096
              minLength: 1
            - type: 'null'
          title: Access Token
          description: Vault access token (required for 1Password and Doppler)
        client_id:
          anyOf:
            - type: string
              maxLength: 255
            - type: 'null'
          title: Client Id
          description: Infisical client ID from Machine Identity (required for Infisical)
        client_secret:
          anyOf:
            - type: string
              maxLength: 1000
            - type: 'null'
          title: Client Secret
          description: >-
            Infisical client secret from Machine Identity (required for
            Infisical)
        project:
          anyOf:
            - type: string
              maxLength: 255
            - type: 'null'
          title: Project
          description: Doppler project slug (required for Doppler)
        config:
          anyOf:
            - type: string
              maxLength: 255
            - type: 'null'
          title: Config
          description: Doppler config name (required for Doppler)
        project_id:
          anyOf:
            - type: string
              maxLength: 255
            - type: 'null'
          title: Project Id
          description: Infisical project ID (required for Infisical)
        environment:
          anyOf:
            - type: string
              maxLength: 100
            - type: 'null'
          title: Environment
          description: Infisical environment slug (required for Infisical)
        secret_path:
          anyOf:
            - type: string
              maxLength: 500
            - type: 'null'
          title: Secret Path
          description: Infisical secret path (optional, defaults to '/')
      type: object
      required:
        - name
        - vault_type
      title: VaultConnectionCreate
      description: >-
        Schema for creating a new vault connection.


        Credentials are stored encrypted in AWS SSM Parameter Store - they are
        NEVER

        returned in API responses.


        Provider-specific configuration:


        **1Password:**

        - access_token: Service account token (starts with "ops_")

        - No additional configuration needed


        **Doppler:**

        - access_token: Service token (starts with "dp.st.")

        - project: Doppler project slug (required)

        - config: Doppler config name (required)


        **Infisical (Universal Auth / Machine Identity):**

        - client_id: UUID from Machine Identity

        - client_secret: Secret string from Machine Identity

        - project_id: Infisical project ID - UUID (required)

        - environment: Environment slug e.g., "dev", "staging", "prod",
        "sandbox" (required)

        - secret_path: Path to secrets folder, e.g., "/" or "/aws" (optional,
        defaults to "/")
    VaultConnectionResponse:
      properties:
        id:
          type: string
          format: uuid
          title: Id
        name:
          type: string
          title: Name
        description:
          anyOf:
            - type: string
            - type: 'null'
          title: Description
        vault_type:
          $ref: '#/components/schemas/VaultType'
        last_verified_at:
          anyOf:
            - type: string
              format: date-time
            - type: 'null'
          title: Last Verified At
        created_at:
          type: string
          format: date-time
          title: Created At
        created_by:
          type: string
          format: uuid
          title: Created By
      type: object
      required:
        - id
        - name
        - description
        - vault_type
        - last_verified_at
        - created_at
        - created_by
      title: VaultConnectionResponse
      description: Schema for vault connection response (without sensitive data).
    HTTPValidationError:
      properties:
        detail:
          items:
            $ref: '#/components/schemas/ValidationError'
          type: array
          title: Detail
      type: object
      title: HTTPValidationError
    VaultType:
      type: string
      enum:
        - onepassword
        - doppler
        - infisical
      title: VaultType
      description: |-
        External vault provider types for credential storage.

        ONEPASSWORD: 1Password via service account SDK
        DOPPLER: Doppler secrets manager via service token
        INFISICAL: Infisical via machine identity (Universal Auth)
    ValidationError:
      properties:
        loc:
          items:
            anyOf:
              - type: string
              - type: integer
          type: array
          title: Location
        msg:
          type: string
          title: Message
        type:
          type: string
          title: Error Type
        input:
          title: Input
        ctx:
          type: object
          title: Context
      type: object
      required:
        - loc
        - msg
        - type
      title: ValidationError
  securitySchemes:
    HTTPBearer:
      type: http
      scheme: bearer

````