Browse docs+

Update Vault

Updates vault metadata such as the vault name or data classification.

PATCH /api/v1/machine/vault/:id/update

Important

This is a zero-trust metadata write. The request must include fresh signed directoryCheckpoint and summaryCheckpoint payloads.
The checkpoint signer must be an active user key owned by the acting org user.
Use this route for vault-level metadata changes such as renaming the vault. Field edits happen through PATCH /api/v1/machine/vault-item/:id/update.
The vault name in this request is metadata, so it is not end-to-end encrypted. Only field values are end-to-end encrypted.

Headers

Header	Type	Required	Description
`X-API-Key`	string	Yes	Your machine API key
`Content-Type`	string	Yes	Must be `application/json`

Path Parameters

Parameter	Type	Required	Description
`id`	string	Yes	The unique identifier of the vault to update

Request Body

Field	Type	Required	Description
`directoryCheckpoint`	object	Yes	Signed replacement directory checkpoint for list-level metadata such as the vault name
`summaryCheckpoint`	object	Yes	Signed replacement summary checkpoint for vault metadata and item/group membership
`name`	string	Yes	The new vault name
`dataClassification`	string	No	Optional classification: `PUBLIC`, `INTERNAL`, `CONFIDENTIAL`, or `CUI`

Response

Success (200 OK)

No response body is returned on success.

Notes

directoryCheckpoint.checkpoint.name and summaryCheckpoint.checkpoint.name must both match the requested name.
If dataClassification is provided, both checkpoints must carry the same value.
This endpoint requires machine.vault.write plus ADMIN access to the target vault.

Example Request

curl -X PATCH "https://r4.dev/api/v1/machine/vault/507f1f77bcf86cd799439011/update" \
  -H "X-API-Key: rk_abc123def456.ghijklmnopqrstuvwxyz" \
  -H "Content-Type: application/json" \
  -d '{
    "directoryCheckpoint": {
      "checkpoint": {
        "vaultId": "507f1f77bcf86cd799439011",
        "version": 7,
        "name": "Production Secrets",
        "groupId": null,
        "dataClassification": "CONFIDENTIAL"
      },
      "signerUserKeyPairId": "507f1f77bcf86cd799439099",
      "signature": "base64-signature"
    },
    "summaryCheckpoint": {
      "checkpoint": {
        "vaultId": "507f1f77bcf86cd799439011",
        "version": 10,
        "name": "Production Secrets",
        "dataClassification": "CONFIDENTIAL",
        "currentDekVersion": 3,
        "items": [],
        "groups": []
      },
      "signerUserKeyPairId": "507f1f77bcf86cd799439099",
      "signature": "base64-signature"
    },
    "name": "Production Secrets",
    "dataClassification": "CONFIDENTIAL"
  }'