Overview
The vault sub-client stores upstream service credentials encrypted by the Grantex auth service. List and get operations return metadata only; they never return stored raw tokens.
Set VAULT_ENCRYPTION_KEY to a stable production secret before storing credentials. Rotating or losing that key without a migration makes stored ciphertext unusable.
Store or Update a Credential
Credentials are upserted by principal and service.
principalId, service, and accessToken are required. credentialType defaults on the server when omitted.
Both filters are optional. Returned VaultCredential records include identifiers, type, expiry, metadata, and timestamps—not access or refresh tokens.
Get or Delete
Exchange with a Grant Token
exchange() is intentionally authorized with a grant token rather than the developer API key. The grant must belong to the principal and include the service scope required by the server.
The response includes the decrypted access token, service, credential type, expiry, and metadata. Keep it in memory only for the upstream request and never send it to a browser or log it.
API Reference