Skip to main content
GET
/
vault
Get vault entries
curl --request GET \
  --url https://api.cloudcruise.com/vault \
  --header 'cc-key: <api-key>'
[
  {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "permissioned_user_id": "<string>",
    "user_name": "<string>",
    "password": "<string>",
    "domain": "<string>",
    "user_alias": "<string>",
    "tfa_secret": "<string>",
    "tfa_email": "<string>",
    "tfa_phone_number": "<string>",
    "workspace_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "user_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "created_at": "2023-11-07T05:31:56Z",
    "updated_at": "2023-11-07T05:31:56Z",
    "session_storage": {},
    "local_storage": {},
    "cookies": [
      {
        "name": "<string>",
        "value": "<string>",
        "domain": "<string>",
        "path": "<string>",
        "httpOnly": true,
        "hostOnly": true,
        "secure": true,
        "session": true,
        "storeId": "<string>",
        "sameSite": "<string>",
        "expirationDate": 123
      }
    ],
    "persist_local_storage": true,
    "persist_cookies": true,
    "persist_session_storage": true,
    "skip_csrf_cookies": true,
    "cookie_domain_to_store": "<string>",
    "allow_multiple_sessions": true,
    "max_concurrency": 123,
    "prevent_concurrency_during_login": true,
    "expiry_time_from_last_use": "<string>",
    "expiry_time_from_session_data_set": "<string>",
    "effective_expires_at": "2023-11-07T05:31:56Z",
    "session_data_set_at": "2023-11-07T05:31:56Z",
    "ip_address": "<string>",
    "location": "<string>",
    "proxy_string": "<string>",
    "proxy_value": "<string>",
    "secret_provider_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "secret_ref": "<string>",
    "secret_cache_ttl_seconds": 123
  }
]
Note:
  • If the query parameters are omitted, all vault entries will be returned.
  • If both parameters are provided, the response will be a single vault entry record (not a list).

Authorizations

cc-key
string
header
required

API key-based authentication. Provide your CloudCruise API key in the cc-key header.

Query Parameters

permissioned_user_id
string

Unique identifier for the vault entry. Optional, but if provided, 'domain' must also be provided.

domain
string

Target domain to filter vault entries. Optional, but if provided, 'permissioned_user_id' must also be provided.

Response

Vault entries successfully retrieved.

  • If no query parameters are provided, returns an array of all vault entries.
  • If both permissioned_user_id and domain are provided, returns a single vault entry object.

Complete vault entry including system-generated fields

id
string<uuid>

System-generated unique identifier for the vault entry

permissioned_user_id
string

Unique identifier for referencing this vault entry in workflow executions

user_name
string | null

Encrypted username

password
string | null

Encrypted password

domain
string

Target domain for vault entry credentials

user_alias
string | null

Human readable identifier

tfa_secret
string | null

Two-factor authenticator secret key (TOTP). Required when tfa_method is AUTHENTICATOR. This should be encrypted with your encryption key prior to sending to the API, similar to other credentials. The secret is typically provided in base32 format from authenticator apps.

tfa_method
enum<string> | null

Two-factor authentication method

Available options:
AUTHENTICATOR,
EMAIL,
MAGIC_LINK,
SMS
tfa_email
string | null

Computed email address for TFA codes when tfa_method is EMAIL. CloudCruise generates this as info+{permissioned_user_id}+{site_identifier}@cloudcruise.com, where site_identifier is derived from the vault entry domain. This field is read-only and cannot be set via the API.

tfa_phone_number
string | null

Computed phone number for TFA codes when tfa_method is SMS. This is automatically determined based on workspace configuration or defaults to CloudCruise's default phone number. This field is read-only and cannot be set via the API.

workspace_id
string<uuid>

The workspace this vault entry belongs to

user_id
string<uuid> | null

The user who created this vault entry

created_at
string<date-time> | null

Timestamp when the vault entry was created

updated_at
string<date-time> | null

Timestamp when the vault entry was last updated

session_storage
object

Session storage data

local_storage
object

Local storage data

cookies
object[] | null

Active vault entry cookies

persist_local_storage
boolean

Whether to maintain local storage across sessions

persist_cookies
boolean

Whether to maintain cookies across sessions

persist_session_storage
boolean

Whether to maintain session storage across sessions

skip_csrf_cookies
boolean

Whether to skip injecting CSRF-related cookies (e.g. XSRF-TOKEN) during session restore, allowing the server to generate fresh tokens

cookie_domain_to_store
string | null

Specific domain to use when storing cookies

allow_multiple_sessions
boolean

Whether to allow multiple concurrent sessions

max_concurrency
integer | null

Maximum number of concurrent sessions allowed (null for unlimited)

prevent_concurrency_during_login
boolean | null

Whether to prevent other sessions from starting while login is in progress

expiry_time_from_last_use
string | null

Session expiry interval from last activity (e.g., "01:30:00" for 1.5 hours). Set to null for no expiry from last use.

expiry_time_from_session_data_set
string | null

Session expiry interval from creation (e.g., "7 days 00:00:00" for 7 days). Set to null for no expiry from session data set.

effective_expires_at
string<date-time> | null

Computed timestamp when the session data expires based on expiry settings

session_data_set_at
string<date-time> | null

Timestamp when the session data (cookies, storage) was last set

ip_address
string | null

Legacy field for target IP address (deprecated, use proxy.target_ip instead)

location
string | null

Geographic location associated with this vault entry

proxy_string
string | null

The assigned proxy connection string for this vault entry. This is automatically assigned based on the proxy configuration provided when creating/updating the entry. Format: ip:port (e.g., "91.124.2.237:61234")

proxy_setting
enum<string> | null

The proxy mode for this vault entry.

  • random / static / country: use CloudCruise's managed proxy pool.
  • custom: use the bring-your-own proxy URL stored in proxy_value (Enterprise only).
Available options:
random,
static,
country,
custom
proxy_value
string | null

The proxy selector for this entry, interpreted per proxy_setting. Not set for random.

  • static: the target IP address (plaintext).
  • country: the country code (plaintext).
  • custom: the bring-your-own proxy URL, returned encrypted with the workspace's AES-256 key (the same scheme as password). Decrypt it client-side with your key.
secret_provider_id
string<uuid> | null

The external secret provider connection this entry is bound to (e.g. 1Password), or null for a directly-stored credential. When set, user_name/password are null and resolved live at run time.

secret_ref
string | null

Reference to the bound item within the secret provider (e.g. op://<vaultId>/<itemId> for 1Password). Null unless secret_provider_id is set.

secret_cache_ttl_seconds
integer | null

Per-entry override for how long resolved secrets are cached (seconds), or null to use the connection default.