Secrets

The Secrets API provides operations to manage Secrets for Okta Privileged Access teams. Secrets are encrypted key-value pairs used to store sensitive information.

See Secrets.

Resolve Secret or Folder
Admin roles:
  • security_admin
  • delegated_security_admin

Resolves the ID or path for a secret or secret folder. Users must be authorized to perform this action by an existing security policy.

To resolve the ID, the request must include the named path. To resolve the path, the request must include the ID.

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your team

Request Body schema: application/json
id
string or null

The ID of the secret or secret folder. Don't use this parameter if the request also includes a parent_folder_path, secret_folder_name, and secret_name.

parent_folder_path
string or null

The path to the parent directory. Don't use this parameter if the request also includes an id.

required
object (SecretResolveParent)
id
string

The UUID of the parent

name
string

The name of the parent

required
object (SecretResolveParent)
id
string

The UUID of the parent

name
string

The name of the parent

secret_folder_name
string

The name of the secret folder. Don't use this parameter if the request also includes an id or secret_name.

secret_name
string

The name of the secret. Don't use this parameter if the request also includes an id or secret_folder_name.

Responses
200

OK

post/v1/teams/{team_name}/resolve_secret
Request samples
application/json
{
  • "id": "string",
  • "parent_folder_path": "string",
  • "project": {
    • "id": "string",
    • "name": "string"
    },
  • "resource_group": {
    • "id": "string",
    • "name": "string"
    },
  • "secret_folder_name": "string",
  • "secret_name": "string"
}
Response samples
application/json
{
  • "description": "string",
  • "id": "string",
  • "name": "string",
  • "path": [
    • {
      }
    ],
  • "project": {
    • "id": "string",
    • "missing": true,
    • "name": "string",
    • "type": "active_directory_connection"
    },
  • "resource_group": {
    • "id": "string",
    • "missing": true,
    • "name": "string",
    • "type": "active_directory_connection"
    },
  • "type": "folder"
}

List top-level secret folders for a project
Admin roles:
  • end_user

Lists all top-level secret folders for a project. Users must be authorized to perform this action by an existing security policy.

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your team

resource_group_id
required
string

The UUID of a resource group

project_id
required
string

The UUID of a project

Responses
200

OK

403

Forbidden

get/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
Create a secret folder
Admin roles: 
  • end_user
Creates a secret folder. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
Request Body schema: application/json
description
string or null
A description of the secret folder


 
name
required
string
The name of the secret folder


 
parent_folder_id
string
The UUID of secret folder's parent folder


 
Responses 
201
Created


403
Forbidden


post/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders
Request samples 
application/json
{
  • "description": "string",
  • "name": "string",
  • "parent_folder_id": "string"
}
Response samples 
application/json
{
  • "created_at": "2023-08-25T12:00:00.000000Z",
  • "created_by": "string",
  • "description": "string",
  • "id": "string",
  • "name": "string",
  • "path": [
    • {
      }
    ],
  • "updated_at": "2023-08-25T12:00:00.000000Z",
  • "updated_by": "string"
}
Retrieve a secret folder
Admin roles: 
  • end_user
Retrieves the specified secret folder. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
secret_folder_id
required
string
The UUID of a secret folder


 
Responses 
200
OK


403
Forbidden


get/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders/{secret_folder_id}
Request samples 
Response samples 
application/json
{
  • "created_at": "2023-08-25T12:00:00.000000Z",
  • "created_by": "string",
  • "description": "string",
  • "id": "string",
  • "name": "string",
  • "path": [
    • {
      }
    ],
  • "updated_at": "2023-08-25T12:00:00.000000Z",
  • "updated_by": "string"
}
Update a secret folder
Admin roles: 
  • end_user
Updates the specified secret folder. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
secret_folder_id
required
string
The UUID of a secret folder


 
Request Body schema: application/json
description
string or null
A description of the secret folder


 
name
required
string
The name of the secret folder


 
Responses 
200
OK


403
Forbidden


put/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders/{secret_folder_id}
Request samples 
application/json
{
  • "description": "string",
  • "name": "string"
}
Response samples 
application/json
{
  • "created_at": "2023-08-25T12:00:00.000000Z",
  • "created_by": "string",
  • "description": "string",
  • "id": "string",
  • "name": "string",
  • "path": [
    • {
      }
    ],
  • "updated_at": "2023-08-25T12:00:00.000000Z",
  • "updated_by": "string"
}
Delete a secret folder
Admin roles: 
  • end_user
Deletes the specified secret folder. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
secret_folder_id
required
string
The UUID of a secret folder


 
Responses 
204
No Content


403
Forbidden


delete/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders/{secret_folder_id}
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
List all items in a secret folder
Admin roles: 
  • end_user
Lists all items in a secret folder. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
secret_folder_id
required
string
The UUID of a secret folder


 
query Parameters
count
integer <int32> 
The number of objects per page


 
descending
boolean
The object order


 
offset
string
The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.


 
prev
boolean
The direction of paging


 
Responses 
200
OK


403
Forbidden


get/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders/{secret_folder_id}/items
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
Create a secret
Admin roles: 
  • end_user
Creates a secret. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
Request Body schema: application/json
description
string or null
The description of the secret


 
name
required
string
The name of the secret


 
parent_folder_id
required
string
The UUID of the secret's parent folder


 
secret_jwe
required
string
The encrypted secret is a fully serialized JWE. The secret is encrypted using a public key provided by the Retrieve the vault JWKS resource on the client side. Typically, the secret encryption is performed by the Okta Privileged Access (OPA) client or the Terraform provider.


