Returns the agent's RSA key pair for decrypting vault item secrets. Only available for AGENT-scoped API keys.
GET /api/v1/machine/vault/encryption-key| Header | Type | Required | Description |
|---|---|---|---|
X-API-Key | string | Yes | Your AGENT-scoped API key |
Success (200 OK)
{
"encryptionKeyId": "507f1f77bcf86cd799439015",
"privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----",
"publicKey": "-----BEGIN RSA PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...\n-----END RSA PUBLIC KEY-----"
}| Field | Type | Description |
|---|---|---|
encryptionKeyId | string | The encryption key ID |
privateKey | string | PEM-encoded RSA private key for decrypting vault item secrets |
publicKey | string | PEM-encoded RSA public key for encrypting vault item secrets |
403 Forbidden - Not an AGENT-scoped API key
{
"error": {
"code": "agent_scope_required",
"message": "This endpoint is only available for AGENT-scoped API keys."
}
}404 Not Found - Agent or encryption key not found
{
"error": {
"code": "encryption_key_not_found",
"message": "No encryption key found for this agent."
}
}curl -X GET "https://r4.dev/api/v1/machine/vault/encryption-key" \
-H "X-API-Key: rk_abc123def456.ghijklmnopqrstuvwxyz"import crypto from 'crypto'
// 1. Get the encryption key
const keyResponse = await fetch('https://r4.dev/api/v1/machine/vault/encryption-key', {
headers: { 'X-API-Key': API_KEY },
}).then(r => r.json())
// 2. Get a vault item with encrypted fields
const item = await fetch(`https://r4.dev/api/v1/machine/vault/${vaultId}/items/${itemId}`, {
headers: { 'X-API-Key': API_KEY },
}).then(r => r.json())
// 3. Decrypt secret field values
for (const field of item.fields) {
if (field.isSecret && field.value) {
const decrypted = crypto.privateDecrypt(
keyResponse.privateKey,
Buffer.from(field.value, 'base64'),
)
console.log(`${field.name}: ${decrypted.toString('utf8')}`)
}
}