Vault API
DRAFT — Internal Developer Use Only
This API reference is for internal development teams.
Overview
What it is: The vault API manages credential safe integrations. Discovery connects to external vaults (CyberArk, BeyondTrust, etc.) to securely store and retrieve privileged credentials.
Endpoints
| Method | Path | Description | Auth required |
|---|---|---|---|
| GET | /internal/v1/vault/credential/handlers | List credential safe handlers | JWT + API token |
| GET | /internal/v1/vault/credential/safe/:safeid/capabilities | List safe capabilities | JWT + API token |
| POST | /internal/v1/vault/credential/safe/:safeid/capabilities | Validate a safe capability | JWT + API token |
| POST | /internal/v1/vault/credential/safe/:safeid/accounts | Add an account to a vault safe | JWT + API token |
GET /internal/v1/vault/credential/handlers
List all registered credential safe handlers. Handlers represent the available vault integrations.
Request:
```http
GET /internal/v1/vault/credential/handlers
Authorization: Bearer <token>
```
Response (200):
```json
{
  "handlers": [
    {
      "id": "cyberark",
      "name": "CyberArk Privileged Access",
      "type": "pam",
      "capabilities": ["store", "retrieve", "rotate"]
    },
    {
      "id": "beyondtrust",
      "name": "BeyondTrust Password Safe",
      "type": "pam",
      "capabilities": ["store", "retrieve"]
    }
  ]
}
```
POST /internal/v1/vault/credential/safe/:safeid/accounts
Add a discovered account to a vault safe for credential onboarding.
Path parameters:
| Parameter | Type | Description |
|---|---|---|
| safeid | string | Vault safe identifier |
Request:
```http
POST /internal/v1/vault/credential/safe/safe-001/accounts
Authorization: Bearer <token>
Content-Type: application/json

{
  "accountId": "acc-uuid-001",
  "accountName": "svc-database-admin",
  "platform": "SQL Server",
  "address": "db-prod-01.example.com"
}
```
Response (201):
```json
{
  "status": "onboarded",
  "vaultAccountId": "vault-acc-uuid"
}
```
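An added client-side sketch (not code from this API's own code base) that picks handlers by capability from the handlers response and builds the add-account request without sending it, validating `safeid` before it is placed in the URL path. Assumptions: `BASE_URL` is a placeholder host, the `safeid` character set is a conservative guess, and the four fields of the sample body are treated as required. This page does not show how the API token is supplied, so only the `Authorization: Bearer` header from the request above is set.

```python
import json
import re
from urllib.parse import quote
from urllib.request import Request

BASE_URL = "https://discovery.internal.example"  # assumption: placeholder host
ACCOUNT_FIELDS = ("accountId", "accountName", "platform", "address")
SAFE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumption: conservative charset

# Constructed sample, abbreviated from the handlers response documented above.
SAMPLE_HANDLERS = {
    "handlers": [
        {"id": "cyberark", "type": "pam", "capabilities": ["store", "retrieve", "rotate"]},
        {"id": "beyondtrust", "type": "pam", "capabilities": ["store", "retrieve"]},
    ]
}


def handlers_with(capability, handlers_doc):
    """Return the ids of handlers that advertise `capability`."""
    return [h["id"] for h in handlers_doc.get("handlers", [])
            if capability in h.get("capabilities", [])]


def build_add_account_request(safe_id, account, token):
    """Build (without sending) the POST that adds an account to a safe."""
    # safe_id is interpolated into the URL path: reject separators and dots
    # so a caller-supplied value cannot address a different endpoint.
    if not SAFE_ID_RE.fullmatch(safe_id):
        raise ValueError("invalid safe id")
    missing = [f for f in ACCOUNT_FIELDS if not account.get(f)]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    # Send only the documented fields; drop anything else the caller passed.
    body = {f: account[f] for f in ACCOUNT_FIELDS}
    url = f"{BASE_URL}/internal/v1/vault/credential/safe/{quote(safe_id, safe='')}/accounts"
    return Request(url, data=json.dumps(body).encode("utf-8"), method="POST",
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/json"})


if __name__ == "__main__":
    print(handlers_with("rotate", SAMPLE_HANDLERS))
    sample = {"accountId": "acc-uuid-001", "accountName": "svc-database-admin",
              "platform": "SQL Server", "address": "db-prod-01.example.com"}
    req = build_add_account_request("safe-001", sample, "<token>")
    print(req.get_method(), req.full_url)
```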