Vault | Node.js SDK
Vault
constructor(token: PangeaToken, config: PangeaConfig): VaultService
Creates a new VaultService with the given Pangea API token and configuration.
// "pangea_domain" and "pangea_token" are placeholders. In a deployed service,
// read the token from the environment or a secrets manager rather than
// committing it to source control.
const config = new PangeaConfig({
  domain: "pangea_domain",
});
const vault = new VaultService(
  "pangea_token",
  config
);
Asymmetric generate
asymmetricGenerate(algorithm: AsymmetricAlgorithm, purpose: KeyPurpose, name: string, options: GenerateOptions): Promise<PangeaResponse<GenerateResult>>
Generate an asymmetric key.
// Settings stored alongside the key. The name, tags and metadata are
// descriptive labels, so keep sensitive values out of them.
const generateOptions = {
  folder: "/personal",
  metadata: {
    "created_by": "John Doe",
    "used_in": "Google products",
  },
  tags: ["irs_2023", "personal"],
  // Rotation policy: a frequency of "10d", plus the state used on rotation
  // (presumably applied to the superseded version; confirm in the API reference).
  rotation_frequency: "10d",
  rotation_state: Vault.ItemVersionState.DEACTIVATED,
  expiration: "2025-01-01T10:00:00Z",
};

// Generate an RSA-2048 PKCS#1 v1.5 / SHA-256 key whose purpose is signing.
const response = await vault.asymmetricGenerate(
  Vault.AsymmetricAlgorithm.RSA2048_PKCS1V15_SHA256,
  Vault.KeyPurpose.SIGNING,
  "my-very-secret-secret",
  generateOptions
);
Asymmetric store
asymmetricStore(privateKey: string, publicKey: string, algorithm: AsymmetricAlgorithm, purpose: KeyPurpose, name: string, options: StoreOptions): Promise<PangeaResponse<StoreResult>>
Import an asymmetric key.
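// Import an existing key pair for signing.
// The sample public key is an Ed25519 SubjectPublicKeyInfo PEM, so the
// algorithm must be Ed25519; an RSA algorithm would not match the key material.
// "private key example" is a placeholder: load the real private key from a
// protected source at runtime and never embed it in code or logs.
const response = await vault.asymmetricStore(
  "private key example",
  "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA8s5JopbEPGBylPBcMK+L5PqHMqPJW/5KYPgBHzZGncc=\n-----END PUBLIC KEY-----",
  Vault.AsymmetricAlgorithm.Ed25519,
  Vault.KeyPurpose.SIGNING,
  "my-very-secret-secret",
  {
    folder: "/personal",
    // Descriptive labels only; keep sensitive values out of metadata and tags.
    metadata: {
      "created_by": "John Doe",
      "used_in": "Google products",
    },
    tags: ["irs_2023", "personal"],
    rotation_frequency: "10d",
    rotation_state: Vault.ItemVersionState.DEACTIVATED,
    expiration: "2025-01-01T10:00:00Z",
  }
);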
Decrypt
decrypt(id: string, cipherText: string, options: DecryptOptions): Promise<PangeaResponse<DecryptResult>>
Decrypt a message using a key.
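// Decrypt a ciphertext with version 1 of the key.
// The third parameter is an options object (see the signature above), so the
// key version is passed as a named field rather than as a bare number.
const response = await vault.decrypt(
  "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  "lJkk0gCLux+Q+rPNqLPEYw==",
  { version: 1 }
);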
Decrypt structured
decryptStructured(request: EncryptStructuredRequest): Promise<PangeaResponse<EncryptStructuredResult<O>>>
Decrypt parts of a JSON object.
// The "[...]" strings stand in for ciphertext values and an elided key id.
// The filter looks like a JSONPath expression selecting the values to decrypt
// (here, elements 2 and 3 of field1); confirm the syntax in the API reference.
const decryptStructuredRequest = {
  id: "pvi_[...]",
  structured_data: { "field1": [1, 2, "[...]", "[...]"], "field2": "data2" },
  filter: "$.field1[2:4]",
};
const response = await vault.decryptStructured(decryptStructuredRequest);
Decrypt transform
decryptTransform(request: DecryptTransformRequest): Promise<PangeaResponse<DecryptTransformResult>>
Decrypt using a format-preserving algorithm (FPE).
// Format-preserving decryption. The tweak and alphabet have to match the
// values used when the text was encrypted; the encryptTransform example on
// this page uses the same tweak and alphabet.
const decryptTransformRequest = {
  id: "pvi_[...]",
  cipher_text: "tZB-UKVP-MzTM",
  tweak: "MTIzMTIzMT==",
  alphabet: Vault.TransformAlphabet.ALPHANUMERIC,
};
const response = await vault.decryptTransform(decryptTransformRequest);
Delete
delete(id: string): Promise<PangeaResponse<DeleteResult>>
Delete a secret or key.
// Delete the item with this Vault id. Data encrypted under a deleted key can
// presumably no longer be decrypted, so confirm nothing depends on it first.
const itemToDelete = "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5";
const response = await vault.delete(itemToDelete);
Encrypt
encrypt(id: string, plainText: string): Promise<PangeaResponse<EncryptResult>>
Encrypt a message using a key.
// Encrypt a message with the key identified by encryptionKeyId.
// The sample plaintext looks base64-encoded; confirm the expected encoding
// in the API reference.
const encryptionKeyId = "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5";
const plainText = "lJkk0gCLux+Q+rPNqLPEYw==";
const response = await vault.encrypt(encryptionKeyId, plainText);
Encrypt structured
encryptStructured(request: EncryptStructuredRequest): Promise<PangeaResponse<EncryptStructuredResult<O>>>
Encrypt parts of a JSON object.
// Only the values selected by the filter are encrypted; everything else in
// structured_data is sent and returned as-is, so make sure the filter covers
// every sensitive field.
const encryptStructuredRequest = {
  id: "pvi_[...]",
  structured_data: { "field1": [1, 2, "true", "false"], "field2": "data2" },
  filter: "$.field1[2:4]",
};
const response = await vault.encryptStructured(encryptStructuredRequest);
Encrypt transform
encryptTransform(request: EncryptTransformRequest): Promise<PangeaResponse<EncryptTransformResult>>
Encrypt using a format-preserving algorithm (FPE).
// Format-preserving encryption of a sample value. Keep the tweak and alphabet
// with the record, because decryption needs the same values.
const encryptTransformRequest = {
  id: "pvi_[...]",
  plain_text: "123-4567-8901",
  tweak: "MTIzMTIzMT==",
  alphabet: Vault.TransformAlphabet.ALPHANUMERIC,
};
const response = await vault.encryptTransform(encryptTransformRequest);
Export
export(request: ExportRequest): Promise<PangeaResponse<ExportResult>>
Export a symmetric or asymmetric key.
// A key has to be created with `exportable: true` before it can be exported.
// Exported key material leaves the Vault, so enable this only for keys that
// genuinely need it and treat the export result as a secret.
const exportableOptions = { exportable: true };
const generated = await vault.asymmetricGenerate(
  Vault.AsymmetricAlgorithm.RSA4096_OAEP_SHA512,
  Vault.KeyPurpose.ENCRYPTION,
  "a-name-for-the-key",
  exportableOptions
);

// Export the key by the id returned from generation.
// NOTE(review): this page also lists an ExportEncryptionAlgorithm enum, which
// suggests the export can be wrapped; check ExportRequest for the options.
const { id: exportableKeyId } = generated.result;
const exported = await vault.export({ id: exportableKeyId });
Create
folderCreate(request: CreateRequest): Promise<PangeaResponse<CreateResult>>
Creates a folder.
// Create "folder_name" under the parent path given in `folder`.
const folderRequest = {
  name: "folder_name",
  folder: "parent/folder/name",
};
const createParentResp = await vault.folderCreate(folderRequest);
Retrieve
getItem(id: string, options: GetOptions): Promise<PangeaResponse<GetResult>>
Retrieve a secret or key, and any associated information.
// Fetch version 1 of the item, in the ACTIVE state, with verbose output.
// The result can carry the secret or key itself, so do not log it whole.
const getOptions = {
  version: 1,
  version_state: Vault.ItemVersionState.ACTIVE,
  verbose: true,
};
const response = await vault.getItem(
  "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  getOptions
);
JWT Retrieve
jwkGet(id: string, options: GetOptions): Promise<PangeaResponse<GetResult>>
Retrieve a key in JWK format.
// Retrieve the key in JWK form, for example to give a verifier the key it
// needs to check tokens signed with jwtSign. The optional GetOptions argument
// is omitted here.
const jwkKeyId = "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5";
const response = await vault.jwkGet(jwkKeyId);
JWT Sign
jwtSign(id: string, payload: string): Promise<PangeaResponse<SignResult>>
Sign a JSON Web Token (JWT) using a key.
// The payload is passed as a JSON string of claims (sample values here).
// Build claims such as "admin" from server-side state, never from
// client-supplied input, since the signature makes them trusted downstream.
const signingKeyId = "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5";
const claimsJson = "{\"sub\": \"1234567890\",\"name\": \"John Doe\",\"admin\": true}";
const response = await vault.jwtSign(signingKeyId, claimsJson);
JWT Verify
jwtVerify(jws: string): Promise<PangeaResponse<VerifyResult>>
Verify the signature of a JSON Web Token (JWT).
// The token below is truncated sample data. Check the VerifyResult before
// trusting any claim in the token; a successful HTTP call alone does not mean
// the signature is valid.
const jws = "ewogICJhbGciO...";
const response = await vault.jwtVerify(jws);
Key rotate
keyRotate(id: string, options: RotateOptions): Promise<PangeaResponse<RotateResult>>
Manually rotate a symmetric or asymmetric key.
// Rotate the key manually. `key` appears to supply the new key material
// (sample value here); confirm in RotateOptions whether omitting it makes the
// Vault generate the material instead.
const rotateOptions = {
  rotation_state: Vault.ItemVersionState.DEACTIVATED,
  key: "lJkk0gCLux+Q+rPNqLPEYw==",
};
const response = await vault.keyRotate(
  "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  rotateOptions
);
List
list(options: ListOptions): Promise<PangeaResponse<ListResult>>
Look up a list of secrets, keys and folders, and their associated information.
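// List asymmetric keys in the root folder whose name contains "test", created
// before the given timestamp, 20 per page, ordered by name ascending.
const response = await vault.list({
  filter: {
    folder: "/",
    type: "asymmetric_key",
    name__contains: "test",
    metadata_key1: "value1",
    created_at__lt: "2023-12-12T00:00:00Z",
  },
  // Presumably the pagination cursor returned by a previous list call; confirm.
  last: "WyIvdGVzdF8yMDdfc3ltbWV0cmljLyJd",
  order: Vault.ItemOrder.ASC,
  // The enum is documented on this page as ItemOrderBy (capital B).
  order_by: Vault.ItemOrderBy.NAME,
  // Object properties use `:`; `size=20` is not valid inside an object literal.
  size: 20,
});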
Token rotate
pangeaTokenRotate(id: string, rotation_grace_period: string): Promise<PangeaResponse<RotateResult>>
Rotate a Pangea token.
// Rotate the stored Pangea token with a grace period of "1d".
// Presumably the previous token stays usable during the grace period (confirm);
// keep it as short as your rollout allows.
const tokenItemId = "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5";
const gracePeriod = "1d";
const response = await vault.pangeaTokenRotate(tokenItemId, gracePeriod);
Pangea token store
pangeaTokenStore(pangeaToken: string, name: string, options: StoreOptions): Promise<PangeaResponse<StoreResult>>
Import a secret.
// Item settings for the stored token. Labels only; no sensitive values here.
const tokenStoreOptions = {
  folder: "/personal",
  metadata: {
    "created_by": "John Doe",
    "used_in": "Google products",
  },
  tags: ["irs_2023", "personal"],
  rotation_frequency: "10d",
  rotation_state: Vault.ItemVersionState.DEACTIVATED,
  expiration: "2025-01-01T10:00:00Z",
};

// Store a Pangea token in the Vault. The token literal is sample data; pass
// the real token from a protected runtime source, not from source code.
const response = await vault.pangeaTokenStore(
  "ptv_x6fdiizbon6j3bsdvnpmwxsz2aan7fqd",
  "my-very-secret-secret",
  tokenStoreOptions
);
Secret rotate
secretRotate(id: string, secret: string, options: RotateOptions): Promise<PangeaResponse<RotateResult>>
Rotate a secret.
// Replace the stored secret with a new value (sample string shown here).
// The new value should come from a secure generator or upstream system at
// runtime rather than being written into code.
const secretRotateOptions = {
  rotation_state: Vault.ItemVersionState.DEACTIVATED,
};
const response = await vault.secretRotate(
  "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  "12sdfgs4543qv@#%$casd",
  secretRotateOptions
);
Secret store
secretStore(secret: string, name: string, options: StoreOptions): Promise<PangeaResponse<StoreResult>>
Import a secret.
// Item settings for the secret. Labels only; keep sensitive values out of
// the name, metadata and tags.
const secretStoreOptions = {
  folder: "/personal",
  metadata: {
    "created_by": "John Doe",
    "used_in": "Google products",
  },
  tags: ["irs_2023", "personal"],
  rotation_frequency: "10d",
  rotation_state: Vault.ItemVersionState.DEACTIVATED,
  expiration: "2025-01-01T10:00:00Z",
};

// The first argument is the secret value itself (sample string here),
// the second is its display name.
const response = await vault.secretStore(
  "12sdfgs4543qv@#%$casd",
  "my-very-secret-secret",
  secretStoreOptions
);
Sign
sign(id: string, message: string): Promise<PangeaResponse<SignResult>>
Sign a message using a key.
// Sign a message with the given key. The sample message looks base64-encoded;
// confirm the expected encoding in the API reference.
const signKeyId = "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5";
const messageToSign = "lJkk0gCLux+Q+rPNqLPEYw==";
const response = await vault.sign(signKeyId, messageToSign);
State change
stateChange(id: string, state: ItemVersionState, options: StateChangeOptions): Promise<PangeaResponse<StateChangeResult>>
Change the state of a specific version of a secret or key.
// Move a version of the item to DEACTIVATED. The optional StateChangeOptions
// argument is omitted here, so no specific version is named in this call.
// ItemVersionState also lists COMPROMISED and SUSPENDED, which may suit
// incident handling.
const targetItemId = "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5";
const newState = Vault.ItemVersionState.DEACTIVATED;
const response = await vault.stateChange(targetItemId, newState);
Symmetric generate
symmetricGenerate(algorithm: SymmetricAlgorithm, purpose: KeyPurpose, name: string, options: GenerateOptions): Promise<PangeaResponse<GenerateResult>>
Generate a symmetric key.
// Item settings for the new key. Labels only; no sensitive values here.
const symmetricGenerateOptions = {
  folder: "/personal",
  metadata: {
    "created_by": "John Doe",
    "used_in": "Google products",
  },
  tags: ["irs_2023", "personal"],
  rotation_frequency: "10d",
  rotation_state: Vault.ItemVersionState.DEACTIVATED,
  expiration: "2025-01-01T10:00:00Z",
};

// Generate an AES-128 key in CFB mode for encryption.
// CFB gives confidentiality only, with no integrity protection; the
// SymmetricAlgorithm enum on this page also lists AES256_GCM, an authenticated
// mode, for data that must be tamper-evident.
const response = await vault.symmetricGenerate(
  Vault.SymmetricAlgorithm.AES128_CFB,
  Vault.KeyPurpose.ENCRYPTION,
  "my-very-secret-secret",
  symmetricGenerateOptions
);
Symmetric store
symmetricStore(key: string, algorithm: SymmetricAlgorithm, purpose: KeyPurpose, name: string, options: StoreOptions): Promise<PangeaResponse<StoreResult>>
Import a symmetric key.
// Item settings for the imported key. Labels only; no sensitive values here.
const symmetricStoreOptions = {
  folder: "/personal",
  metadata: {
    "created_by": "John Doe",
    "used_in": "Google products",
  },
  tags: ["irs_2023", "personal"],
  rotation_frequency: "10d",
  rotation_state: Vault.ItemVersionState.DEACTIVATED,
  expiration: "2025-01-01T10:00:00Z",
};

// Import an existing AES-128 key. The sample is 16 bytes, base64-encoded, which
// matches the AES128_CFB algorithm. Real key material should be read from a
// protected source at runtime and never appear in code, logs or version control.
const response = await vault.symmetricStore(
  "lJkk0gCLux+Q+rPNqLPEYw==",
  Vault.SymmetricAlgorithm.AES128_CFB,
  Vault.KeyPurpose.ENCRYPTION,
  "my-very-secret-secret",
  symmetricStoreOptions
);
Update
update(id: string, options: UpdateOptions): Promise<PangeaResponse<UpdateResult>>
Update information associated with a secret or key.
// Fields to change on the item. This example also sets item_state to DISABLED,
// which presumably blocks further use of the item until it is re-enabled;
// confirm the exact effect in the API reference.
const updateOptions = {
  name: "my-very-secret-secret",
  folder: "/personal",
  metadata: {
    "created_by": "John Doe",
    "used_in": "Google products",
  },
  tags: ["irs_2023", "personal"],
  rotation_frequency: "10d",
  rotation_state: Vault.ItemVersionState.DEACTIVATED,
  rotation_grace_period: "1d",
  expiration: "2025-01-01T10:00:00Z",
  item_state: Vault.ItemState.DISABLED,
};
const response = await vault.update(
  "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  updateOptions
);
Verify
verify(id: string, message: string, signature: string, options: VerifyOptions): Promise<PangeaResponse<VerifyResult>>
Verify a signature using a key.
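// Verify a signature over a message with the given key.
// Arguments are (id, message, signature); the message and the signature are
// separate arguments and need a comma between them.
// Check the VerifyResult before acting on the message; a successful call
// alone does not mean the signature is valid.
const response = await vault.verify(
  "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  "lJkk0gCLux+Q+rPNqLPEYw==",
  "FfWuT2Mq/+cxa7wIugfhzi7ktZxVf926idJNgBDCysF/knY9B7M6wxqHMMPDEBs86D8OsEGuED21y3J7IGOpCQ=="
);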
Namespace Asymmetric
Namespace Common
Namespace Folder
Namespace JWK
Namespace JWT
Namespace Key
Namespace Secret
Namespace Symmetric
Enum AsymmetricAlgorithm
Ed25519
= "ED25519"
Ed25519_DILITHIUM2_BETA
= "ED25519-DILITHIUM2-BETA"
Ed448_DILITHIUM3_BETA
= "ED448-DILITHIUM3-BETA"
ES256
= "ES256"
ES256K
= "ES256K"
ES384
= "ES384"
ES512
= "ES512"
FALCON_1024_BETA
= "FALCON-1024-BETA"
RSA
= "RSA-PKCS1V15-2048-SHA256"
RSA2048_OAEP_SHA1
= "RSA-OAEP-2048-SHA1"
RSA2048_OAEP_SHA256
= "RSA-OAEP-2048-SHA256"
RSA2048_OAEP_SHA512
= "RSA-OAEP-2048-SHA512"
RSA2048_PKCS1V15_SHA256
= "RSA-PKCS1V15-2048-SHA256"
RSA2048_PSS_SHA256
= "RSA-PSS-2048-SHA256"
RSA3072_OAEP_SHA1
= "RSA-OAEP-3072-SHA1"
RSA3072_OAEP_SHA256
= "RSA-OAEP-3072-SHA256"
RSA3072_OAEP_SHA512
= "RSA-OAEP-3072-SHA512"
RSA3072_PSS_SHA256
= "RSA-PSS-3072-SHA256"
RSA4096_OAEP_SHA1
= "RSA-OAEP-4096-SHA1"
RSA4096_OAEP_SHA256
= "RSA-OAEP-4096-SHA256"
RSA4096_OAEP_SHA512
= "RSA-OAEP-4096-SHA512"
RSA4096_PSS_SHA256
= "RSA-PSS-4096-SHA256"
RSA4096_PSS_SHA512
= "RSA-PSS-4096-SHA512"
SPHINCSPLUS_128F_SHA256_ROBUST_BETA
= "SPHINCSPLUS-128F-SHA256-ROBUST-BETA"
SPHINCSPLUS_128F_SHA256_SIMPLE_BETA
= "SPHINCSPLUS-128F-SHA256-SIMPLE-BETA"
SPHINCSPLUS_128F_SHAKE256_ROBUST_BETA
= "SPHINCSPLUS-128F-SHAKE256-ROBUST-BETA"
SPHINCSPLUS_128F_SHAKE256_SIMPLE_BETA
= "SPHINCSPLUS-128F-SHAKE256-SIMPLE-BETA"
SPHINCSPLUS_192F_SHA256_ROBUST_BETA
= "SPHINCSPLUS-192F-SHA256-ROBUST-BETA"
SPHINCSPLUS_192F_SHA256_SIMPLE_BETA
= "SPHINCSPLUS-192F-SHA256-SIMPLE-BETA"
SPHINCSPLUS_192F_SHAKE256_ROBUST_BETA
= "SPHINCSPLUS-192F-SHAKE256-ROBUST-BETA"
SPHINCSPLUS_192F_SHAKE256_SIMPLE_BETA
= "SPHINCSPLUS-192F-SHAKE256-SIMPLE-BETA"
SPHINCSPLUS_256F_SHA256_ROBUST_BETA
= "SPHINCSPLUS-256F-SHA256-ROBUST-BETA"
SPHINCSPLUS_256F_SHA256_SIMPLE_BETA
= "SPHINCSPLUS-256F-SHA256-SIMPLE-BETA"
SPHINCSPLUS_256F_SHAKE256_ROBUST_BETA
= "SPHINCSPLUS-256F-SHAKE256-ROBUST-BETA"
SPHINCSPLUS_256F_SHAKE256_SIMPLE_BETA
= "SPHINCSPLUS-256F-SHAKE256-SIMPLE-BETA"
Enum ExportEncryptionAlgorithm
RSA4096_OAEP_SHA512
= "RSA-OAEP-4096-SHA512"
Enum ItemOrder
ASC
= "asc"
DESC
= "desc"
Enum ItemOrderBy
CREATED_AT
= "created_at"
DESTROYED_AT
= "destroyed_at"
EXPIRATION
= "expiration"
FOLDER
= "folder"
LAST_ROTATED
= "last_rotated"
NAME
= "name"
NEXT_ROTATION
= "next_rotation"
PURPOSE
= "purpose"
TYPE
= "type"
VERSION
= "version"
Enum ItemState
DISABLED
= "disabled"
ENABLED
= "enabled"
Enum ItemType
ASYMMETRIC_KEY
= "asymmetric_key"
PANGEA_TOKEN
= "pangea_token"
SECRET
= "secret"
SYMMETRIC_KEY
= "symmetric_key"
Enum ItemVersionState
ACTIVE
= "active"
COMPROMISED
= "compromised"
DEACTIVATED
= "deactivated"
DESTROYED
= "destroyed"
INHERITED
= "inherited"
SUSPENDED
= "suspended"
Enum KeyPurpose
ENCRYPTION
= "encryption"
FPE
= "fpe"
JWT
= "jwt"
SIGNING
= "signing"
Enum SymmetricAlgorithm
AES
= "AES-CFB-128"
AES128_CBC
= "AES-CBC-128"
AES128_CFB
= "AES-CFB-128"
AES128_FF3_1
= "AES-FF3-1-128-BETA"
AES256_CBC
= "AES-CBC-256"
AES256_CFB
= "AES-CFB-256"
AES256_FF3_1
= "AES-FF3-1-256-BETA"
AES256_GCM
= "AES-GCM-256"
HS256
= "HS256"
HS384
= "HS384"
HS512
= "HS512"
Enum TransformAlphabet
ALPHA_LOWER
= "alphalower"
ALPHA_UPPER
= "alphaupper"
ALPHANUMERIC
= "alphanumeric"
ALPHANUMERIC_LOWER
= "alphanumericlower"
ALPHANUMERIC_UPPER
= "alphanumericupper"
NUMERIC
= "numeric"