seekrit

REST API

The API is a Cloudflare Worker. All application endpoints are under /v1 and require authentication. Values are always ciphertext — the API neither encrypts nor decrypts.

Authentication

Send one of:

  • Authorization: Bearer <jwt> — a Stytch B2B session JWT (web sessions).
  • Authorization: Bearer skt_… — a service token.
  • x-seekrit-dev-user: <email> — local dev only, when the worker runs with AUTH_MODE=dev.

Errors use { "error": { "code": "...", "message": "..." } } with a matching HTTP status (400, 401, 403, 404, 409, 500). Organizations you don't belong to return 404.

Health

Method  Path     Description
GET     /health  Liveness check (no auth).

Identity

Method  Path         Description
GET     /v1/me       The current user and their organizations.
GET     /v1/me/keys  Your public key and passphrase-encrypted private key.
PUT     /v1/me/keys  Upload your keys (one-time key setup).

Organizations

Method  Path                     Description
GET     /v1/orgs                 List organizations you can access.
POST    /v1/orgs                 Create an organization (creator becomes owner).
GET     /v1/orgs/:orgId          Get one organization and your role.
GET     /v1/orgs/:orgId/members  List members (includes public keys, for granting).

Applications & environments

Method  Path                              Description
GET     /v1/orgs/:orgId/apps              List applications.
POST    /v1/orgs/:orgId/apps              Create an application. (admin)
GET     /v1/orgs/:orgId/apps/:appId       Get an application and its environments.
DELETE  /v1/orgs/:orgId/apps/:appId       Delete an application. (admin)
GET     /v1/orgs/:orgId/apps/:appId/envs  List environments.
POST    /v1/orgs/:orgId/apps/:appId/envs  Create an environment (body includes the wrapped DEK). (admin)
GET     /v1/orgs/:orgId/envs/:envId       Get an environment.
DELETE  /v1/orgs/:orgId/envs/:envId       Delete an environment. (admin)

Secrets

Values are opaque ciphertext blobs produced by the client.

Method  Path                                       Description
GET     /v1/orgs/:orgId/envs/:envId/secrets        List secrets (with ciphertext).
PUT     /v1/orgs/:orgId/envs/:envId/secrets/:name  Create or update a secret (appends a version).
DELETE  /v1/orgs/:orgId/envs/:envId/secrets/:name  Delete a secret.

Key grants

Method  Path                                      Description
GET     /v1/orgs/:orgId/envs/:envId/key           The calling principal's own wrapped DEK.
GET     /v1/orgs/:orgId/envs/:envId/keys          List all grants for the environment. (admin)
POST    /v1/orgs/:orgId/envs/:envId/keys          Grant a wrapped DEK to a principal. (admin)
DELETE  /v1/orgs/:orgId/envs/:envId/keys/:grantId Revoke a grant. (admin)

Service tokens

Method  Path                             Description
GET     /v1/orgs/:orgId/tokens           List service tokens. (admin)
POST    /v1/orgs/:orgId/tokens           Register a token (client sends hash + public key). (admin)
DELETE  /v1/orgs/:orgId/tokens/:tokenId  Revoke a token. (admin)

Audit

Method  Path                    Description
GET     /v1/orgs/:orgId/audit   Paginated audit entries. (admin) Query: cursor, limit, action, resourceType.
Note: token creation is client-driven. The client generates the keypair and token string locally and submits only the token id, a SHA-256 hash, and the public key. The server never sees the token secret.
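
The client-driven token creation described above, sketched for Node.js as an added example (not seekrit's own code). The token layout skt_<id>_<secret>, the X25519 keypair, the body field names (id, tokenHash, publicKey) and the server-side hash check are assumptions; the page specifies only the skt_ prefix, the SHA-256 hash and the three submitted items.

```javascript
// Added example; field names and token layout are assumptions, not seekrit's schema.
const { createHash, generateKeyPairSync, randomBytes, timingSafeEqual } = require('node:crypto');

const sha256Hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Client side: everything secret is generated and kept locally.
function createServiceToken() {
  const id = randomBytes(8).toString('hex');            // public token id
  const secret = randomBytes(32).toString('base64url'); // never leaves the client
  // Assumed layout "skt_<id>_<secret>"; the page only shows the "skt_" prefix.
  const token = `skt_${id}_${secret}`;
  // Assumed algorithm (X25519); the page does not name one.
  const { publicKey, privateKey } = generateKeyPairSync('x25519');
  const registration = {                                // hypothetical body for POST .../tokens
    id,
    tokenHash: sha256Hex(token),
    publicKey: publicKey.export({ type: 'spki', format: 'der' }).toString('base64'),
  };
  return { token, privateKey, registration };
}

// Hypothetical server-side check: hash the presented bearer token and compare
// it to the stored hash in constant time. Only id, hash and public key are stored.
function matchesStoredHash(presentedToken, storedHashHex) {
  if (typeof presentedToken !== 'string' || !presentedToken.startsWith('skt_')) return false;
  const got = Buffer.from(sha256Hex(presentedToken), 'hex');
  const want = Buffer.from(String(storedHashHex), 'hex');
  return got.length === want.length && timingSafeEqual(got, want);
}

// Extract the id from a presented token so the stored record can be looked up.
function tokenIdOf(presentedToken) {
  const m = /^skt_([0-9a-f]{16})_[A-Za-z0-9_-]{43}$/.exec(presentedToken);
  return m ? m[1] : null;
}
```

Only the registration object is sent; token and privateKey stay with the client, which is what keeps a leaked database row from being usable as a credential.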