 
Responses 
201
Created


403
Forbidden


post/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secrets
Request samples 
application/json
{
  • "description": "string",
  • "name": "string",
  • "parent_folder_id": "string",
  • "secret_jwe": "string"
}
Response samples 
application/json
{
  • "created_at": "2023-08-25T12:00:00.000000Z",
  • "created_by": "string",
  • "description": "string",
  • "id": "string",
  • "name": "string",
  • "path": [
    • {
      }
    ],
  • "updated_at": "2023-08-25T12:00:00.000000Z",
  • "updated_by": "string"
}
Retrieve a Secret
Admin roles: 
  • end_user
Retrieves the specified secret. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
secret_id
required
string
The UUID of a Secret


 
Responses 
200
OK


403
Forbidden


get/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secrets/{secret_id}
Request samples 
Response samples 
application/json
{
  • "created_at": "2023-08-25T12:00:00.000000Z",
  • "created_by": "string",
  • "description": "string",
  • "id": "string",
  • "name": "string",
  • "path": [
    • {
      }
    ],
  • "updated_at": "2023-08-25T12:00:00.000000Z",
  • "updated_by": "string"
}
Reveal a Secret
Admin roles: 
  • end_user
Reveals the specified secret. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
secret_id
required
string
The UUID of a Secret


 
Request Body schema: application/json
required
object (RawJSONWebKey) 
A JSON Web Key formatted in accordance with RFC 7517.


 
alg
string (alg) 
The algorithm of the key


 Value: "RSA-OAEP-256"  
crv
string (curve) 
The curve used by the key


 Enum: "P-256" "P-384" "P-521"  
d
string <byte> 
The exponent of the private key


 
dp
string <byte> 
The first factor CRT exponent of the private key


 
dq
string <byte> 
The second factor CRT exponent of the private key


 
e
string <byte> 
The exponent of the public key


 
k
string <byte> 
The key


 
kid
string <regex> ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...
The key ID


 
kty
string (kty) 
The key type


 Enum: "EC" "OKP" "RSA" "oct"  
n
string <byte> 
The modulus of the public key


 
p
string <byte> 
The first prime factor of the private key


 
q
string <byte> 
The second prime factor of the private key


 
qi
string <byte> 
The first CRT coefficient of the private key


 
use
string
The intended use of the key


 
x
string <byte> 
The x coordinate of the key


 
x5c
Array of strings
A list of X.509 certificates


 
x5t
string
The SHA-1 thumbprint of the X.509 certificate


 
x5t#S256
string
The SHA-256 thumbprint of the X.509 certificate


 
x5u
string
The URL of the X.509 certificates


 
y
string <byte> 
The y coordinate of the key


 
Responses 
200
OK


403
Forbidden


post/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secrets/{secret_id}
Request samples 
application/json
{
  • "public_key": {
    • "alg": "RSA-OAEP-256",
    • "crv": "P-256",
    • "d": "string",
    • "dp": "string",
    • "dq": "string",
    • "e": "string",
    • "k": "string",
    • "kid": "/regex/",
    • "kty": "EC",
    • "n": "string",
    • "p": "string",
    • "q": "string",
    • "qi": "string",
    • "use": "string",
    • "x": "string",
    • "x5c": [
      ],
    • "x5t": "string",
    • "x5t#S256": "string",
    • "x5u": "string",
    • "y": "string"
    }
}
Response samples 
application/json
{
  • "created_at": "2023-08-25T12:00:00.000000Z",
  • "created_by": "string",
  • "description": "string",
  • "id": "string",
  • "name": "string",
  • "path": [
    • {
      }
    ],
  • "updated_at": "2023-08-25T12:00:00.000000Z",
  • "updated_by": "string",
  • "secret_jwe": "string"
}
Update a Secret
Admin roles: 
  • end_user
Updates the specified secret. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
secret_id
required
string
The UUID of a Secret


 
Request Body schema: application/json
description
string or null
The description of the secret


 
name
required
string
The name of the secret


 
parent_folder_id
required
string
The UUID of the secret's parent folder


 
secret_jwe
required
string
The encrypted secret is a fully serialized JWE. The secret is encrypted using a public key provided by the Retrieve the vault JWKS resource on the client side. Typically, the secret encryption is performed by the Okta Privileged Access (OPA) client or the Terraform provider.


 
Responses 
200
OK


403
Forbidden


put/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secrets/{secret_id}
Request samples 
application/json
{
  • "description": "string",
  • "name": "string",
  • "parent_folder_id": "string",
  • "secret_jwe": "string"
}
Response samples 
application/json
{
  • "created_at": "2023-08-25T12:00:00.000000Z",
  • "created_by": "string",
  • "description": "string",
  • "id": "string",
  • "name": "string",
  • "path": [
    • {
      }
    ],
  • "updated_at": "2023-08-25T12:00:00.000000Z",
  • "updated_by": "string"
}
Delete a Secret
Admin roles: 
  • end_user
Deletes the specified secret. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
resource_group_id
required
string
The UUID of a resource group


 
project_id
required
string
The UUID of a project


 
secret_id
required
string
The UUID of a Secret


 
Responses 
204
No Content


403
Forbidden


delete/v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secrets/{secret_id}
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
List top-level secret folders for team
Admin roles: 
  • security_admin
Lists all top-level secret folders for a team


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
Responses 
200
OK


get/v1/teams/{team_name}/secret_folders
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}
List top-level secret folders for user
Admin roles: 
  • end_user
Lists all top-level secret folders for a user. Users must be authorized to perform this action by an existing security policy.


SecuritybearerAuth 
Request 
path Parameters
team_name
required
string
The name of your team


 
query Parameters
count
integer <int32> 
The number of objects per page


 
descending
boolean
The object order


 
offset
string
The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.


 
prev
boolean
The direction of paging


 
Responses 
200
OK


get/v1/teams/{team_name}/secrets
Request samples 
Response samples 
application/json
{
  • "list": [
    • {
      }
    ]
}