API reference

The Secronna REST API. Resources nest: projects own environments, environments own secrets.

Base URL

https://secronna.com/api/v1

Authentication

Every request carries a Bearer token — a per-workspace API key (sk_live_xxx) from Settings → API keys, or a Huudis-minted access token:

Authorization: Bearer sk_live_xxx

Requests without a valid token fail with AUTH_REQUIRED. Secronna is in private beta, so the token's workspace must be on the allowlist.

Response envelope

Every response uses the family-standard envelope:

{
  "data": { },
  "error": null,
  "meta": { "requestId": "req_...", "timestamp": "2026-01-01T00:00:00Z" }
}

List endpoints put an array in data and page info in meta. On error, data is null and error carries an UPPER_SNAKE_CASE code plus a human-readable message:

{
  "data": null,
  "error": { "code": "NOT_FOUND", "message": "secret not found" },
  "meta": { "requestId": "req_...", "timestamp": "2026-01-01T00:00:00Z" }
}

Common codes: AUTH_REQUIRED, FORBIDDEN, NOT_FOUND, VALIDATION_ERROR, CONFLICT, INTERNAL_ERROR.

Projects

Create a project

POST /projects

Request:

{ "name": "Web" }

Response data:

{
  "id": "proj_...",
  "name": "Web",
  "slug": "web",
  "createdAt": "2026-01-01T00:00:00Z",
  "createdBy": "usr_..."
}

List projects

GET /projects

data is an array of the project objects above.

Environments

Create an environment

POST /projects/:projectId/environments

Request:

{ "name": "production" }

Response data:

{
  "id": "env_...",
  "name": "production",
  "slug": "production",
  "createdAt": "2026-01-01T00:00:00Z"
}

List environments

GET /projects/:projectId/environments

data is an array of the environment objects above.

Secrets

Secrets are immutable and versioned. Writing a key mints a new version; listing returns keys only; reading a value is an explicit, audited reveal.

Write a secret

PUT /environments/:envId/secrets

Creates the key if it doesn't exist, otherwise mints the next version.

Request:

{ "key": "DATABASE_URL", "value": "postgres://user:pass@host/db" }

Response data:

{ "id": "sec_...", "key": "DATABASE_URL", "version": 1 }

List secrets (keys only)

GET /environments/:envId/secrets

data is an array — values are never included here:

[
  {
    "id": "sec_...",
    "key": "DATABASE_URL",
    "currentVersion": 3,
    "createdAt": "2026-01-01T00:00:00Z"
  }
]

Reveal a secret

POST /secrets/:secretId/reveal

Returns the plaintext of a single version. Every reveal is written to the audit log. Pass ?version=<n> to read a historical version; omit it for the current version.

Response data:

{ "key": "DATABASE_URL", "version": 3, "value": "postgres://user:pass@host/db" }

Delete a secret

DELETE /secrets/:secretId

Deletes the secret and all its versions.

Response data:

{ "id": "sec_...", "deleted": true }

Audit

List audit entries

GET /audit?limit=<n>

Recent audit-log entries — reveals, writes, deletes, project/environment creation. limit caps how many are returned.

data is an array:

[
  {
    "id": "aud_...",
    "action": "secret.reveal",
    "actorSub": "usr_...",
    "target": "sec_...",
    "metadata": { "key": "DATABASE_URL", "version": 3 },
    "createdAt": "2026-01-01T00:00:00Z"
  }
]
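
Added example (not part of the Secronna documentation): a Python review of the audit and secret-list responses above that flags actors with many reveals and reveals of superseded versions. The function names, the threshold, the sample ids and the `example.other` action are constructed for illustration, and it assumes reveal entries carry `metadata.version` as in the sample entry.

```python
from collections import Counter

class ApiError(Exception):
    """Raised when the envelope's error field is set."""

def unwrap(envelope):
    # Envelope contract from the page: on error, data is null and error has code + message.
    if envelope.get("error"):
        err = envelope["error"]
        raise ApiError(f'{err["code"]}: {err["message"]}')
    return envelope["data"]

def review_reveals(audit_env, secrets_env, max_reveals_per_actor=2):
    """Return (noisy_actors, historical_reveals) from GET /audit and the secret list."""
    current = {s["id"]: s["currentVersion"] for s in unwrap(secrets_env)}
    reveals = [e for e in unwrap(audit_env) if e["action"] == "secret.reveal"]
    counts = Counter(e["actorSub"] for e in reveals)
    noisy = sorted(a for a, n in counts.items() if n > max_reveals_per_actor)
    # A reveal of a version below currentVersion read a superseded value.
    historical = [
        (e["actorSub"], e["target"], e["metadata"]["version"])
        for e in reveals
        if e["target"] in current and e["metadata"]["version"] < current[e["target"]]
    ]
    return noisy, historical

# Constructed sample responses (ids, actors and timestamps are made up).
META = {"requestId": "req_example", "timestamp": "2026-01-01T00:00:00Z"}
SECRETS = {"data": [
    {"id": "sec_a", "key": "DATABASE_URL", "currentVersion": 3, "createdAt": "2026-01-01T00:00:00Z"},
], "error": None, "meta": META}

def sample_entry(n, actor, version, action="secret.reveal"):
    return {"id": f"aud_{n}", "action": action, "actorSub": actor, "target": "sec_a",
            "metadata": {"key": "DATABASE_URL", "version": version},
            "createdAt": "2026-01-01T00:00:00Z"}

AUDIT = {"data": [
    sample_entry(1, "usr_alice", 3), sample_entry(2, "usr_bob", 3),
    sample_entry(3, "usr_bob", 2), sample_entry(4, "usr_bob", 1),
    sample_entry(5, "usr_alice", 3, action="example.other"),  # placeholder non-reveal action
], "error": None, "meta": META}

if __name__ == "__main__":
    print(review_reveals(AUDIT, SECRETS))
```

A historical reveal is worth a look because it exposes a value that has since been replaced, which matters if that version was rotated out after a suspected leak.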