Browse docs+
Get Vault Field Value
Returns the latest stored payload for a single vault field.
GET /api/v1/machine/vault/:vaultId/fields/:fieldIdHeaders
| Header | Type | Required | Description |
|---|---|---|---|
X-API-Key | string | Yes | Your API key |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
vaultId | string | Yes | The unique identifier of the vault |
fieldId | string | Yes | The unique identifier of the vault field |
Response
Success (200 OK)
{
"id": "507f1f77bcf86cd799439034",
"name": "Password",
"type": "PASSWORD",
"order": 3,
"fieldInstanceId": "507f1f77bcf86cd799439054",
"fieldInstanceIds": ["507f1f77bcf86cd799439054"],
"assetId": null,
"assetIds": [],
"value": "{\"v\":3,\"iv\":\"...\",\"t\":\"...\",\"d\":\"...\"}",
"vaultId": "507f1f77bcf86cd799439011",
"vaultItemId": "507f1f77bcf86cd799439021",
"vaultItemName": "Production Database",
"detailCheckpoint": {
"checkpoint": {
"vaultItemId": "507f1f77bcf86cd799439021",
"vaultId": "507f1f77bcf86cd799439011",
"version": 12,
"name": "Production Database",
"type": "LOGIN",
"websites": ["https://db.example.com"],
"groupId": null,
"fields": [
{
"id": "507f1f77bcf86cd799439033",
"name": "Username",
"type": "TEXT",
"order": 2,
"fieldInstanceIds": ["507f1f77bcf86cd799439053"],
"assetIds": []
},
{
"id": "507f1f77bcf86cd799439034",
"name": "Password",
"type": "PASSWORD",
"order": 3,
"fieldInstanceIds": ["507f1f77bcf86cd799439054"],
"assetIds": []
}
]
},
"signerUserKeyPairId": "507f1f77bcf86cd799439099",
"signature": "base64-signature"
}
}Response Fields
| Field | Type | Description |
|---|---|---|
id | string | Field ID |
name | string | Field label. This metadata is not end-to-end encrypted. |
type | string | Field type |
order | number | Stable field order from the signed detail checkpoint |
fieldInstanceId | string | null | Latest active field-instance ID used for value |
fieldInstanceIds | string[] | Full active field-instance set for the field |
assetId | string | null | Latest active attached asset ID |
assetIds | string[] | Full active asset set for the field |
value | string | null | Field value as stored. In client-encrypted vaults, this is a v3 vault envelope string |
vaultId | string | Vault that owns the field |
vaultItemId | string | Parent vault item ID |
vaultItemName | string | Parent vault item name. This metadata is not end-to-end encrypted. |
detailCheckpoint | object | null | Signed parent vault-item checkpoint used to verify the field metadata |
Verification Notes
- Use this endpoint when you already know the
fieldIdand only want one value - The field label, parent item name, and checkpoint
websitesmetadata are not end-to-end encrypted - Compare the returned field against the matching entry in
detailCheckpoint.checkpoint.fields - Use
POST /vault/public-key,GET /vault/:vaultId/wrapped-key, andGET /vault/:vaultId/public-keysto unwrap the vault DEK and verify the signer locally before decryptingvalue
Error Responses
404 Not Found - Vault or vault field not found
{
"error": {
"code": "vault_field_not_found",
"message": "The vault field with ID \"507f1f77bcf86cd799439034\" was not found in vault \"507f1f77bcf86cd799439011\" or you do not have access to it."
}
}Example Request
curl -X GET "https://r4.dev/api/v1/machine/vault/507f1f77bcf86cd799439011/fields/507f1f77bcf86cd799439034" \
-H "X-API-Key: rk_abc123def456.ghijklmnopqrstuvwxyz"Use Cases
- Targeted secret retrieval: Fetch one known field without downloading sibling values
- Rotation checks: Re-read the exact field that changed after an update
- Automation: Pull one credential into a runtime that already tracks field IDs