Vault | Node.js SDK
Vault
constructor(token: PangeaToken, config: PangeaConfig): VaultServiceCreates a new VaultService with the given Pangea API token and
configuration.
const config = new PangeaConfig({ domain: "pangea_domain" });
const vault = new VaultService("pangea_token", config);Asymmetric generate
asymmetricGenerate(request: GenerateRequest): Promise<PangeaResponse<GenerateResult>>Generate an asymmetric key.
const response = await vault.asymmetricGenerate(
{
algorithm: Vault.AsymmetricAlgorithm.RSA2048_PKCS1V15_SHA256,
purpose: Vault.KeyPurpose.SIGNING,
name: "my-very-secret-secret",
folder: "/personal",
metadata: {
"created_by": "John Doe",
"used_in": "Google products"
},
tags: ["irs_2023", "personal"],
rotation_frequency: "10d",
rotation_state: Vault.ItemVersionState.DEACTIVATED,
expiration: "2025-01-01T10:00:00Z",
}
);Asymmetric store
asymmetricStore(request: StoreRequest): Promise<PangeaResponse<StoreResult>>Import an asymmetric key.
const response = await vault.asymmetricStore(
{
private_key: "private key example",
public_key: "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA8s5JopbEPGBylPBcMK+L5PqHMqPJW/5KYPgBHzZGncc=\n-----END PUBLIC KEY-----",
algorithm: Vault.AsymmetricAlgorithm.RSA2048_PKCS1V15_SHA256,
purpose: Vault.KeyPurpose.SIGNING,
name: "my-very-secret-secret",
folder: "/personal",
metadata: {
"created_by": "John Doe",
"used_in": "Google products"
},
tags: ["irs_2023", "personal"],
rotation_frequency: "10d",
rotation_state: Vault.ItemVersionState.DEACTIVATED,
expiration: "2025-01-01T10:00:00Z",
}
);Decrypt
decrypt(request: DecryptRequest): Promise<PangeaResponse<DecryptResult>>Decrypt a message using a key.
const response = await vault.decrypt({
id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
cipher_text: "lJkk0gCLux+Q+rPNqLPEYw==",
version: 1
});Decrypt structured
decryptStructured(request: EncryptStructuredRequest): Promise<PangeaResponse<EncryptStructuredResult<O>>>Decrypt parts of a JSON object.
const response = await vault.decryptStructured({
id: "pvi_[...]",
structured_data: {"field1": [1, 2, "[...]", "[...]"], "field2": "data2"},
filter: "$.field1[2:4]",
});Decrypt transform
decryptTransform(request: DecryptTransformRequest): Promise<PangeaResponse<DecryptTransformResult>>Decrypt using a format-preserving algorithm (FPE).
const response = await vault.decryptTransform({
id: "pvi_[...]",
cipher_text: "tZB-UKVP-MzTM",
tweak: "MTIzMTIzMT==",
alphabet: Vault.TransformAlphabet.ALPHANUMERIC,
});Delete
delete(id: string): Promise<PangeaResponse<DeleteResult>>Delete a secret or key.
const response = await vault.delete(
"pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5"
);Encrypt
encrypt(request: EncryptRequest): Promise<PangeaResponse<EncryptResult>>Encrypt a message using a key.
const response = await vault.encrypt({
id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
plain_text: "lJkk0gCLux+Q+rPNqLPEYw=="
});Encrypt structured
encryptStructured(request: EncryptStructuredRequest): Promise<PangeaResponse<EncryptStructuredResult<O>>>Encrypt parts of a JSON object.
const response = await vault.encryptStructured({
id: "pvi_[...]",
structured_data: {"field1": [1, 2, "true", "false"], "field2": "data2"},
filter: "$.field1[2:4]",
});Encrypt transform
encryptTransform(request: EncryptTransformRequest): Promise<PangeaResponse<EncryptTransformResult>>Encrypt using a format-preserving algorithm (FPE).
const response = await vault.encryptTransform({
id: "pvi_[...]",
plain_text: "123-4567-8901",
tweak: "MTIzMTIzMT==",
alphabet: Vault.TransformAlphabet.ALPHANUMERIC,
});Export
export(request: ExportRequest): Promise<PangeaResponse<ExportResult>>Export a symmetric or asymmetric key.
