Reference

API Reference

The EnvVault REST API powers the dashboard, CLI, and SDKs. Base URL: https://api.envvault.com. All endpoints return JSON. Use the CLI's ENVVAULT_API_URL override for self-hosted deployments.

Authentication

Send the API key as a Bearer token:

Authorization: Bearer evk_xxxxxxxxxxxxxxxxx

Create keys at /dashboard/api-keys. The CLI prefix /api/v1/cli serves the CLI/SDK surface. Browser clients use /api/v1 with an authenticated session cookie.

Rate Limits

Default limits per IP:

/api/v1/secrets and /api/v1/cli/secrets — 100 requests / 15 minutes
All other endpoints — 1000 requests / 15 minutes

Exceeded limits return 429 Too Many Requests with a Retry-After header.

CLI & SDK Endpoints (`/api/v1/cli`)

Method	Path	Description
GET	/cli/verify	Validate the bearer token; returns org and user info.
GET	/cli/projects	List projects accessible to the key.
GET	/cli/projects/:id/environments/:env	List variables in a project + environment.
POST	/cli/env	Set / update a project variable.
GET	/cli/secrets	List org secrets metadata (paginated).
GET	/cli/secrets/:key	Read a single org secret value.
POST	/cli/secrets	Create / update an org secret. Auto-versions.
POST	/cli/secrets/batch	Batch read up to 100 secret keys.
DELETE	/cli/secrets/:key	Delete an org secret.

Browser Endpoints (`/api/v1`)

These endpoints back the dashboard. They accept session cookies, not bearer tokens.

Auth

Method	Path	Description
POST	/auth/register	Create a new user + organization.
POST	/auth/login	Sign in. Returns 2FA challenge if enabled.
POST	/auth/login/verify-2fa	Submit TOTP code to complete login.

Projects

Method	Path	Description
GET	/projects	List projects in the active organization.
POST	/projects	Create a project.
PUT	/projects/:id	Rename / update a project.
DELETE	/projects/:id	Delete a project (and its variables).
GET	/projects/:id/environments	List environments under a project.
POST	/projects/:id/environments	Create a custom environment.
DELETE	/projects/:id/environments/:envId	Delete a custom environment.

Secrets

Method	Path	Description
GET	/secrets	List org secrets.
POST	/secrets	Create / update an org secret.
GET	/secrets/:key	Read a secret value.
POST	/secrets/batch	Batch read.
DELETE	/secrets/:key	Delete an org secret.

Team

Method	Path	Description
GET	/teams/members	List org members.
POST	/teams/invitations	Send invitation by email.
PUT	/teams/member/:id/access	Change a member's role.
DELETE	/teams/member/:id	Remove a member.
DELETE	/teams/member/revoke-invitation/:invId	Revoke a pending invite.

API Keys

Method	Path	Description
GET	/tokens/list-tokens	List API keys.
POST	/tokens	Create an API key.
POST	/tokens/edit-token	Update key scope or expiry.
DELETE	/tokens/revoke-token	Revoke an API key.

Audit Logs

Method	Path	Description
POST	/audit-logs	List logs with filters in the body.
GET	/audit-logs/categories	List event categories.

Error Shape

All errors share the same envelope:

{
  "error": {
    "code": "NOT_FOUND",
    "message": "Secret 'STRIPE_SECRET_KEY' not found in environment 'production'",
    "requestId": "req_3hSXh..."
  }
}

Common HTTP statuses: 400 (validation), 401 (auth), 403 (role), 404 (not found), 409 (conflict), 429 (rate limit), 500 (server).

Limits

Secret key length	256 chars
Secret value size	1 MB
Description length	512 chars
Tags per secret	20
Batch get size	100 keys

Admin-only endpoints (organization management, support tickets, internal analytics) are intentionally undocumented here — they are not part of the public contract. If you need access, contact support@envvault.com.