The Secrets tag group covers the endpoints you use to register
project-scoped secrets, rotate their values into new versions, and
read back metadata. Plaintext values are accepted only on create and
update, and are never returned by API reads. For exact request and
response shapes, see the
Redoc reference for secrets.
Typical flow
- POST /v1/projects/{project}/secrets — register a new secret and its first enabled version. The request body carries a values object whose values are strings; the response returns metadata only.
- GET /v1/projects/{project}/secrets/{secret} — fetch metadata by secret ID or project-scoped name. Values are never included.
- PATCH /v1/projects/{project}/secrets/{secret} — rotate by sending replacement values; this creates a new enabled SecretVersion. Omit values to update metadata only.
- GET /v1/projects/{project}/secrets/{secret}/versions — list version metadata to audit rotation history. Each version reports its lifecycle state (ENABLED, DISABLED, DESTROYED) and a SHA-256 of the canonical plaintext for change detection.
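One way to audit the version listing from the last step, as an added example that is not part of the API's own documentation or client code. It assumes each version record exposes version, state and sha256 fields (hypothetical names; the Redoc reference has the real schema), the sample records are constructed, and flagging an older version that is still ENABLED is a policy choice of this example.

```python
# Added example. Field names "version", "state" and "sha256" are assumptions,
# not taken from the API schema.
STATES = {"ENABLED", "DISABLED", "DESTROYED"}

# Constructed sample of a versions listing (not real API output).
SAMPLE_VERSIONS = [
    {"version": 1, "state": "DESTROYED", "sha256": "a" * 64},
    {"version": 2, "state": "DISABLED", "sha256": "b" * 64},
    {"version": 3, "state": "ENABLED", "sha256": "b" * 64},
    {"version": 4, "state": "ENABLED", "sha256": "a" * 64},
]


def audit_versions(versions):
    """Return (version, finding) tuples describing rotation-history issues."""
    findings = []
    ordered = sorted(versions, key=lambda v: v["version"])
    first_seen = {}  # digest -> first version number that carried it
    prev_digest = None
    for v in ordered:
        num, digest = v["version"], v.get("sha256")
        if v.get("state") not in STATES:
            findings.append((num, "unknown-state"))
        if digest:
            if digest == prev_digest:
                # Rotation produced a new version but the plaintext did not change.
                findings.append((num, "unchanged-value"))
            elif digest in first_seen:
                # An earlier value came back under a new version number.
                findings.append((num, "reused-value"))
            first_seen.setdefault(digest, num)
        prev_digest = digest
    enabled = [v["version"] for v in ordered if v.get("state") == "ENABLED"]
    if not enabled:
        findings.append((None, "no-enabled-version"))
    for num in enabled[:-1]:
        # Older version still usable after a newer one was enabled.
        findings.append((num, "stale-enabled"))
    return findings


if __name__ == "__main__":
    for version, finding in audit_versions(SAMPLE_VERSIONS):
        print(version, finding)
```

Only digests are compared, so the audit never needs the plaintext, which matches the API's rule that reads return metadata only.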
Authentication
All operations require an authenticated request. Unauthenticated
calls return 401 Unauthorized.
Common errors
| Code | HTTP | Cause | Fix |
|---|---|---|---|
| Bad Request | 400 | Request body fails schema validation, or values is empty. | Send a non-empty values object whose values are strings. |
| Unauthorized | 401 | Missing or invalid credentials. | Attach a valid API key for the project's org. |
| Not Found | 404 | Project, secret, or version is unknown or not visible. | Confirm the project handle, secret ID/name, and version. |
| Conflict | 409 | Secret name already exists in the project on create or update. | Choose a different name or update the existing secret. |
See also
- Secrets — the Redoc reference for every operation, parameter, and schema in this tag group.