Vault provides centralized encryption and storage of sensitive data such as API keys, database credentials, or personally identifiable information (PII). All data is encrypted using keys automatically provisioned based on the provided context of the object.
Represents an encrypted object stored by Vault.
const object = { id: 'secret_51B0AC67C2FB4247AC5ABDDD3C701BDC', metadata: { id: 'secret_51B0AC67C2FB4247AC5ABDDD3C701BDC', environmentId: 'environment_example_23456789', context: { organization_id: 'org_01EHZNVPK3SFK441A1RGBFSHRT', }, keyId: 'e2084ada-50c1-5f9a-b1c7-fa868d506e5a', updatedAt: '2025-02-21T12:04:09.165291Z', updatedBy: { id: 'user_01E4ZCR3C56J083X43JQXF3JK5', name: 'Marcelina Davis', }, versionId: 'Wq49AmJIR7QI0kSwfY9BZ6vNsOq6AO_X', }, name: 'secret-name', value: 'my secret value', };
interface ObjectCreate a new object, encrypted with the key(s) matching the provided key context.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.createObject({ name: 'secret-name', value: 'my secret value', context: { organizationId: 'org_01EHZNVPK3SFK441A1RGBFSHRT' }, });
vaultParameters objectReturns Get an existing object. The stored value will be decrypted and returned.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.readObject({ id: 'secret_51B0AC67C2FB4247AC5ABDDD3C701BDC', });
Update the value for an object. The key context of the original object will be used to encrypt the new data.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.updateObject({ id: 'secret_51B0AC67C2FB4247AC5ABDDD3C701BDC', value: 'new value', versionCheck: 'Wq49AmJIR7QI0kSwfY9BZ6vNsOq6AO_X', });
Retrieve metadata about an object. The value itself is not returned.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.describeObject({ id: 'secret_51B0AC67C2FB4247AC5ABDDD3C701BDC', });
Get list of object names stored in Vault.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.listObjects();
vaultParameters objectReturns objectPermanently delete an object.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.deleteObject({ id: 'secret_51B0AC67C2FB4247AC5ABDDD3C701BDC', });
vaultParameters objectReturns Represents a static version of an object stored by Vault.
const objectVersion = { createdAt: '2025-02-21T12:04:09.165291Z', currentVersion: true, etag: '"62b747b941ceefd67dacc026724044e4"', id: 'Wq49AmJIR7QI0kSwfY9BZ6vNsOq6AO_X', size: 271, };
Get list of versions for an object stored in Vault.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.listObjectVersions({ id: 'secret_51B0AC67C2FB4247AC5ABDDD3C701BDC', });
vaultParameters objectReturns objectThe key management APIs can be used to generate isolated encryption keys for local encryption and decryption operations.
Generate a data key for local encryption based on the provided key context.
The encrypted data key MUST be stored by the application, as it cannot be retrieved after generation.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.createDataKey({ context: { organizationId: 'org_01EHZNVPK3SFK441A1RGBFSHRT' }, });
vaultParameters objectReturns objectDecrypt a data key that was previously encrypted using WorkOS Vault.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.decryptDataKey({ keys: 'V09TLkVLTS52MQBiZjUxY2NlYy03OGI0LTUyMDAtYjM4My0zNTczMGU3MWVmNjEBATEBJDU2OWYyNDdjLTFkY2QtNDQzMC04MjRmLWQ3N2MxZDNhZmU1NgF0NTY5ZjI0N2MtMWRjZC00NDMwLTgyNGYtZDc3YzFkM2FmZTU2pWvKMbiudRtpyjYexZCX/K9ggOEioUw2c0B62kEh+oj68uuAJQWNfPKTC+mapgJPxdnMKniKxzI7a6zmHgXTK7dSOmAzJBDhDgtEiaqyKTM=', });
vaultParameters objectReturns objectPerform a local encryption option. A data key is generated based on the provided key context and used to encrypt the data. The operation happens locally and neither the plaintext nor encrypted data are sent over the network.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.encrypt('keep it secret, keep it safe', { organizationId: 'org_01EHZNVPK3SFK441A1RGBFSHRT', });
vaultParameters Returns Decrypt data that was previously encrypted with Vault. The data key in the ciphertext is decrypted using the Vault API and used to decrypt the remaining data. The decryption operations happen locally and neither the plaintext nor encrypted data are sent over the network.
import { WorkOS } from '@workos-inc/node'; const workos = new WorkOS('sk_example_123456789'); await workos.vault.decrypt( 'J/HGPfUVMxY1GGvViE3MDe31fOU9BuIUja0/ekDOraRaA3v13YRnwLvDWbnSPjWjzgFXT1MuRUtNLnYxAGQ0ZWNkYjkwLTMwZmMtNTYwYS04MGM0LWExYWQ2N2IyYjUzYwEBMQEkMDIxOTlmM2EtMjE4NS00ODg4LTkzNzgtZTA0ODAxOGRkN2M1AXQwMjE5OWYzYS0yMTg1LTQ4ODgtOTM3OC1lMDQ4MDE4ZGQ3YzWdnLz+Zc8ySzyfZYOVKmuz2k3rNFa6MAihjl9+5u6fiXOjmavMBUcSg0wLFDxznK0UToroLyHDaPOnpN8MTlKO8lN1Qz4KSCpQWawThmSIZ2wwwiR1jY3AOo9P/YygzE5v', );
vaultParameters Returns