Vault | Node.js SDK | Keys Endpoints

Keys Endpoints

Asymmetric generate

asymmetricGenerate(request: GenerateRequest): Promise<PangeaResponse<GenerateResult>>

Generate an asymmetric key.

GenerateRequest

Promise<PangeaResponse<GenerateResult>>
const response = await vault.asymmetricGenerate(
  {
    algorithm: Vault.AsymmetricAlgorithm.RSA2048_PKCS1V15_SHA256,
    purpose: Vault.KeyPurpose.SIGNING,
    name: "my-very-secret-secret",
    folder: "/personal",
    metadata: {
      "created_by": "John Doe",
      "used_in": "Google products"
    },
    tags: ["irs_2023", "personal"],
    rotation_frequency: "10d",
    rotation_state: Vault.ItemVersionState.DEACTIVATED,
    expiration: "2025-01-01T10:00:00Z",
  }
);

Asymmetric store

asymmetricStore(request: StoreRequest): Promise<PangeaResponse<StoreResult>>

Import an asymmetric key.

StoreRequest

The following options are supported:

  • private_key (Vault.EncodedPrivateKey): The private key in PEM format
  • public_key (Vault.EncodedPublicKey): The public key in PEM format
  • algorithm (Vault.AsymmetricAlgorithm): The algorithm of the key. Options listed in Vault documentation.
  • purpose (Vault.KeyPurpose): The purpose of this key. signing, encryption, or jwt.
  • name (string): The name of this item
  • folder (string): The folder where this item is stored
  • metadata (object): User-provided metadata
  • tags (string[]): A list of user-defined tags
  • rotation_frequency (string): Period of time between item rotations, or never to disallow rotation
  • rotation_state (Vault.ItemVersionState): State to which the previous version should transition upon rotation.
  • expiration (string): Expiration timestamp

Promise<PangeaResponse<StoreResult>>
const response = await vault.asymmetricStore(
  {
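    // private_key and public_key must be the PEM encodings of one key pair whose
    // type matches `algorithm`; the sample public key below is an Ed25519 key.
    private_key: "private key example",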
    public_key: "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA8s5JopbEPGBylPBcMK+L5PqHMqPJW/5KYPgBHzZGncc=\n-----END PUBLIC KEY-----",
    algorithm: Vault.AsymmetricAlgorithm.RSA2048_PKCS1V15_SHA256,
    purpose: Vault.KeyPurpose.SIGNING,
    name: "my-very-secret-secret",
    folder: "/personal",
    metadata: {
      "created_by": "John Doe",
      "used_in": "Google products"
    },
    tags: ["irs_2023", "personal"],
    rotation_frequency: "10d",
    rotation_state: Vault.ItemVersionState.DEACTIVATED,
    expiration: "2025-01-01T10:00:00Z",
  }
);
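
A local pre-flight check for the import request above, as an added example that is not part of the Pangea SDK or this reference: it parses the PEM with Node's built-in crypto module, confirms the key type and size fit the declared algorithm, and confirms the private and public halves belong together. `EXPECTED_KEY`, `describePublicKey`, `checkImport` and `isKeyPair` are hypothetical names, and the RSA/2048-bit expectation for `RSA2048_PKCS1V15_SHA256` is an assumption read off the enum member's name.

```javascript
const crypto = require("node:crypto");

// Constructed lookup (assumption): the key material each algorithm name implies.
// Only the algorithm name used on this page is listed; extend it for others.
const EXPECTED_KEY = {
  RSA2048_PKCS1V15_SHA256: { type: "rsa", bits: 2048 },
};

// Parse a PEM public key locally and report its actual type and size.
function describePublicKey(pem) {
  const key = crypto.createPublicKey(pem); // throws on malformed PEM/DER
  const details = key.asymmetricKeyDetails || {};
  return { type: key.asymmetricKeyType, bits: details.modulusLength ?? null };
}

// Return a list of problems; an empty list means the PEM fits the algorithm.
function checkImport(algorithmName, publicKeyPem) {
  const want = EXPECTED_KEY[algorithmName];
  if (!want) return [`no expectation recorded for ${algorithmName}`];
  let got;
  try {
    got = describePublicKey(publicKeyPem);
  } catch (err) {
    return [`public_key does not parse: ${err.code || err.message}`];
  }
  if (got.type !== want.type) {
    return [`key type is ${got.type}, expected ${want.type}`];
  }
  if (got.bits !== want.bits) {
    return [`key size is ${got.bits} bits, expected ${want.bits}`];
  }
  return [];
}

// True when public_key is exactly the public half of private_key: the public
// key is re-derived from the private PEM and the two SPKI encodings compared.
function isKeyPair(privatePem, publicPem) {
  const spki = { type: "spki", format: "der" };
  const derived = crypto.createPublicKey(privatePem).export(spki);
  return derived.equals(crypto.createPublicKey(publicPem).export(spki));
}

// The sample public key from the asymmetricStore call on this page.
const PAGE_SAMPLE_PEM =
  "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEA8s5JopbEPGBylPBcMK+L5PqHMqPJW/5KYPgBHzZGncc=\n-----END PUBLIC KEY-----";

console.log(checkImport("RSA2048_PKCS1V15_SHA256", PAGE_SAMPLE_PEM));
```

Running both checks before calling `asymmetricStore` catches mismatched or mislabeled key material locally, before any private key leaves the host.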

Decrypt

decrypt(request: DecryptRequest): Promise<PangeaResponse<DecryptResult>>

Decrypt a message using a key.

DecryptRequest

Supported options:

  • id (string): The item ID
  • cipher_text (string): A message encrypted by Vault (in base64)
  • version (number): The item version

Promise<PangeaResponse<DecryptResult>>
const response = await vault.decrypt({
  id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  cipher_text: "lJkk0gCLux+Q+rPNqLPEYw==",
  version: 1
});

Decrypt structured

decryptStructured(request: EncryptStructuredRequest): Promise<PangeaResponse<EncryptStructuredResult<O>>>

Decrypt parts of a JSON object.

EncryptStructuredRequest

Request parameters.

Promise<PangeaResponse<EncryptStructuredResult<O>>>
const response = await vault.decryptStructured({
  id: "pvi_[...]",
  structured_data: {"field1": [1, 2, "[...]", "[...]"], "field2": "data2"},
  filter: "$.field1[2:4]",
});

Encrypt

encrypt(request: EncryptRequest): Promise<PangeaResponse<EncryptResult>>

Encrypt a message using a key.

EncryptRequest

Supported options:

  • id (string): The item ID
  • plain_text (string): A message to be encrypted (in base64)

Promise<PangeaResponse<EncryptResult>>
const response = await vault.encrypt({
  id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  plain_text: "lJkk0gCLux+Q+rPNqLPEYw=="
});

Encrypt structured

encryptStructured(request: EncryptStructuredRequest): Promise<PangeaResponse<EncryptStructuredResult<O>>>

Encrypt parts of a JSON object.

EncryptStructuredRequest

Request parameters.

Promise<PangeaResponse<EncryptStructuredResult<O>>>
const response = await vault.encryptStructured({
  id: "pvi_[...]",
  structured_data: {"field1": [1, 2, "true", "false"], "field2": "data2"},
  filter: "$.field1[2:4]",
});

Key rotate

keyRotate(request: RotateRequest): Promise<PangeaResponse<RotateResult>>

Manually rotate a symmetric or asymmetric key.

RotateRequest

Supported options:

  • id (string): The ID of the item
  • rotation_state (Vault.ItemVersionState): State to which the previous version should transition upon rotation. deactivated, suspended, or destroyed. Default is deactivated.
  • public_key (string): The public key (in PEM format)
  • private_key (string): The private key (in PEM format)
  • key (string): The key material (in base64)

Promise<PangeaResponse<RotateResult>>
const response = await vault.keyRotate({
  // The item ID goes inside the single RotateRequest object, per the signature above.
  id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  rotation_state: Vault.ItemVersionState.DEACTIVATED,
  key: "lJkk0gCLux+Q+rPNqLPEYw==",
});

Sign

sign(id: string, message: string): Promise<PangeaResponse<SignResult>>

Sign a message using a key.

string

The item ID

string

The message to be signed, in base64

Promise<PangeaResponse<SignResult>>
const response = await vault.sign(
  "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  "lJkk0gCLux+Q+rPNqLPEYw=="
);

Symmetric generate

symmetricGenerate(request: GenerateRequest): Promise<PangeaResponse<GenerateResult>>

Generate a symmetric key.

GenerateRequest

The following options are supported:

  • algorithm (Vault.SymmetricAlgorithm): The algorithm of the key. Options listed in Vault documentation.
  • purpose (Vault.KeyPurpose): The purpose of this key
  • name (string): The name of this item
  • folder (string): The folder where this item is stored
  • metadata (object): User-provided metadata
  • tags (string[]): A list of user-defined tags
  • rotation_frequency (string): Period of time between item rotations, or never to disallow rotation
  • rotation_state (Vault.ItemVersionState): State to which the previous version should transition upon rotation.
  • expiration (string): Expiration timestamp

Promise<PangeaResponse<GenerateResult>>
const response = await vault.symmetricGenerate(
  {
    algorithm: Vault.SymmetricAlgorithm.AES128_CFB,
    purpose: Vault.KeyPurpose.ENCRYPTION,
    name: "my-very-secret-secret",
    folder: "/personal",
    metadata: {
      "created_by": "John Doe",
      "used_in": "Google products"
    },
    tags: ["irs_2023", "personal"],
    rotation_frequency: "10d",
    rotation_state: Vault.ItemVersionState.DEACTIVATED,
    expiration: "2025-01-01T10:00:00Z",
  }
);

Symmetric store

symmetricStore(request: StoreRequest): Promise<PangeaResponse<StoreResult>>

Import a symmetric key.

StoreRequest

The following options are supported:

  • key (string): The key material (in base64)
  • algorithm (Vault.SymmetricAlgorithm): The algorithm of the key. Options listed in Vault documentation.
  • purpose (Vault.KeyPurpose): The purpose of this key. encryption or jwt
  • name (string): The name of this item
  • folder (string): The folder where this item is stored
  • metadata (object): User-provided metadata
  • tags (string[]): A list of user-defined tags
  • rotation_frequency (string): Period of time between item rotations, or never to disallow rotation
  • rotation_state (Vault.ItemVersionState): State to which the previous version should transition upon rotation.
  • expiration (string): Expiration timestamp

Promise<PangeaResponse<StoreResult>>
const response = await vault.symmetricStore(
  {
    key: "lJkk0gCLux+Q+rPNqLPEYw==",
    algorithm: Vault.SymmetricAlgorithm.AES128_CFB,
    purpose: Vault.KeyPurpose.ENCRYPTION,
    name: "my-very-secret-secret",
    folder: "/personal",
    metadata: {
      "created_by": "John Doe",
      "used_in": "Google products"
    },
    tags: ["irs_2023", "personal"],
    rotation_frequency: "10d",
    rotation_state: Vault.ItemVersionState.DEACTIVATED,
    expiration: "2025-01-01T10:00:00Z",
  }
);

Verify

verify(request: VerifyRequest): Promise<PangeaResponse<VerifyResult>>

Verify a signature using a key.

VerifyRequest

Supported options:

  • id (string): The item ID
  • message (string): The message to be verified (in base64)
  • signature (string): The message signature (in base64)
  • version (number): The item version

Promise<PangeaResponse<VerifyResult>>
const response = await vault.verify({
  id: "pvi_p6g5i3gtbvqvc3u6zugab6qs6r63tqf5",
  message: "lJkk0gCLux+Q+rPNqLPEYw==",
  signature: "FfWuT2Mq/+cxa7wIugfhzi7ktZxVf926idJNgBDCysF/knY9B7M6wxqHMMPDEBs86D8OsEGuED21y3J7IGOpCQ==",
});