// Generate an exportable key.
const generated = await vault.asymmetricGenerate(
Vault.AsymmetricAlgorithm.RSA4096_OAEP_SHA512,
Vault.KeyPurpose.ENCRYPTION,
"a-name-for-the-key",
{ exportable: true }
);
// Then it can be exported whenever needed.
const exported = await vault.export({ id: generated.result.id });Create
folderCreate(request: CreateRequest): Promise<PangeaResponse<CreateResult>>Creates a folder.
const createParentResp = await vault.folderCreate({
name: "folder_name",
folder: "parent/folder/name",
});Get Bulk
getBulk(request: GetBulkRequest): Promise<PangeaResponse<ListResult>>Retrieve a list of secrets, keys and folders.
const response = await vault.getBulk(
{
filter: {
folder: "/",
type: "asymmetric_key",
name__contains: "test",
metadata_key1: "value1",
created_at__lt: "2023-12-12T00:00:00Z",
},
last: "WyIvdGVzdF8yMDdfc3ltbWV0cmljLyJd",
order: Vault.ItemOrder.ASC,
order_by: Vault.ItemOrderby.NAME,
size=20,
}
);Retrieve
getItem(request: GetRequest): Promise<PangeaResponse<GetResult>>Retrieve a secret or key, and any associated information.
const response = await vault.getItem(
{
id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
version: 1,
version_state: Vault.ItemVersionState.ACTIVE,
verbose: true,
}
);JWT Retrieve
jwkGet(request: GetRequest): Promise<PangeaResponse<GetResult>>Retrieve a key in JWK format.
const response = await vault.jwkGet(
"pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5"
);JWT Sign
jwtSign(id: string, payload: string): Promise<PangeaResponse<SignResult>>Sign a JSON Web Token (JWT) using a key.
const response = await vault.jwtSign(
"pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
"{\"sub\": \"1234567890\",\"name\": \"John Doe\",\"admin\": true}"
);JWT Verify
jwtVerify(jws: string): Promise<PangeaResponse<VerifyResult>>Verify the signature of a JSON Web Token (JWT).
const response = await vault.jwtVerify(
"ewogICJhbGciO..."
);Key rotate
keyRotate(request: RotateRequest): Promise<PangeaResponse<RotateResult>>Manually rotate a symmetric or asymmetric key.
const response = await vault.keyRotate(
"pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
{
rotation_state: Vault.ItemVersionState.DEACTIVATED,
key: "lJkk0gCLux+Q+rPNqLPEYw==",
}
);List
list(request: ListRequest): Promise<PangeaResponse<ListResult>>Look up a list of secrets, keys and folders, and their associated information.
const response = await vault.list(
{
filter: {
folder: "/",
type: "asymmetric_key",
name__contains: "test",
metadata_key1: "value1",
created_at__lt: "2023-12-12T00:00:00Z",
},
last: "WyIvdGVzdF8yMDdfc3ltbWV0cmljLyJd",
order: Vault.ItemOrder.ASC,
order_by: Vault.ItemOrderby.NAME,
size=20,
}
);Secret rotate
secretRotate(request: RotateRequest): Promise<PangeaResponse<RotateResult>>Rotate a secret.
const response = await vault.secretRotate(
{
id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
secret: "12sdfgs4543qv@#%$casd",
rotation_state: Vault.ItemVersionState.DEACTIVATED,
}
);Secret store
secretStore(request: StoreRequest): Promise<PangeaResponse<StoreResult>>Import a secret.
const response = await vault.secretStore(
{
secret: "12sdfgs4543qv@#%$casd",
name: "my-very-secret-secret",
folder: "/personal",
metadata: {
"created_by": "John Doe",
"used_in": "Google products"
},
tags: ["irs_2023", "personal"],
rotation_frequency: "10d",
rotation_state: Vault.ItemVersionState.DEACTIVATED,
expiration: "2025-01-01T10:00:00Z",
}
);Sign
sign(id: string, message: string): Promise<PangeaResponse<SignResult>>Sign a message using a key.
const response = await vault.sign(
"pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
"lJkk0gCLux+Q+rPNqLPEYw=="
);State change
stateChange(request: StateChangeRequest): Promise<PangeaResponse<StateChangeResult>>Change the state of a specific version of a secret or key.
const response = await vault.stateChange( {
id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
state: Vault.ItemVersionState.DEACTIVATED
});Symmetric generate
symmetricGenerate(request: GenerateRequest): Promise<PangeaResponse<GenerateResult>>Generate a symmetric key.
