moxxy

Vault API

Manage encrypted secrets programmatically.

List Secrets

bash
GET /api/agents/:name/vault

Response

json
{
  "secrets": [
    {
      "key": "OPENAI_API_KEY",
      "created_at": "2024-01-15T10:00:00Z",
      "updated_at": "2024-01-15T10:00:00Z"
    },
    {
      "key": "TELEGRAM_TOKEN",
      "created_at": "2024-01-15T11:00:00Z",
      "updated_at": "2024-01-15T11:00:00Z"
    }
  ]
}

::: note Secret values are never returned in list endpoints. :::

Get Secret

bash
GET /api/agents/:name/vault/:key

Response

json
{
  "key": "OPENAI_API_KEY",
  "value": "sk-xxxxxxxxxxxx",
  "created_at": "2024-01-15T10:00:00Z",
  "updated_at": "2024-01-15T10:00:00Z"
}

Store Secret

bash
POST /api/agents/:name/vault

Request

json
{
  "key": "DATABASE_PASSWORD",
  "value": "supersecret123"
}

Response

json
{
  "success": true,
  "key": "DATABASE_PASSWORD",
  "created_at": "2024-01-15T12:00:00Z"
}

Update Secret

bash
PUT /api/agents/:name/vault/:key

Request

json
{
  "value": "newsecret456"
}

Response

json
{
  "success": true,
  "key": "DATABASE_PASSWORD",
  "updated_at": "2024-01-15T12:30:00Z"
}

Delete Secret

bash
DELETE /api/agents/:name/vault/:key

Response

json
{
  "success": true,
  "message": "Secret 'OLD_KEY' deleted"
}

Check Secret Exists

bash
HEAD /api/agents/:name/vault/:key

Response

  • 200 OK - Secret exists
  • 404 Not Found - Secret does not exist

Batch Operations

Store Multiple Secrets

bash
POST /api/agents/:name/vault/batch

Request

json
{
  "secrets": {
    "API_KEY_1": "value1",
    "API_KEY_2": "value2",
    "API_KEY_3": "value3"
  }
}

Response

json
{
  "success": true,
  "created": 3,
  "keys": ["API_KEY_1", "API_KEY_2", "API_KEY_3"]
}

Delete Multiple Secrets

bash
DELETE /api/agents/:name/vault/batch

Request

json
{
  "keys": ["OLD_KEY_1", "OLD_KEY_2"]
}

Export/Import

Export Secrets (Metadata Only)

bash
GET /api/agents/:name/vault/export

Response

json
{
  "agent": "default",
  "exported_at": "2024-01-15T12:00:00Z",
  "secrets": [
    {"key": "OPENAI_API_KEY"},
    {"key": "TELEGRAM_TOKEN"}
  ]
}

::: note Full secret values are never exported via API for security. :::

Predefined Secret Keys

These secrets have special meaning:

KeyPurpose
openai_api_keyOpenAI API key
google_api_keyGoogle API key
xai_api_keyZ.Ai (Grok) API key
llm_modelDefault LLM model
llm_providerActive LLM provider
llm_temperatureTemperature setting
telegram_tokenTelegram bot token
discord_tokenDiscord bot token
slack_bot_tokenSlack bot token
slack_app_tokenSlack app token
gateway_hostAPI bind address
gateway_portAPI port
web_ui_portWeb dashboard port
whisper_modelWhisper model for voice
embedding_modelEmbedding model for LTM
stm_window_sizeSTM context window
webhook_secretWebhook authentication

Security Notes

  1. Transport - Always use HTTPS in production
  2. Access - Vault requires agent-level access
  3. Audit - All vault operations are logged
  4. Encryption - Secrets are encrypted at rest
  5. Memory - Values cleared from memory after use

Error Responses

Secret Not Found

json
{
  "success": false,
  "error": {
    "code": "SECRET_NOT_FOUND",
    "message": "Secret 'UNKNOWN_KEY' not found"
  }
}

Invalid Key Name

json
{
  "success": false,
  "error": {
    "code": "INVALID_KEY",
    "message": "Key must be alphanumeric with underscores"
  }
}

Open source · Self-hosted · Data sovereign

© 2026 Moxxy. Built with Rust.