Skip to main content

API Overview

The Keyway REST API allows you to programmatically manage vaults, secrets, and environments.

Base URL

https://api.keyway.sh/v1

Authentication

All API requests require authentication. Include your token in the Authorization header:

Authorization: Bearer <token>

Token types

TypeHow to obtainUse case
Keyway JWTkeyway login then check ~/.config/keyway/config.jsonCLI, scripts
GitHub PATCreate a fine-grained PATCI/CD, automation

Both token types work interchangeably.

Response format

All successful responses follow this structure:

{
  "data": { ... },
  "meta": {
    "requestId": "550e8400-e29b-41d4-a716-446655440000"
  }
}

Paginated responses

List endpoints include pagination metadata in the meta object:

{
  "data": [...],
  "meta": {
    "requestId": "550e8400-e29b-41d4-a716-446655440000",
    "pagination": {
      "total": 100,
      "limit": 25,
      "offset": 0,
      "hasMore": true
    }
  }
}

Use ?limit=N&offset=M query parameters to paginate.

No Content responses

Some endpoints (like DELETE operations) return 204 No Content with an empty body.

Error format

Errors follow RFC 7807 Problem Details:

{
  "type": "https://keyway.sh/errors/not-found",
  "title": "Not Found",
  "status": 404,
  "detail": "Vault not found for repository owner/repo",
  "instance": "/v1/vaults/owner/repo",
  "requestId": "550e8400-e29b-41d4-a716-446655440000"
}

Common error codes

StatusTypeDescription
400bad-requestInvalid request body or parameters
401unauthorizedMissing or invalid authentication
403forbiddenInsufficient permissions
404not-foundResource not found
409conflictResource already exists
429rate-limitedToo many requests

Rate limits

EndpointLimit
General100 requests / 15 minutes
Device verify5 requests / minute

When rate limited, you'll receive a 429 response with a Retry-After header.

API sections