POST /api/v2/vaults
Create a vault
curl --request POST \
  --url https://agp.eu.hcompany.ai/api/v2/vaults \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "<string>",
  "provider_config": {},
  "token": "<string>"
}
'
Registers a vault (a link between your organization and an external secrets provider) so an agent can sign in to the sites it works on without you passing the secrets through the API. Today the only provider is 1Password: you record which 1Password vault to read (op_vault_id) and a service account token that grants access to it. The token is validated against the provider before it is stored, and is never returned by any endpoint. Returns 201 with the created vault object (see Retrieve for the full field list).
The request body carries a plaintext service account token. Send it only over HTTPS and never log it.

Request body

name (string, required): Human-readable label for the config.
provider_config (object, required): Provider settings.
  • provider (string, optional): Secrets provider. Defaults to onepassword, the only supported value.
  • op_vault_id (string, required): Identifier of the 1Password vault to read credentials from.
token (string, required): The 1Password service account token granting access to the vault. Write-only: validated before storage and omitted from every response.

Examples

curl -X POST https://agp.eu.hcompany.ai/api/v2/vaults \
  -H "Authorization: Bearer $HAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "prod-1password",
    "provider_config": {"provider": "onepassword", "op_vault_id": "abcd1234efgh5678"},
    "token": "ops_eyJ..."
  }'
Response
{
  "id": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
  "org_id": "org_123",
  "name": "prod-1password",
  "provider_config": {"provider": "onepassword", "op_vault_id": "abcd1234efgh5678"},
  "created_at": "2026-05-07T14:30:00Z",
  "updated_at": "2026-05-07T14:30:00Z"
}

Errors

Status | Cause
409 | A vault with this name already exists in your organization. Names are unique per org.
422 | Body failed validation, or the provider rejected the token (it could not access op_vault_id).
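
The request above as a Python client, added here as an example and not part of the original documentation: it refuses non-HTTPS URLs, keeps the service account token and API key out of reprs and log lines, and maps the documented 201/409/422 outcomes to messages that are safe to log. The Secret wrapper, the function names and the opener parameter are assumptions made for this illustration.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_URL = "https://agp.eu.hcompany.ai/api/v2/vaults"  # endpoint from this page


class Secret:
    """Hypothetical wrapper: keeps a secret out of repr(), logs and tracebacks."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        return self._value

    def __repr__(self):
        return "Secret(***)"

    __str__ = __repr__


def build_request(api_key, name, op_vault_id, token, url=API_URL):
    """Build the POST; refuse any URL that would carry the token in cleartext."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the token over a non-HTTPS URL")
    body = {"name": name,
            "provider_config": {"provider": "onepassword", "op_vault_id": op_vault_id},
            "token": token.reveal()}
    headers = {"Authorization": "Bearer " + api_key.reveal(),
               "Content-Type": "application/json"}
    return urllib.request.Request(url, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")


def create_vault(api_key, name, op_vault_id, token, opener=urllib.request.urlopen):
    """Return (status, vault, log_line); log_line never contains request data."""
    req = build_request(api_key, name, op_vault_id, token)
    try:
        with opener(req, timeout=30) as resp:
            status, vault = resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        causes = {409: "a vault with this name already exists in the org",
                  422: "body failed validation or the provider rejected the token"}
        return err.code, None, f"{err.code}: {causes.get(err.code, 'unexpected error')}"
    if "token" in vault:  # the page says the token is omitted from every response
        raise RuntimeError("response unexpectedly contains a token field")
    return status, vault, f"{status}: created vault {vault.get('id')}"
```

Load the token into Secret from an environment variable or a secrets manager at call time rather than from a command-line argument, which shows up in shell history and process listings.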