const response = await vault.symmetricGenerate(
{
algorithm: Vault.SymmetricAlgorithm.AES128_CFB,
purpose: Vault.KeyPurpose.ENCRYPTION,
name: "my-very-secret-secret",
folder: "/personal",
metadata: {
"created_by": "John Doe",
"used_in": "Google products"
},
tags: ["irs_2023", "personal"],
rotation_frequency: "10d",
rotation_state: Vault.ItemVersionState.DEACTIVATED,
expiration: "2025-01-01T10:00:00Z",
}
);Symmetric store
symmetricStore(request: StoreRequest): Promise<PangeaResponse<StoreResult>>Import a symmetric key.
const response = await vault.symmetricStore(
{
keY: "lJkk0gCLux+Q+rPNqLPEYw==",
algorithm: Vault.SymmetricAlgorithm.AES128_CFB,
purpose: Vault.KeyPurpose.ENCRYPTION,
name: "my-very-secret-secret",
folder: "/personal",
metadata: {
"created_by": "John Doe",
"used_in": "Google products"
},
tags: ["irs_2023", "personal"],
rotation_frequency: "10d",
rotation_state: Vault.ItemVersionState.DEACTIVATED,
expiration: "2025-01-01T10:00:00Z",
}
);Update
update(request: UpdateRequest): Promise<PangeaResponse<UpdateResult>>Update information associated with a secret or key.
const response = await vault.update(
{
id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
name: "my-very-secret-secret",
folder: "/personal",
metadata: {
"created_by": "John Doe",
"used_in": "Google products"
},
tags: ["irs_2023", "personal"],
rotation_frequency: "10d",
rotation_state: Vault.ItemVersionState.DEACTIVATED,
rotation_grace_period: "1d",
expiration: "2025-01-01T10:00:00Z",
item_state: Vault.ItemState.DISABLED,
}
);Verify
verify(request: VerifyRequest): Promise<PangeaResponse<VerifyResult>>Verify a signature using a key.
const response = await vault.verify({
id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
message: "lJkk0gCLux+Q+rPNqLPEYw=="
signature: "FfWuT2Mq/+cxa7wIugfhzi7ktZxVf926idJNgBDCysF/knY9B7M6wxqHMMPDEBs86D8OsEGuED21y3J7IGOpCQ==",
});Namespace Asymmetric
AsymmetricNamespace Common
CommonNamespace Folder
FolderNamespace JWK
JWKNamespace JWT
JWTNamespace Key
KeyNamespace Secret
SecretNamespace Symmetric
SymmetricEnum AsymmetricAlgorithm
AsymmetricAlgorithmEd25519 = "ED25519"
Ed25519_DILITHIUM2_BETA = "ED25519-DILITHIUM2-BETA"
Ed448_DILITHIUM3_BETA = "ED448-DILITHIUM3-BETA"
ES256 = "ES256"
ES256K = "ES256K"
ES384 = "ES384"
ES512 = "ES512"
FALCON_1024_BETA = "FALCON-1024-BETA"
RSA = "RSA-PKCS1V15-2048-SHA256"
RSA2048_OAEP_SHA1 = "RSA-OAEP-2048-SHA1"
RSA2048_OAEP_SHA256 = "RSA-OAEP-2048-SHA256"
RSA2048_OAEP_SHA512 = "RSA-OAEP-2048-SHA512"
RSA2048_PKCS1V15_SHA256 = "RSA-PKCS1V15-2048-SHA256"
RSA2048_PSS_SHA256 = "RSA-PSS-2048-SHA256"
RSA3072_OAEP_SHA1 = "RSA-OAEP-3072-SHA1"
RSA3072_OAEP_SHA256 = "RSA-OAEP-3072-SHA256"
RSA3072_OAEP_SHA512 = "RSA-OAEP-3072-SHA512"
RSA3072_PSS_SHA256 = "RSA-PSS-3072-SHA256"
RSA4096_OAEP_SHA1 = "RSA-OAEP-4096-SHA1"
