Vault
The vault is a zero-knowledge encrypted credential store for your organization. Store API keys, login credentials, SSH keys, and other secrets: Inkbox never sees the plaintext. All encryption and decryption happens client-side in the SDK or console using your vault key.
How it works
Every secret stored in the vault is encrypted with your organization's encryption key before it leaves the SDK, so the server only ever sees ciphertext. To read secrets, you unlock the vault with your vault key, and the SDK or console decrypts everything locally. The flip side of this design is that Inkbox cannot reset a vault key you have lost; that is what the recovery codes generated at initialization are for.
Two keys are involved:
| Key | Purpose |
|---|---|
| INKBOX_API_KEY | Authenticates API requests (sent to the server) |
| INKBOX_VAULT_KEY | Unlocks the vault for client-side decryption (never sent to the server) |
Secret types
Each secret has a type that determines its payload structure:
| Type | Fields | Use case |
|---|---|---|
| login | password, username, email, url, notes, totp | Website or service logins (with optional TOTP) |
| api_key | api_key, endpoint, notes | API keys and tokens |
| key_pair | access_key, secret_key, endpoint, notes | AWS-style key pairs |
| ssh_key | private_key, public_key, fingerprint, passphrase, notes | SSH keys |
| other | data, notes | Freeform secrets |
Unlocking the vault
Before you can read or write secrets, unlock the vault with your vault key. The SDK validates the key, fetches all encrypted secrets, and decrypts them locally. From that point the plaintext lives in the memory of the process that unlocked the vault, so treat that process and its host as holding the secrets.
Initializing the vault
Initialize a vault once per organization. This creates the vault, sets the primary vault key, and generates four recovery codes. Store the four recovery codes securely at the time they are returned.
Creating secrets
Once unlocked, create secrets by specifying a name and a typed payload. The SDK encrypts the payload before sending it to the server.
Reading secrets
Access all decrypted secrets via the secrets property, or fetch a specific one by ID.
Updating and deleting secrets
Update a secret's name, description, or payload. Delete secrets when they're no longer needed.
Storing logins with TOTP
Login secrets can include a TOTP configuration for two-factor authentication. Use parse_totp_uri to parse a standard otpauth:// URI (the same format used by Google Authenticator, Authy, etc.) into a TOTP config, then attach it to the login payload.
You can also build a TOTP config manually, from the same parameters an otpauth:// URI carries (secret, issuer, algorithm, digits, period), instead of parsing a URI.
Generating TOTP codes
Once a login secret has a TOTP config, generate the current one-time code with get_totp_code. The code, expiry window, and seconds remaining are returned.
The returned TOTPCode includes:
| Field | Type | Description |
|---|---|---|
| code | string | The current OTP code (e.g. "482901") |
| period_start | number | Unix timestamp when this code became valid |
| period_end | number | Unix timestamp when this code expires |
| seconds_remaining | number | Seconds left until expiry |
You can also generate codes directly from a TOTP config without storing it in the vault.
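The following stand-alone implementation shows what parse_totp_uri and get_totp_code have to do under the hood: parse an otpauth://totp/ URI into a config, decode the base32 secret, compute the RFC 4226 HOTP value for the current time step, and report the period boundaries and seconds remaining. It is an added example written against RFC 4226/6238 on the Python standard library, not the Inkbox SDK's code; the TOTPConfig/TOTPCode dataclasses and the names parse_otpauth_uri, hotp, totp_code and verify_totp are the example's own, chosen to mirror the result fields described above. EXAMPLE_URI is a constructed sample that carries the RFC 6238 reference seed ("12345678901234567890" in base32), so the codes it produces are the RFC's published test vectors.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with an otpauth:// parser.
Added example on the standard library; all names are the example's own, not the SDK's."""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample: RFC 6238's reference seed "12345678901234567890" in base32, 8-digit SHA1.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&algorithm=SHA1&digits=8&period=30")


@dataclass(frozen=True)
class TOTPConfig:
    secret: str            # base32 as it appears in the URI or on the enrolment page
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30
    issuer: str = ""
    account: str = ""

    def key_bytes(self) -> bytes:
        # Enrolment pages hand out lowercase, spaced or unpadded base32; normalise before decoding.
        s = self.secret.replace(" ", "").replace("-", "").upper()
        return base64.b32decode(s + "=" * (-len(s) % 8))


@dataclass(frozen=True)
class TOTPCode:
    code: str
    period_start: int
    period_end: int
    seconds_remaining: int


def parse_otpauth_uri(uri: str) -> TOTPConfig:
    """Parse otpauth://totp/Issuer:account?secret=...&issuer=...&algorithm=...&digits=...&period=..."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported (HOTP counters are not)")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    # The label is "Issuer:account" or just "account"; an explicit issuer parameter wins.
    label_issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in _ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    digits, period = int(params.get("digits", 6)), int(params.get("period", 30))
    if digits not in (6, 7, 8) or period <= 0:
        raise ValueError("digits must be 6-8 and period positive")
    cfg = TOTPConfig(params["secret"], algorithm, digits, period,
                     params.get("issuer", label_issuer).strip(), account.strip())
    cfg.key_bytes()  # fail now on a malformed secret rather than at first code generation
    return cfg


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 dynamic truncation; zero-padded so leading zeros survive."""
    mac = hmac.new(key, struct.pack(">Q", counter), _ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp_code(cfg: TOTPConfig, at: Optional[int] = None) -> TOTPCode:
    """Current code plus its validity window; `at` overrides the clock for testing."""
    now = int(time.time()) if at is None else int(at)
    counter = now // cfg.period
    start = counter * cfg.period
    return TOTPCode(hotp(cfg.key_bytes(), counter, cfg.digits, cfg.algorithm),
                    start, start + cfg.period, start + cfg.period - now)


def verify_totp(cfg: TOTPConfig, candidate: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Verifier-side check tolerating +/- `window` periods of clock drift, comparing in constant time."""
    now = int(time.time()) if at is None else int(at)
    key = cfg.key_bytes()
    return any(hmac.compare_digest(hotp(key, now // cfg.period + d, cfg.digits, cfg.algorithm), candidate)
               for d in range(-window, window + 1))
```

Two edge cases matter in practice: codes with leading zeros must be kept as strings (the zfill above does that), and base32 secrets copied from enrolment pages often arrive lowercase, spaced or unpadded, which key_bytes normalises. verify_totp is the verifier-side counterpart with a one-period drift window; the SDK described on this page only generates codes, so that function goes beyond the page.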
Identity access control
Grant specific agent identities access to individual secrets. This lets you control which agents can use which credentials.
Vault metadata
Check the vault's status and counts without unlocking it.
Managing vault keys
Rotate the primary vault key or revoke an existing key by its auth hash. Rotating the primary key keeps the same organization encryption key and re-wraps it under the new primary vault key, so stored secrets are not re-encrypted and the old primary key no longer unlocks the vault.
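To make the two-key design from "How it works", the initialize/unlock/create/read flow, and primary-key rotation concrete, here is a self-contained model of one way such a zero-knowledge vault can be built. It is an added example, not Inkbox SDK or server code, and it assumes details the page does not state: the vault key is stretched with scrypt into a client-only wrapping key plus a separate auth hash the server can store and later revoke by; the organization encryption key is a random 32-byte value wrapped under the primary vault key and under each of the four recovery codes; each secret is encrypted under the organization key with its ID as associated data, so a ciphertext cannot be swapped between secret IDs. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag so the file runs on the Python standard library alone; a real SDK would use an AEAD such as AES-GCM or XChaCha20-Poly1305. All function and field names are the example's own.

```python
"""Model of a zero-knowledge vault: added example, not Inkbox code. Assumptions (not on the
page): scrypt-stretched vault keys, an org key wrapped per vault key and recovery code,
secrets sealed under the org key with their ID as associated data, and a stand-in cipher
(HMAC-SHA256 keystream + encrypt-then-MAC) where a real SDK would use an AEAD."""
import hashlib
import hmac
import json
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def derive_keys(key_string: str, salt: bytes) -> tuple:
    """Stretch a vault key or recovery code into (wrap_key, auth_hash). wrap_key never leaves
    the client; auth_hash identifies the key server-side without revealing it."""
    stretched = hashlib.scrypt(key_string.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                               p=SCRYPT_P, dklen=32)
    wrap_key = hmac.new(stretched, b"example:wrap", hashlib.sha256).digest()
    auth_hash = hmac.new(stretched, b"example:auth", hashlib.sha256).hexdigest()
    return wrap_key, auth_hash

def _subkeys(key: bytes) -> tuple:
    enc = hmac.new(key, b"example:enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"example:mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag, with aad bound into the tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes, aad: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong secret ID, or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _wrap_entry(org_key: bytes, key_string: str, role: str) -> dict:
    """One server-side key record: the org key wrapped under a vault key or recovery code."""
    salt = os.urandom(16)
    wrap_key, auth_hash = derive_keys(key_string, salt)
    return {"role": role, "salt": salt.hex(), "auth_hash": auth_hash,
            "wrapped_org_key": seal(wrap_key, org_key, b"org-key").hex()}

def init_vault(vault_key: str) -> tuple:
    """Create the server-side record and four recovery codes (returned to the caller only here)."""
    org_key = os.urandom(32)                      # organization encryption key; never sent
    codes = [os.urandom(16).hex() for _ in range(4)]
    record = {"keys": [_wrap_entry(org_key, vault_key, "primary")]
              + [_wrap_entry(org_key, c, "recovery") for c in codes], "secrets": {}}
    return record, codes

def unlock(record: dict, key_string: str) -> bytes:
    """Client side: validate the key against each entry's auth hash, then unwrap the org key."""
    for entry in record["keys"]:
        wrap_key, auth_hash = derive_keys(key_string, bytes.fromhex(entry["salt"]))
        if hmac.compare_digest(auth_hash, entry["auth_hash"]):
            return open_sealed(wrap_key, bytes.fromhex(entry["wrapped_org_key"]), b"org-key")
    raise PermissionError("no vault key or recovery code matches")

def put_secret(record: dict, org_key: bytes, secret_id: str, payload: dict) -> None:
    """Client encrypts the typed payload; the server stores ciphertext keyed by secret ID."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    record["secrets"][secret_id] = seal(org_key, plaintext, secret_id.encode()).hex()

def get_secret(record: dict, org_key: bytes, secret_id: str) -> dict:
    blob = bytes.fromhex(record["secrets"][secret_id])
    return json.loads(open_sealed(org_key, blob, secret_id.encode()))

def rotate_primary(record: dict, old_key: str, new_key: str) -> None:
    """Same org key, new wrapping: stored secrets are not re-encrypted."""
    org_key = unlock(record, old_key)
    record["keys"] = ([_wrap_entry(org_key, new_key, "primary")]
                      + [e for e in record["keys"] if e["role"] != "primary"])

def revoke_key(record: dict, auth_hash: str) -> None:
    """Server side: remove the entry with this auth hash; the server never held the key itself."""
    kept = [e for e in record["keys"] if e["auth_hash"] != auth_hash]
    if len(kept) == len(record["keys"]):
        raise KeyError("no key with that auth hash")
    record["keys"] = kept
```

Two properties are worth checking against any design of this shape. First, the server record (salts, auth hashes, wrapped keys, secret ciphertexts) never contains the vault key, the organization key or a plaintext secret, so a test secret grepped out of str(record) should come up empty. Second, because the salt and auth hash are server-visible, whoever holds the record can guess vault keys offline; the scrypt stretching raises the cost per guess but is no substitute for a long random vault key. Rotation re-wraps the organization key without touching stored ciphertexts, which is why it is cheap, and revoking a recovery code removes only that code's wrapping entry.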
Deleting the vault
Delete the vault and all its keys and secrets from the Inkbox Console. This is destructive and permanently removes access to all stored secrets. Vault deletion is not available through the SDK or CLI; use the Inkbox Console instead. After deletion, the organization can initialize a new vault.