The vault group is Voyant Cloud’s secrets manager and encryption service. Use it to store application secrets such as API keys and connection strings, and to perform per-call envelope cryptography without managing your own key material.
import { createVoyantCloudClient } from "@voyant-travel/cloud-sdk";
const client = createVoyantCloudClient({ apiKey: process.env.VOYANT_API_KEY! });
Secrets
A vault is a named container of secrets, addressed by a slug such as production. Each secret is a key with one or more versions.
// List the vaults you can see
const vaults = await client.vault.listVaults();
// List the secret keys and versions in a vault
const secrets = await client.vault.listSecrets("production");
// Read a single secret value
const value = await client.vault.getSecret("production", "STRIPE_KEY");
// Upsert and delete (write scope)
await client.vault.setSecret("production", "STRIPE_KEY", "sk_live_...");
await client.vault.deleteSecret("production", "OLD_KEY");
voyant secrets list production
voyant secrets set production STRIPE_KEY sk_live_xyz
voyant secrets rm production OLD_KEY
The CLI can list and write secrets but cannot read their values — there is no voyant secrets get. voyant login mints tokens without the vault:read scope that getSecret, decrypt, and unwrap require. Read a value in the dashboard, or from server-side code with an app token that carries vault:read.
Envelope encryption
The vault performs envelope crypto so you can encrypt data with managed keys. Generate a data key, use the plaintext key locally, store only the wrapped key, and unwrap it when you need to decrypt.
// Encrypt and decrypt a small payload directly
const encrypted = await client.vault.encrypt(/* ... */);
const decrypted = await client.vault.decrypt(/* ... */);
// Generate a data key, then unwrap it later
const dataKey = await client.vault.generateDataKey(/* ... */);
const unwrapped = await client.vault.unwrap(/* ... */);
Scopes
| Methods | Scope |
|---|
getSecret, decrypt, unwrap (return plaintext) | vault:read |
listVaults, listSecrets (metadata only) | vault:read or vault:write |
setSecret, deleteSecret, encrypt, generateDataKey | vault:write |
VaultSummary, VaultSecretSummary, VaultSecretValue, VaultEncryptResult, VaultDecryptResult, VaultGenerateDataKeyResult, VaultUnwrapResult.
When you deploy a framework app to Voyant Cloud, app secrets live in the vault instead of local .dev.vars files. The runtime reads them at deploy time.
