API Reference
The vaultctl REST API is served at /api/v1. All requests and responses use JSON.
Base URL
https://your-vault-server.com/api/v1
Authentication
All endpoints except auth and health require a JWT access token in the Authorization header:
curl -H "Authorization: Bearer <access_token>" \
  https://vault.example.com/api/v1/vaults
Conventions
| Convention | Details |
|---|---|
| Content-Type | application/json |
| Timestamps | ISO 8601 UTC (2026-04-06T12:00:00Z) |
| Binary data | Base64 standard encoding (with = padding) |
| Encrypted blobs | Base64-encoded wire format: `version(1B) \|\| alg_id(1B) \|\| nonce \|\| ciphertext \|\| tag` |
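A client should validate an encrypted blob's framing before handing it to a decryption routine. The following parser is an added example, not vaultctl's own code: it applies the Base64 and field-order conventions from the table above, while the nonce length, tag length and accepted version/alg_id pairs are assumptions, because this page does not specify them.

```python
import base64
import binascii
from dataclasses import dataclass

# Assumptions (the page gives field order only, not sizes or id values):
NONCE_LEN = 12            # assumed nonce length in bytes
TAG_LEN = 16              # assumed authentication tag length in bytes
ALLOWED = {(1, 1)}        # assumed accepted (version, alg_id) pairs
HEADER_LEN = 2            # version(1B) + alg_id(1B), as documented


class BlobFormatError(ValueError):
    """Raised when a blob does not match the documented layout."""


@dataclass(frozen=True)
class EncryptedBlob:
    version: int
    alg_id: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def parse_blob(b64: str) -> EncryptedBlob:
    """Decode and split a blob, rejecting malformed input before any decryption."""
    try:
        # validate=True rejects URL-safe characters, whitespace and bad padding
        # instead of silently discarding them.
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise BlobFormatError(f"not standard padded Base64: {exc}") from exc
    if len(raw) < HEADER_LEN + NONCE_LEN + TAG_LEN:
        raise BlobFormatError("blob shorter than header + nonce + tag")
    version, alg_id = raw[0], raw[1]
    if (version, alg_id) not in ALLOWED:
        raise BlobFormatError(f"unsupported version/alg_id: {version}/{alg_id}")
    body = raw[HEADER_LEN:]
    return EncryptedBlob(version, alg_id, body[:NONCE_LEN],
                         body[NONCE_LEN:len(body) - TAG_LEN], body[-TAG_LEN:])


def build_sample(version: int = 1, alg_id: int = 1) -> str:
    """Constructed sample blob; the 'ciphertext' is filler, not real encryption."""
    raw = bytes([version, alg_id]) + bytes(range(12)) + b"filler-ct!" + b"\xaa" * 16
    return base64.b64encode(raw).decode("ascii")
```

Rejecting unknown version/alg_id pairs up front keeps a client from being steered into an algorithm it did not expect.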
Rate Limits
| Scope | Limit |
|---|---|
| Per IP | 60 req/min |
| Per email (auth) | 5 attempts / 15 min |
All Endpoints
Public
| Method | Path | Description |
|---|---|---|
| GET | /health | Health check |
| GET | /config | Server config |
| POST | /auth/register | Create account |
| GET | /auth/prelogin?email= | Get KDF params |
| POST | /auth/login | Log in |
| POST | /auth/refresh | Refresh tokens |
| POST | /auth/logout | Log out |
| POST | /invites/redeem | Redeem invite token |
Authenticated (JWT)
Authentication
| Method | Path | Description |
|---|---|---|
| POST | /auth/step-up | Re-verify password |
| POST | /auth/totp/setup | Generate TOTP (step-up) |
| POST | /auth/totp/enable | Enable 2FA |
| POST | /auth/totp/disable | Disable 2FA (step-up) |
| POST | /auth/totp/verify | Verify TOTP code |
| POST | /auth/password/change | Change password (step-up) |
Vaults
| Method | Path | Description |
|---|---|---|
| GET | /vaults | List vaults |
| POST | /vaults | Create vault |
| POST | /vaults/:id/members | Share vault (add member) |
| DELETE | /vaults/:id/members/:userId | Remove member |
| POST | /vaults/:id/rekey | Rekey vault after member removal |
Items
| Method | Path | Description |
|---|---|---|
| GET | /vaults/:id/items | List items |
| POST | /vaults/:id/items | Create item |
| GET | /vaults/:id/items/:id | Get item |
| PUT | /vaults/:id/items/:id | Update item |
| DELETE | /vaults/:id/items/:id | Trash item |
| GET | /vaults/:id/trash | List trash |
| POST | /vaults/:id/trash/:id/restore | Restore item |
| DELETE | /vaults/:id/trash/:id | Purge item (step-up) |
| DELETE | /vaults/:id/trash | Bulk purge expired trash (step-up) |
Folders
| Method | Path | Description |
|---|---|---|
| GET | /vaults/:id/folders | List folders |
| POST | /vaults/:id/folders | Create folder |
| PUT | /vaults/:id/folders/:id | Rename folder |
| DELETE | /vaults/:id/folders/:id | Delete folder |
Users
| Method | Path | Description |
|---|---|---|
| GET | /users/me | Get user profile |
| PUT | /users/me | Update user profile |
| GET | /users/me/sessions | List active sessions |
| DELETE | /users/me/sessions/:id | Revoke session |
Organizations
| Method | Path | Description |
|---|---|---|
| POST | /orgs | Create organization |
| GET | /orgs/:id/members | List org members |
| PUT | /orgs/:id/members/:userId | Update member role |
| GET | /orgs/:id/members/:userId/pubkey | Get member public key |
Invites
| Method | Path | Description |
|---|---|---|
| POST | /invites | Create invite |
| GET | /invites?orgId= | List invites |
| DELETE | /invites/:id | Revoke invite |
| POST | /invites/redeem | Redeem invite (public) |
API Keys
| Method | Path | Description |
|---|---|---|
| POST | /api-keys | Create API key |
| GET | /api-keys | List API keys |
| DELETE | /api-keys/:id | Delete API key |
Import/Export
| Method | Path | Description |
|---|---|---|
| GET | /export | Export vault data (step-up) |
Admin
| Method | Path | Description |
|---|---|---|
| POST | /admin/backup | Trigger backup (CLI only, returns 501) |