Secrets

The Secrets API provides operations to manage Secrets for Okta Privileged Access (OPA) Teams. Secrets are encrypted key-value pairs used to store sensitive information; the value is encrypted on the client before it is sent to the API.


Resolve Secret or Folder

Resolves the ID or path for a Secret or Secret Folder. Users must be authorized to perform this action by an existing Security Policy.

To resolve the ID, the request must include the named path. To resolve the path, the request must include the ID.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, security_admin, delegated_security_admin.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

Request Body schema: application/json
id
string or null

The ID of the Secret or Secret Folder. Don't use this parameter if the request also includes the path-based parameters (parent_folder_path, project, resource_group, secret_folder_name or secret_name).

parent_folder_path
string or null

The path to the parent directory. Don't use this parameter if the request also includes an id.

project
required
object (SecretResolveParent)

The Project that contains the Secret or Secret Folder

id
string

The UUID of the parent

name
string

The name of the parent

resource_group
required
object (SecretResolveParent)

The Resource Group that contains the Secret or Secret Folder

id
string

The UUID of the parent

name
string

The name of the parent

secret_folder_name
string

The name of the Secret Folder. Don't use this parameter if the request also includes an id or secret_name.

secret_name
string

The name of the Secret. Don't use this parameter if the request also includes an id or secret_folder_name.

Responses
200

OK

POST /v1/teams/{team_name}/resolve_secret
Request samples
application/json
{
  "id": "string",
  "parent_folder_path": "string",
  "project": {
    "id": "string",
    "name": "string"
  },
  "resource_group": {
    "id": "string",
    "name": "string"
  },
  "secret_folder_name": "string",
  "secret_name": "string"
}
Response samples
application/json
{
  "description": "string",
  "id": "string",
  "name": "string",
  "path": [
    {}
  ],
  "project": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "resource_group": {
    "id": "string",
    "missing": true,
    "name": "string",
    "type": "active_directory_connection"
  },
  "type": "folder"
}

List top-level Secret Folders for a Project

Lists all top-level Secret Folders for a Project. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

Responses
200

OK

403

Forbidden

GET /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders
Response samples
application/json
{
  "list": [
    {}
  ]
}

Create a Secret Folder

Creates a Secret Folder. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

Request Body schema: application/json
description
string or null

A description of the Secret Folder

name
required
string

The name of the Secret Folder

parent_folder_id
string

The UUID of Secret Folder's parent folder

Responses
201

Created

403

Forbidden

POST /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders
Request samples
application/json
{
  "description": "string",
  "name": "string",
  "parent_folder_id": "string"
}
Response samples
application/json
{
  "created_at": "2023-08-25T12:00:00.000000Z",
  "created_by": "string",
  "description": "string",
  "id": "string",
  "name": "string",
  "path": [
    {}
  ],
  "updated_at": "2023-08-25T12:00:00.000000Z",
  "updated_by": "string"
}

Retrieve a Secret Folder

Retrieves the specified Secret Folder. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

secret_folder_id
required
string

The UUID of a Secret Folder

Responses
200

OK

403

Forbidden

GET /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders/{secret_folder_id}
Response samples
application/json
{
  "created_at": "2023-08-25T12:00:00.000000Z",
  "created_by": "string",
  "description": "string",
  "id": "string",
  "name": "string",
  "path": [
    {}
  ],
  "updated_at": "2023-08-25T12:00:00.000000Z",
  "updated_by": "string"
}

Update a Secret Folder

Updates the specified Secret Folder. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

secret_folder_id
required
string

The UUID of a Secret Folder

Request Body schema: application/json
description
string or null

A description of the Secret Folder

name
required
string

The name of the Secret Folder

Responses
200

OK

403

Forbidden

PUT /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders/{secret_folder_id}
Request samples
application/json
{
  "description": "string",
  "name": "string"
}
Response samples
application/json
{
  "created_at": "2023-08-25T12:00:00.000000Z",
  "created_by": "string",
  "description": "string",
  "id": "string",
  "name": "string",
  "path": [
    {}
  ],
  "updated_at": "2023-08-25T12:00:00.000000Z",
  "updated_by": "string"
}

Delete a Secret Folder

Deletes the specified Secret Folder. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

secret_folder_id
required
string

The UUID of a Secret Folder

Responses
204

No Content

403

Forbidden

DELETE /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders/{secret_folder_id}

List all items in a Secret Folder

Lists all items in a Secret Folder. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

secret_folder_id
required
string

The UUID of a Secret Folder

query Parameters
count
integer <int32>

The number of objects per page

descending
boolean

The object order

offset
string

The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.

prev
boolean

The direction of paging

Responses
200

OK

403

Forbidden

GET /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secret_folders/{secret_folder_id}/items
Response samples
application/json
{
  "list": [
    {}
  ]
}
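
The count, offset and prev parameters above describe cursor-style paging in which the server, not the client, computes the next offset and publishes it in rel="next" and rel="prev" Link headers. The Go program below is an added example, not code from this page or from Okta, showing a client that walks a folder's items by following rel="next" until none is sent, using only the standard library. The stand-in server, its offset scheme, the token value and the two-field item shape are assumptions made for the example; the page describes the Link headers but does not show their exact text, so the parser accepts the general RFC 8288 form.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strconv"
)

// item is the minimal shape of a "list" entry; extra fields in the real schema are ignored by the decoder.
type item struct {
	ID   string `json:"id"`
	Type string `json:"type"`
}
type page struct {
	List []item `json:"list"`
}

var linkRe = regexp.MustCompile(`<([^>]+)>\s*;\s*rel="([^"]+)"`)
// nextLink returns the target of rel="next" from the Link header(s), or "" when there is no next page.
func nextLink(h http.Header) string {
	for _, v := range h.Values("Link") {
		for _, m := range linkRe.FindAllStringSubmatch(v, -1) {
			if m[2] == "next" {
				return m[1]
			}
		}
	}
	return ""
}

// listAllItems follows rel="next" until the server stops sending one; maxPages
// bounds the walk so a faulty or hostile server cannot keep the client looping.
func listAllItems(client *http.Client, token, start string, maxPages int) ([]item, error) {
	var out []item
	next := start
	for i := 0; next != "" && i < maxPages; i++ {
		req, err := http.NewRequest(http.MethodGet, next, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		var p page
		err = json.NewDecoder(resp.Body).Decode(&p)
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("GET %s: HTTP %d", next, resp.StatusCode)
		}
		if err != nil {
			return nil, err
		}
		out = append(out, p.List...)
		if next = nextLink(resp.Header); next != "" {
			u, err := req.URL.Parse(next) // Link targets may be relative to the request URL
			if err != nil {
				return nil, err
			}
			next = u.String()
		}
	}
	return out, nil
}

// newFakeItemsServer is a constructed stand-in for the items endpoint: it checks the
// bearer token, pages by an opaque offset and advertises neighbours via Link headers.
func newFakeItemsServer(all []item, pageSize int, token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, `{"error":"forbidden"}`, http.StatusForbidden)
			return
		}
		off, _ := strconv.Atoi(r.URL.Query().Get("offset")) // an absent offset parses as 0
		end := off + pageSize
		if end > len(all) {
			end = len(all)
		}
		if off > 0 { // offsets handed out here are always multiples of pageSize
			w.Header().Add("Link", fmt.Sprintf(`<%s?offset=%d&prev=true>; rel="prev"`, r.URL.Path, off-pageSize))
		}
		if end < len(all) {
			w.Header().Add("Link", fmt.Sprintf(`<%s?offset=%d>; rel="next"`, r.URL.Path, end))
		}
		json.NewEncoder(w).Encode(page{List: all[off:end]})
	}))
}

func main() {
	all := []item{{"a", "secret"}, {"b", "folder"}, {"c", "secret"}, {"d", "secret"}, {"e", "secret"}}
	srv := newFakeItemsServer(all, 2, "example-token")
	defer srv.Close()
	start := srv.URL + "/v1/teams/acme/resource_groups/rg/projects/p/secret_folders/f/items?count=2"
	items, err := listAllItems(srv.Client(), "example-token", start, 10)
	fmt.Println(len(items), "items", err)
}
```

The walk treats the offset as opaque: it never increments a number itself, only re-requests whatever URL the server advertised, which is what lets the server change its cursor format without breaking clients. The maxPages cap and the hard stop on any non-200 status are the two checks worth keeping in production code, since an endpoint that keeps returning a rel="next" pointing at itself, or a 403 mid-walk, should surface as an error rather than a silent partial listing.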

Create a Secret

Creates a Secret. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

Request Body schema: application/json
description
string or null

The description of the Secret

name
required
string

The name of the Secret

parent_folder_id
required
string

The UUID of the Secret's parent folder

secret_jwe
required
string

The encrypted Secret as a fully serialized JWE (RFC 7516). The plaintext is encrypted client-side with the public key that Okta Privileged Access publishes at /v1/teams/:team_name/vault/jwks.json, so the API only ever receives ciphertext. Normally the sft client or the Terraform provider performs this encryption.

Responses
201

Created

403

Forbidden

POST /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secrets
Request samples
application/json
{
  "description": "string",
  "name": "string",
  "parent_folder_id": "string",
  "secret_jwe": "string"
}
Response samples
application/json
{
  "created_at": "2023-08-25T12:00:00.000000Z",
  "created_by": "string",
  "description": "string",
  "id": "string",
  "name": "string",
  "path": [
    {}
  ],
  "updated_at": "2023-08-25T12:00:00.000000Z",
  "updated_by": "string"
}

Retrieve a Secret

Retrieves the specified Secret. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

secret_id
required
string

The UUID of a Secret

Responses
200

OK

403

Forbidden

GET /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secrets/{secret_id}
Response samples
application/json
{
  "created_at": "2023-08-25T12:00:00.000000Z",
  "created_by": "string",
  "description": "string",
  "id": "string",
  "name": "string",
  "path": [
    {}
  ],
  "updated_at": "2023-08-25T12:00:00.000000Z",
  "updated_by": "string"
}

Reveal a Secret

Reveals the specified Secret. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

secret_id
required
string

The UUID of a Secret

Request Body schema: application/json
public_key
required
object (RawJSONWebKey)

The public half of a key pair held by the caller, as a JSON Web Key formatted in accordance with RFC 7517. The revealed Secret is returned in the response as secret_jwe encrypted to this key, so only the holder of the matching private key can read it. Because the only permitted alg value is RSA-OAEP-256, this is in practice an RSA public key: send kty, n and e (plus kid and use if you set them). The private members listed in the generic JWK schema below (d, p, q, dp, dq, qi, k) must never be included in a request.

alg
string (alg)

The algorithm of the key

Value: "RSA-OAEP-256"
crv
string (curve)

The curve used by the key

Enum: "P-256" "P-384" "P-521"
d
string <byte>

The exponent of the private key

dp
string <byte>

The first factor CRT exponent of the private key

dq
string <byte>

The second factor CRT exponent of the private key

e
string <byte>

The exponent of the public key

k
string <byte>

The key

kid
string <regex> ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-...

The key ID

kty
string (kty)

The key type

Enum: "EC" "OKP" "RSA" "oct"
n
string <byte>

The modulus of the public key

p
string <byte>

The first prime factor of the private key

q
string <byte>

The second prime factor of the private key

qi
string <byte>

The first CRT coefficient of the private key

use
string

The intended use of the key

x
string <byte>

The x coordinate of the key

x5c
Array of strings

A list of X.509 certificates

x5t
string

The SHA-1 thumbprint of the X.509 certificate

x5t#S256
string

The SHA-256 thumbprint of the X.509 certificate

x5u
string

The URL of the X.509 certificates

y
string <byte>

The y coordinate of the key

Responses
200

OK

403

Forbidden

POST /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secrets/{secret_id}
Request samples
application/json
{
  "public_key": {
    "alg": "RSA-OAEP-256",
    "crv": "P-256",
    "d": "string",
    "dp": "string",
    "dq": "string",
    "e": "string",
    "k": "string",
    "kid": "/regex/",
    "kty": "EC",
    "n": "string",
    "p": "string",
    "q": "string",
    "qi": "string",
    "use": "string",
    "x": "string",
    "x5c": [],
    "x5t": "string",
    "x5t#S256": "string",
    "x5u": "string",
    "y": "string"
  }
}
Response samples
application/json
{
  "created_at": "2023-08-25T12:00:00.000000Z",
  "created_by": "string",
  "description": "string",
  "id": "string",
  "name": "string",
  "path": [
    {}
  ],
  "updated_at": "2023-08-25T12:00:00.000000Z",
  "updated_by": "string",
  "secret_jwe": "string"
}
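
The secret_jwe field on Create a Secret and Update a Secret, and the public_key body on Reveal a Secret, are the two halves of one envelope scheme: the client encrypts to a vault public key on the way in, and on the way out the server encrypts to a public key the client supplied. The Go program below is an added example written for this page, not the sft client, the Terraform provider or any Okta code, and it uses only the standard library. It parses an RSA JWK of the kind served at /v1/teams/{team_name}/vault/jwks.json, builds a compact JWE with alg RSA-OAEP-256, and decrypts a JWE addressed to a locally generated key whose public JWK is what a Reveal request would carry. The page fixes only alg = RSA-OAEP-256; the content encryption enc = A256GCM, the 2048-bit key size, the kid values and the sample plaintext are assumptions, and the vault key pair is stood in for by one generated in main.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
// rsaJWK carries only the public RFC 7517 members; d, p, q, dp, dq and qi are not representable, so they cannot leak.
type rsaJWK struct {
	Kty string `json:"kty"`
	Alg string `json:"alg,omitempty"`
	Kid string `json:"kid,omitempty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func publicKeyToJWK(pub *rsa.PublicKey, kid string) rsaJWK {
	return rsaJWK{Kty: "RSA", Alg: "RSA-OAEP-256", Kid: kid,
		N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// jwkToPublicKey parses one entry of the vault JWKS document into a usable key.
func jwkToPublicKey(jwk rsaJWK) (*rsa.PublicKey, error) {
	n, errN := b64.DecodeString(jwk.N)
	e, errE := b64.DecodeString(jwk.E)
	if jwk.Kty != "RSA" || errN != nil || errE != nil {
		return nil, fmt.Errorf("unsupported or malformed JWK (kty=%q)", jwk.Kty)
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// encryptJWE is the client side of Create/Update: a fresh AES-256 content key is wrapped with
// RSA-OAEP-256 and the plaintext sealed with A256GCM (RFC 7516 compact form: header.key.iv.ct.tag).
func encryptJWE(pub *rsa.PublicKey, kid string, plaintext []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid})
	protected := b64.EncodeToString(header)
	buf := make([]byte, 32+12) // 256-bit CEK followed by the 96-bit IV that A256GCM requires
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	cek, iv := buf[:32], buf[32:]
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected)) // AAD is the ASCII protected header
	ct, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:]
	return strings.Join([]string{protected, b64.EncodeToString(encKey),
		b64.EncodeToString(iv), b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// decryptJWE is the client side of Reveal: the caller holds the private half of the key it sent as public_key.
func decryptJWE(priv *rsa.PrivateKey, jwe string) ([]byte, error) {
	parts := strings.Split(jwe, ".")
	if len(parts) != 5 {
		return nil, errors.New("not a compact JWE")
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = d
	}
	var hdr struct{ Alg, Enc string }
	// Pin the algorithms before any key material is touched; the header must never choose them.
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" {
		return nil, fmt.Errorf("refusing JWE header %s", raw[0])
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, raw[1], nil)
	if err != nil || len(cek) != 32 {
		return nil, errors.New("content key unwrap failed")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0])) // tag mismatch fails here
}

func main() {
	vault, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key behind /vault/jwks.json
	pub, _ := jwkToPublicKey(publicKeyToJWK(&vault.PublicKey, "vault-kid"))
	jwe, _ := encryptJWE(pub, "vault-kid", []byte("db-password-example"))
	plain, err := decryptJWE(vault, jwe)
	fmt.Println(jwe[:40]+"...", string(plain), err)
}
```

Two design points carry over to any real client. First, the JWK type has no fields for private members, so a Reveal request body built with publicKeyToJWK cannot ship d, p or q by construction, which is safer than filtering them out at the call site. Second, the decryptor pins alg and enc to the values it expects before it touches the private key; a decoder that lets the incoming header pick the algorithm is the usual root of JWE and JWS downgrade bugs.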

Update a Secret

Updates the specified Secret. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

secret_id
required
string

The UUID of a Secret

Request Body schema: application/json
description
string or null

The description of the Secret

name
required
string

The name of the Secret

parent_folder_id
required
string

The UUID of the Secret's parent folder

secret_jwe
required
string

The encrypted Secret as a fully serialized JWE (RFC 7516). The plaintext is encrypted client-side with the public key that Okta Privileged Access publishes at /v1/teams/:team_name/vault/jwks.json, so the API only ever receives ciphertext. Normally the sft client or the Terraform provider performs this encryption.

Responses
200

OK

403

Forbidden

PUT /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secrets/{secret_id}
Request samples
application/json
{
  "description": "string",
  "name": "string",
  "parent_folder_id": "string",
  "secret_jwe": "string"
}
Response samples
application/json
{
  "created_at": "2023-08-25T12:00:00.000000Z",
  "created_by": "string",
  "description": "string",
  "id": "string",
  "name": "string",
  "path": [
    {}
  ],
  "updated_at": "2023-08-25T12:00:00.000000Z",
  "updated_by": "string"
}

Delete a Secret

Deletes the specified Secret. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

resource_group_id
required
string

The UUID of a Resource Group

project_id
required
string

The UUID of a Project

secret_id
required
string

The UUID of a Secret

Responses
204

No Content

403

Forbidden

DELETE /v1/teams/{team_name}/resource_groups/{resource_group_id}/projects/{project_id}/secrets/{secret_id}

List top-level Secret Folders for Team

Lists all top-level Secret Folders for a Team.

This endpoint requires the following roles: security_admin.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

Responses
200

OK

GET /v1/teams/{team_name}/secret_folders
Response samples
application/json
{
  "list": [
    {}
  ]
}

List top-level Secret Folders for User

Lists all top-level Secret Folders for a User. Users must be authorized to perform this action by an existing Security Policy.

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

Security: bearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

query Parameters
count
integer <int32>

The number of objects per page

descending
boolean

The object order

offset
string

The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.

prev
boolean

The direction of paging

Responses
200

OK

GET /v1/teams/{team_name}/secrets
Response samples
application/json
{
  "list": [
    {}
  ]
}