Vault | C# SDK

Vault

VaultClient

Vault client.

var config = new Config("pangea_token", "pangea_domain");
var builder = new VaultClient.Builder(config);
var client = builder.Build();

Change state

VaultClient.StateChange(string, int, ItemVersionState)

Change the state of a specific version of a secret or key.

required parameters

id

string

The item ID

version

int

The item version

state

ItemVersionState

The new state of the item version

Response Object

Task<Response<StateChangeResult>>

Response<StateChangeResult>

var response = await client.StateChange(
    "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
    1,
    ItemVersionState.Deactivated
);

Delete

VaultClient.Delete(string)

Delete a secret, key or folder.

required parameters

id

string

The item ID

Response Object

Task<Response<DeleteResult>>

Response<DeleteResult>

await client.Delete("pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5");

Retrieve

VaultClient.Get(GetRequest)

Retrieve a secret, key or folder, and any associated information.

required parameters

request

GetRequest

The request to the '/get' endpoint.

Response Object

Task<Response<GetResult>>

The response containing the retrieved information.

var request = new GetRequest
    ("pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5")
    ;
var response = await client.Get(request);

Get Bulk

VaultClient.GetBulk(GetBulkRequest)

Retrieve a list of secrets, keys and folders.

required parameters

request

GetBulkRequest

The request to the '/get_bulk' endpoint.

Response Object

Task<Response<GetBulkResult>>

The response containing the retrieved information.

var response = await client.GetBulk(new()
{
    Filter = new Dictionary<string, string>()
        {
            { "id", "pvi_123" }
        }
});

List

VaultClient.List(ListRequest)

Retrieve a list of secrets, keys and folders, and their associated information.

required parameters

request

ListRequest

The request parameters to send to the '/list' endpoint.

Response Object

Task<Response<ListResult>>

The response containing the list of items and their information.

var request = new ListRequest();
var response = await client.List(request);

Update

VaultClient.Update(UpdateRequest)

Update information associated with a secret, key or folder.

required parameters

request

UpdateRequest

The request parameters to send to the update endpoint.

Response Object

Task<Response<UpdateResult>>

The response containing the updated information.

var request = new UpdateRequest
    ("pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5")
    .WithFolder("/personal")
    ;
var response = await client.Update(request);

Secret store

VaultClient.SecretStore(SecretStoreRequest)

Store a secret in the vault service.

required parameters

request

SecretStoreRequest

The request parameters to send to the '/secret/store' endpoint.

Response Object

Task<Response<SecretStoreResult>>

The response containing the stored secret information.

var request = new SecretStoreRequest
    ("12sdfgs4543qv@#%$casd", "my-very-secret-secret")
    ;
var response = await client.SecretStore(request);

Secret rotate

VaultClient.SecretRotate(SecretRotateRequest)

Rotate a secret in the vault service.

required parameters

request

SecretRotateRequest

The secret rotate request.

Response Object

Task<Response<SecretRotateResult>>

The response containing the rotated secret information.

var request = new SecretRotateRequest(
        "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
        "12sdfgs4543qv@#%$casd")
    .WithRotationState(ItemVersionState.Deactivated)
    ;
var response = await client.SecretRotate(request);

Symmetric generate

VaultClient.SymmetricGenerate(SymmetricGenerateRequest)

Generate a symmetric key.

required parameters

request

SymmetricGenerateRequest

The request parameters to send to the '/key/generate' endpoint.

Response Object

Task<Response<SymmetricGenerateResult>>

The response containing the generated symmetric key information.

SymmetricGenerateRequest request = new SymmetricGenerateRequest
    (
        SymmetricAlgorithm.AES128_CFB,
        KeyPurpose.Encryption,
        "my-very-secret-secret")
    ;
var response = await client.SymmetricGenerate(request);

Asymmetric generate

VaultClient.AsymmetricGenerate(AsymmetricGenerateRequest)

Generate an asymmetric key.

required parameters

request

AsymmetricGenerateRequest

The request parameters to send to the '/key/generate' endpoint.

Response Object

Task<Response<AsymmetricGenerateResult>>

The response containing the generated asymmetric key information.

