Skip to main content
POST
/
vault-integrations
/
{id}
/
secrets
Push Secret to Vault
curl --request POST \
  --url https://api.example.com/vault-integrations/{id}/secrets \
  --header 'Content-Type: application/json' \
  --data '
{
  "path": "<string>",
  "mount": "<string>",
  "data": {},
  "metadata": {}
}
'
{
  "path": "<string>",
  "mount": "<string>",
  "version": 123
}

Overview

Writes a KV secret to the vault behind a registered integration. This is the only channel through which a raw username/password ever enters ScrapEngine — the payload is forwarded to your vault in the same request and not persisted on our side. For HashiCorp KV v2 (the default) the secret lands at <mount>/data/<path>; use this endpoint to seed the vault entries that your credential records reference.

Path Parameters

id
string
required
Integration ID (UUID) of the vault to write to.

Body

path
string
required
Vault KV path without the mount or /data/ prefix. 1-200 characters. For KV v2 mounted at secret, this is stored under secret/data/<path>.
mount
string
default:"secret"
KV mount point. Defaults to secret.
data
object
required
Key/value pairs to store under the path. All values must be strings. This is the only channel in which the raw secret enters our system; it is forwarded to your vault and never stored by us.
metadata
object
Optional custom_metadata (KV v2) for free-form labels — name, description, owner, etc. All values must be strings.

Example Request

curl -X POST "https://api.scrapengine.io/api/v1/vault-integrations/5f8c6a74-5f2e-4f5a-9e58-5b9c3c7d2a11/secrets" \
  -H "Authorization: Bearer $SCRAPENGINE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "path": "login-alice",
    "mount": "secret",
    "data": {
      "username": "[email protected]",
      "password": "hunter2"
    },
    "metadata": {
      "name": "Alice login",
      "description": "app.example.com invoices flow"
    }
  }'

Response

Success Response (201)

path
string
The path the secret was written to (as supplied).
mount
string
The mount point used — either what you supplied or the default (secret).
version
integer
KV v2 version assigned by vault. Omitted for backends that don’t version secrets.
Example Response: 
{
  "path": "login-alice",
  "mount": "secret",
  "version": 1
}

Error Responses

StatusDescription
400Invalid body — non-string value in data / metadata, path too long, or the underlying vault rejected the write.
401Unauthorized — invalid or missing API key.
404Integration not found or not owned by the caller.