HiveVault API
HiveVault provides secure credential and secret management for your projects. Agents can request credentials they need, and you can deposit them securely through the API.
Security: The API never returns credential values. You can list credential metadata (name, type, scope, expiry) but encrypted values are never exposed through the API.
GET
/vault/credentials
vault:read
List all credentials stored in HiveVault. Returns metadata only — never credential values.
Query Parameters
project_id (optional) — Filter by project
Response
{
"success": true,
"data": [
{
"id": "cred_abc123",
"name": "GitHub Deploy Key",
"type": "ssh_key",
"scope": "project",
"project_id": "proj_abc",
"project_name": "My App",
"expires_at": "2025-06-15T00:00:00Z",
"created_at": "2025-01-10T08:00:00Z",
"last_accessed_at": "2025-01-14T15:30:00Z",
"access_count": 12
},
{
"id": "cred_def456",
"name": "AWS Access Key",
"type": "api_key",
"scope": "global",
"project_id": null,
"expires_at": null,
"created_at": "2025-01-05T12:00:00Z",
"last_accessed_at": null,
"access_count": 0
}
]
}
GET
/vault/requests
vault:read
List credential requests from agents. These are requests for credentials that agents need but don't have yet.
Query Parameters
project_id (optional) — Filter by project
status (optional) — Filter by status (pending, fulfilled, expired)
Response
{
"success": true,
"data": [
{
"id": "req_abc123",
"project_id": "proj_abc",
"project_name": "My App",
"credential_name": "Stripe API Key",
"credential_type": "api_key",
"reason": "Needed for payment integration in the checkout module",
"requested_by": "lead_developer",
"status": "pending",
"created_at": "2025-01-14T09:00:00Z"
}
]
}
POST
/vault/credentials/:projectId
vault:write
Deposit a new credential into HiveVault for a specific project.
Request Body
{
"name": "Stripe API Key",
"type": "api_key",
"value": "sk_live_...",
"scope": "project",
"expires_in_days": 90
}
Response
{
"success": true,
"data": {
"id": "cred_new123",
"message": "Credential stored securely."
}
}
POST
/vault/requests/:requestId/fulfill
vault:write
Fulfill a pending credential request from an agent by providing the credential value.
Request Body
{
"value": "sk_live_..."
}
Response
{
"success": true,
"data": {
"credential_id": "cred_xyz",
"request_status": "fulfilled"
}
}
Credential Types
| Type | Description |
|---|---|
| api_key | API keys and tokens |
| ssh_key | SSH keys for repository or server access |
| password | Passwords and login credentials |
| certificate | SSL/TLS certificates |
| other | Other sensitive data |
Security Model
- All credential values are encrypted at rest using AES-256-GCM
- The API never returns decrypted credential values
- Each credential access is logged in the access audit trail
- Credentials can be scoped to a single project or made global
- Optional expiration ensures credentials are automatically rotated
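
Because GET /vault/credentials exposes expiry, scope and access metadata, that listing can drive a periodic hygiene review. The following is an added example, not HiveVault's own code: the sample response is constructed from the one shown above, and the thresholds and issue labels are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the GET /vault/credentials response above.
SAMPLE_RESPONSE = """
{"success": true, "data": [
  {"id": "cred_abc123", "name": "GitHub Deploy Key", "type": "ssh_key",
   "scope": "project", "project_id": "proj_abc",
   "expires_at": "2025-06-15T00:00:00Z",
   "last_accessed_at": "2025-01-14T15:30:00Z", "access_count": 12},
  {"id": "cred_def456", "name": "AWS Access Key", "type": "api_key",
   "scope": "global", "project_id": null, "expires_at": null,
   "last_accessed_at": null, "access_count": 0}
]}
"""

def parse_ts(value):
    """Parse the API's ISO-8601 'Z' timestamps; null stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_credentials(response_text, now, expiry_warn_days=14, stale_days=30):
    """Return [(credential_id, [issue, ...])] for entries that need review."""
    body = json.loads(response_text)
    if not body.get("success"):
        raise ValueError("vault response did not report success")
    findings = []
    for cred in body["data"]:
        issues = []
        expires = parse_ts(cred.get("expires_at"))
        last_used = parse_ts(cred.get("last_accessed_at"))
        if expires is None:
            issues.append("no_expiry")        # never ages out on its own
        elif expires <= now:
            issues.append("expired")
        elif expires - now <= timedelta(days=expiry_warn_days):
            issues.append("expires_soon")
        if cred.get("scope") == "global":
            issues.append("global_scope")     # visible beyond one project
        if cred.get("access_count", 0) == 0:
            issues.append("never_accessed")   # candidate for removal
        elif last_used and now - last_used > timedelta(days=stale_days):
            issues.append("stale")
        if "value" in cred:
            issues.append("value_exposed")    # contradicts metadata-only guarantee
        if issues:
            findings.append((cred["id"], issues))
    return findings
```
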