AsymmetricGenerateRequest request = new AsymmetricGenerateRequest
    (
        AsymmetricAlgorithm.ED25519,
        KeyPurpose.Signing,
        "my-very-secret-secret")
    ;
var response = await client.AsymmetricGenerate(request);

Asymmetric store

VaultClient.AsymmetricStore(AsymmetricStoreRequest)

Import an asymmetric key.

required parameters

request

AsymmetricStoreRequest

The request parameters to send to the '/key/store' endpoint.

Response Object

Task<Response<AsymmetricStoreResult>>

The response containing the stored asymmetric key information.

AsymmetricStoreRequest request = new AsymmetricStoreRequest
    (
        "encoded private key",
        "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA8s5JopbEPGBylPBcMK+L5PqHMqPJW/5KYPgBHzZGncc=\n-----END PUBLIC KEY-----",
        AsymmetricAlgorithm.RSA4096_OAEP_SHA256,
        KeyPurpose.Signing,
        "my-very-secret-secret")
    ;
var response = await client.AsymmetricStore(request);

Symmetric store

VaultClient.SymmetricStore(SymmetricStoreRequest)

Import a symmetric key.

required parameters

request

SymmetricStoreRequest

The request parameters to send to the '/key/store' endpoint.

Response Object

Task<Response<SymmetricStoreResult>>

The response containing the stored symmetric key information.

SymmetricStoreRequest request = new SymmetricStoreRequest
    (
        "lJkk0gCLux+Q+rPNqLPEYw==",
        SymmetricAlgorithm.AES128_CFB,
        KeyPurpose.Encryption,
        "my-very-secret-secret")
    ;
var response = await client.SymmetricStore(request);

Rotate

VaultClient.KeyRotate(KeyRotateRequest)

Manually rotate a symmetric or asymmetric key.

required parameters

request

KeyRotateRequest

The request parameters to send to the '/key/rotate' endpoint.

Response Object

Task<Response<KeyRotateResult>>

The response containing the rotated key information.

KeyRotateRequest request = new KeyRotateRequest
    (
        "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
        ItemVersionState.Deactivated)
    .WithEncodedSymmetricKey("lJkk0gCLux+Q+rPNqLPEYw==")
    ;
var response = await client.KeyRotate(request);

Encrypt

VaultClient.Encrypt(EncryptRequest)

Encrypt a message using a key.

required parameters

request

EncryptRequest

The request parameters to send to the '/key/encrypt' endpoint.

Response Object

Task<Response<EncryptResult>>

The response containing the encrypted message.

EncryptRequest request = new EncryptRequest
    (
        "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
        "lJkk0gCLux+Q+rPNqLPEYw==")
    .WithVersion(2)
    ;
var response = await client.Encrypt(request);

Decrypt

VaultClient.Decrypt(DecryptRequest)

Decrypt a message using a key.

required parameters

request

DecryptRequest

The request parameters to send to the '/key/decrypt' endpoint.

Response Object

Task<Response<DecryptResult>>

The response containing the decrypted message.

DecryptRequest request = new DecryptRequest
    (
        "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
        "lJkk0gCLux+Q+rPNqLPEYw==")
    .WithVersion(2)
    ;
var response = await client.Decrypt(request);

Sign

VaultClient.Sign(SignRequest)

Sign a message using a key.

required parameters

request

SignRequest

The request parameters to send to the '/key/sign' endpoint.

Response Object

Task<Response<SignResult>>

The response containing the signed message.

SignRequest request = new SignRequest
    (
        "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
        "lJkk0gCLux+Q+rPNqLPEYw==")
    ;
var response = await client.Sign(request);

JWT Sign

VaultClient.JWTSign(string, string)

Sign a JSON Web Token (JWT) using a key.

required parameters

id

string

The key ID to sign the payload.

payload

string

The JWT payload (in JSON).

Response Object

Task<Response<JWTSignResult>>

The response containing the signed JWT.

string payload = "{\"sub\": \"1234567890\",\"name\": \"John Doe\",\"admin\": true}";
var response = await client
    .JWTSign("pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5", payload);

Verify

VaultClient.Verify(VerifyRequest)

Verify a signature using a key.

required parameters

request

VerifyRequest

The request containing the key ID, message, and signature to verify.

Response Object

Task<Response<VerifyResult>>

The response indicating whether the signature is valid or not.

var request = new VerifyRequest
    (
        "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
        "data2verify",
        "signature")
    ;
var response = await client.Verify(request);

JWT Verify

VaultClient.JWTVerify(JWTVerifyRequest)

Verify the signature of a JSON Web Token (JWT).

required parameters

request

JWTVerifyRequest

The request containing the JWT signature to verify.

