Skip to main content
POST
/
secrets
Create a secret
curl --request POST \
  --url https://api.superserve.ai/secrets \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "name": "<string>",
  "value": "<string>",
  "provider": "<string>",
  "auth": {
    "header": "<string>",
    "prefix": "<string>",
    "username": "<string>",
    "headers": {}
  },
  "hosts": [
    "<string>"
  ]
}
'
{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "name": "<string>",
  "auth_config": {},
  "hosts": [
    "<string>"
  ],
  "created_at": "2023-11-07T05:31:56Z",
  "updated_at": "2023-11-07T05:31:56Z",
  "provider_shortcut": "<string>",
  "last_used_at": "2023-11-07T05:31:56Z"
}

Authorizations

X-API-Key
string
header
required

Body

application/json
name
string
required

Identifier used to reference the secret later (e.g. in the secrets map on POST /sandboxes).

Maximum string length: 128
Pattern: ^[A-Za-z_][A-Za-z0-9_-]*$
value
string
required

Cleartext credential. Encrypted at rest; never returned.

Maximum string length: 8192
provider
string

Built-in provider shortcut (e.g. anthropic, openai, github, stripe). When set, auto-fills auth scheme and allowed upstream hosts. Mutually exclusive with auth and hosts. github emits a per_host config so the same PAT works for both api.github.com REST (Bearer) and github.com git over HTTPS (Basic with x-access-token).

auth
object

Egress auth shape. Use the single-rule form (type + type-specific fields) for credentials that authenticate the same way on every host. Use per_host when the same credential needs different auth schemes on different hosts of the same provider — for example one host accepts Bearer while another accepts Basic with a fixed username. Single-rule and per_host are mutually exclusive.

hosts
string[]

Upstream allow list. Required when auth is set. Each entry is a hostname or single-level wildcard (e.g. api.example.com, *.example.com).

Maximum array length: 16

Response

Secret created

id
string<uuid>
required
name
string
required
auth_type
enum<string>
required

per_host indicates a multi-rule secret; the resolved rules are in auth_config.per_host.

Available options:
bearer,
basic,
api-key,
custom,
per_host
auth_config
object
required

Resolved auth scheme details (no cleartext value).

hosts
string[]
required
created_at
string<date-time>
required
updated_at
string<date-time>
required
provider_shortcut
string | null

Provider shortcut used at creation, if any.

last_used_at
string<date-time> | null

Timestamp of the most recent egress that used this secret.