RSA4096_OAEP_SHA256 = "RSA-OAEP-4096-SHA256"
RSA4096_OAEP_SHA512 = "RSA-OAEP-4096-SHA512"
RSA4096_PSS_SHA256 = "RSA-PSS-4096-SHA256"
RSA4096_PSS_SHA512 = "RSA-PSS-4096-SHA512"
SPHINCSPLUS_128F_SHA256_ROBUST_BETA = "SPHINCSPLUS-128F-SHA256-ROBUST-BETA"
SPHINCSPLUS_128F_SHA256_SIMPLE_BETA = "SPHINCSPLUS-128F-SHA256-SIMPLE-BETA"
SPHINCSPLUS_128F_SHAKE256_ROBUST_BETA = "SPHINCSPLUS-128F-SHAKE256-ROBUST-BETA"
SPHINCSPLUS_128F_SHAKE256_SIMPLE_BETA = "SPHINCSPLUS-128F-SHAKE256-SIMPLE-BETA"
SPHINCSPLUS_192F_SHA256_ROBUST_BETA = "SPHINCSPLUS-192F-SHA256-ROBUST-BETA"
SPHINCSPLUS_192F_SHA256_SIMPLE_BETA = "SPHINCSPLUS-192F-SHA256-SIMPLE-BETA"
SPHINCSPLUS_192F_SHAKE256_ROBUST_BETA = "SPHINCSPLUS-192F-SHAKE256-ROBUST-BETA"
SPHINCSPLUS_192F_SHAKE256_SIMPLE_BETA = "SPHINCSPLUS-192F-SHAKE256-SIMPLE-BETA"
SPHINCSPLUS_256F_SHA256_ROBUST_BETA = "SPHINCSPLUS-256F-SHA256-ROBUST-BETA"
SPHINCSPLUS_256F_SHA256_SIMPLE_BETA = "SPHINCSPLUS-256F-SHA256-SIMPLE-BETA"
SPHINCSPLUS_256F_SHAKE256_ROBUST_BETA = "SPHINCSPLUS-256F-SHAKE256-ROBUST-BETA"
SPHINCSPLUS_256F_SHAKE256_SIMPLE_BETA = "SPHINCSPLUS-256F-SHAKE256-SIMPLE-BETA"
Enum ExportEncryptionAlgorithm
ExportEncryptionAlgorithmRSA4096_NO_PADDING_KEM = "RSA-NO-PADDING-4096-KEM"
RSA4096_OAEP_SHA512 = "RSA-OAEP-4096-SHA512"
Enum ExportEncryptionType
ExportEncryptionTypeASYMMETRIC = "asymmetric"
KEM = "kem"
Enum ItemOrder
ItemOrderASC = "asc"
DESC = "desc"
Enum ItemOrderBy
ItemOrderByCREATED_AT = "created_at"
DESTROYED_AT = "destroyed_at"
EXPIRATION = "expiration"
FOLDER = "folder"
LAST_ROTATED = "last_rotated"
NAME = "name"
NEXT_ROTATION = "next_rotation"
PURPOSE = "purpose"
TYPE = "type"
VERSION = "version"
Enum ItemState
ItemStateDISABLED = "disabled"
ENABLED = "enabled"
Enum ItemType
ItemTypeASYMMETRIC_KEY = "asymmetric_key"
FOLDER = "folder"
PANGEA_CLIENT_SECRET = "pangea_client_secret"
PANGEA_PLATFORM_CLIENT_SECRET = "pangea_platform_client_secret"
PANGEA_TOKEN = "pangea_token"
SECRET = "secret"
SYMMETRIC_KEY = "symmetric_key"
Enum ItemVersionState
ItemVersionStateACTIVE = "active"
COMPROMISED = "compromised"
DEACTIVATED = "deactivated"
DESTROYED = "destroyed"
INHERITED = "inherited"
SUSPENDED = "suspended"
Enum KeyPurpose
KeyPurposeENCRYPTION = "encryption"
FPE = "fpe"
JWT = "jwt"
SIGNING = "signing"
Enum SymmetricAlgorithm
SymmetricAlgorithmAES = "AES-CFB-128"
AES128_CBC = "AES-CBC-128"
AES128_CFB = "AES-CFB-128"
AES128_FF3_1 = "AES-FF3-1-128-BETA"
AES256_CBC = "AES-CBC-256"
AES256_CFB = "AES-CFB-256"
AES256_FF3_1 = "AES-FF3-1-256-BETA"
AES256_GCM = "AES-GCM-256"
HS256 = "HS256"
HS384 = "HS384"
HS512 = "HS512"
Enum TransformAlphabet
TransformAlphabetALPHA_LOWER = "alphalower"
ALPHA_UPPER = "alphaupper"
ALPHANUMERIC = "alphanumeric"
ALPHANUMERIC_LOWER = "alphanumericlower"
ALPHANUMERIC_UPPER = "alphanumericupper"
NUMERIC = "numeric"