Response Object

Task<Response<JWTVerifyResult>>

The response containing the verification result.

var request = new JWTVerifyRequest
    ("ewogICJhbGciO...")
    ;
var verifyResponse = await client.JWTVerify(request);

JWT Retrieve

VaultClient.JWKGet(JWKGetRequest)

Retrieve a key in JWK format.

required parameters

request

JWKGetRequest

The request containing the item ID and version to retrieve.

Response Object

Task<Response<JWKGetResult>>

The response containing the JWK key.

var request = new JWKGetRequest
    ("jwkid")
    .WithVersion("2")
    ;
var response = await client.JWKGet(request)

Create

VaultClient.FolderCreate(FolderCreateRequest)

Creates a folder.

required parameters

request

FolderCreateRequest

The request parameters to send to the '/folder/create' endpoint.

Response Object

Task<Response<FolderCreateResult>>

The response containing the created folder information.

var request = new FolderCreateRequest
    (
        "folder_name",
        "parent/folder/name")
    ;
var response = await client.FolderCreate(request);

Encrypt structured

VaultClient.EncryptStructured<T>(EncryptStructuredRequest<T>, CancellationToken)

Encrypt parts of a JSON object.

required parameters

request

EncryptStructuredRequest<T>

Request parameters.

cancellationToken

CancellationToken

Cancellation token.

Response Object

Task<Response<EncryptStructuredResult<T>>>

Encrypted result.

var data = new SomeModel { Name = "...", Occupation = "..." };
var request = new EncryptStructuredRequest<SomeModel>(encryptionKeyId, data, "$.name");
var response = await client.EncryptStructured(request);

Decrypt structured

VaultClient.DecryptStructured<T>(EncryptStructuredRequest<T>, CancellationToken)

Decrypt parts of a JSON object.

required parameters

request

EncryptStructuredRequest<T>

Request parameters.

cancellationToken

CancellationToken

Cancellation token.

Response Object

Task<Response<EncryptStructuredResult<T>>>

Decrypted result.

var data = new SomeModel { Name = "...", Occupation = "..." };
var request = new EncryptStructuredRequest<SomeModel>(encryptionKeyId, data, "$.name");
var response = await client.DecryptStructured(request);

Encrypt transform

VaultClient.EncryptTransform(EncryptTransformRequest, CancellationToken)

Encrypt using a format-preserving algorithm (FPE).

required parameters

request

EncryptTransformRequest

Request parameters.

cancellationToken

CancellationToken

Cancellation token.

Response Object

Task<Response<EncryptTransformResult>>

Encrypted result.

var request = new EncryptTransformRequest
{
    ID = "pvi_[...]",
    PlainText = "123-4567-8901",
    Tweak = "MTIzMTIzMT==",
    Alphabet = TransformAlphabet.ALPHANUMERIC
};
var encrypted = await client.EncryptTransform(request);

Decrypt transform

VaultClient.DecryptTransform(DecryptTransformRequest, CancellationToken)

Decrypt using a format-preserving algorithm (FPE).

required parameters

request

DecryptTransformRequest

Request parameters.

cancellationToken

CancellationToken

Cancellation token.

Response Object

Task<Response<DecryptTransformResult>>

Decrypted result.

var request = new DecryptTransformRequest
{
    ID = "pvi_[...]",
    CipherText = "123-4567-8901",
    Tweak = "MTIzMTIzMT==",
    Alphabet = TransformAlphabet.ALPHANUMERIC
};
var decrypted = await client.DecryptTransform(decryptRequest);

Export

VaultClient.Export(ExportRequest, CancellationToken)

Export a symmetric or asymmetric key.

required parameters

request

ExportRequest

Request parameters.

cancellationToken

CancellationToken

Cancellation token.

Response Object

Task<Response<ExportResult>>

Exported result.

// Generate an exportable key.
var generateRequest = new AsymmetricGenerateRequest(
    AsymmetricAlgorithm.RSA4096_PSS_SHA512,
    KeyPurpose.Encryption,
    "a-name-for-the-key"
).WithExportable(true);
var generated = await client.AsymmetricGenerate(generateRequest);
var key = generated.Result.ID;

// Then it can be exported whenever needed.
var exported = await client.Export(new ExportRequest(id: key));