API Exposure Guide

Encrypted Vault API

End-to-End Encrypted secret management endpoints.

Edit this page on GitHub

End-to-End Encrypted Vault API

When the Vault feature is enabled, Rescile mounts a standalone Key Management Server mapped directly to your architecture graph, available at /vault/v1/*.

This API provides client registration (/register), Session generation (/session), and End-to-End Encrypted blob storage (/collection, /cipher/:id), utilizing Argon2id for Key Derivation, X25519 for Key Exchange, and AES-256-GCM for payload encryption. A dedicated UI is also available at /vault-ui.