Skip to main content

Overview

The vault sub-client stores upstream service credentials encrypted by the Grantex auth service. List and get operations return metadata only; they never return stored raw tokens.
Set VAULT_ENCRYPTION_KEY to a stable production secret before storing credentials. Rotating or losing that key without a migration makes stored ciphertext unusable.

Store or Update a Credential

Credentials are upserted by principal and service.
principalId, service, and accessToken are required. credentialType defaults on the server when omitted.

List Credential Metadata

Both filters are optional. Returned VaultCredential records include identifiers, type, expiry, metadata, and timestamps—not access or refresh tokens.

Get or Delete

Exchange with a Grant Token

exchange() is intentionally authorized with a grant token rather than the developer API key. The grant must belong to the principal and include the service scope required by the server.
The response includes the decrypted access token, service, credential type, expiry, and metadata. Keep it in memory only for the upstream request and never send it to a browser or log it.

API Reference

Last modified on July 11, 2026