AeontelAeontel Docs

Secrets

REST endpoints for secrets. Bearer-auth required.

GET /api/secrets

List secrets with pagination. Values are never returned.

Query parameters

  • limit (optional): Page size (1–100, default 100).
  • after (optional): Keyset cursor — return the page after this row (next page).
  • before (optional): Keyset cursor — return the page before this row (prev page).
  • ids (optional): Comma-separated list of IDs. Narrows results to these IDs within the caller's accessible scope (does not bypass access checks).
  • filter (optional): Nested filter expression (<Entity>Filter): AND/OR/NOT + per-field comparison operators + relation traversal. JSON-encoded on the query string.
  • orderBy (optional): Multi-key sort (<Entity>OrderBy[]): array of { field: direction } applied in order. Directions: asc/desc plus the four explicit nulls variants. JSON-encoded on the query string.
  • workspace_id (optional): Filter secrets to this workspace.
  • include_deleted (optional): Soft-deleted secret visibility. false (default) — active rows only. true — active plus soft-deleted. only — soft-deleted only.
  • name (optional): Case-insensitive substring match on name.
  • created_by (optional): Shorthand: filter where createdBy equals this value.

Response

JSON
{
  "data": [
    {
      "id": "<...>",
      "workspaceId": "<...>",
      "name": "<...>",
      "hint": "<...>",
      "metadata": "<...>",
      "createdBy": "<...>",
      "createdAt": "<...>",
      "updatedAt": "<...>"
    }
  ],
  "pageInfo": {
    "total": "number",
    "hasNextPage": "boolean",
    "hasPreviousPage": "boolean",
    "startCursor": "string",
    "endCursor": "string"
  }
}

POST /api/secrets

Create a secret

Request body

JSON
{
  "workspaceId": "string",
  "name": "string",
  "value": "string",
  "metadata?": {}
}

Response

JSON
{
  "id": "string",
  "workspaceId": "string",
  "name": "string",
  "hint": "string",
  "metadata": {},
  "createdBy": "string",
  "createdAt": "string",
  "updatedAt": "string"
}

GET /api/secrets/{id}

Get a single secret by ID (metadata only — never the value).

Path parameters

  • id (required): Secret to retrieve.

Response

JSON
{
  "id": "string",
  "workspaceId": "string",
  "name": "string",
  "hint": "string",
  "metadata": {},
  "createdBy": "string",
  "createdAt": "string",
  "updatedAt": "string"
}

PATCH /api/secrets/{id}

Update a secret

Path parameters

  • id (required): The secret's prefixed ID.

Request body

JSON
{
  "name?": "string",
  "value?": "string",
  "metadata?": {}
}

Response

JSON
{
  "id": "string",
  "workspaceId": "string",
  "name": "string",
  "hint": "string",
  "metadata": {},
  "createdBy": "string",
  "createdAt": "string",
  "updatedAt": "string"
}

DELETE /api/secrets/{id}

Soft-delete a secret.

Path parameters

  • id (required): Secret to soft-delete.

Response

JSON
{
  "success": "boolean"
}

DELETE /api/secrets/{id}/purge

Permanently delete a soft-deleted secret (erasure — removes the ciphertext).

Path parameters

  • id (required): Soft-deleted secret to permanently delete.

Response

JSON
{
  "success": "boolean"
}

POST /api/secrets/{id}/restore

Restore a soft-deleted secret.

Path parameters

  • id (required): Soft-deleted secret to restore.

Response

JSON
{
  "id": "string",
  "workspaceId": "string",
  "name": "string",
  "hint": "string",
  "metadata": {},
  "createdBy": "string",
  "createdAt": "string",
  "updatedAt": "string"
}