Get Vault Item Detail

Returns full details for a vault item, including all fields and their values.

GET /api/v1/machine/vault/:vaultId/items/:itemId

Headers

Header	Type	Required	Description
`X-API-Key`	string	Yes	Your API key

Path Parameters

Parameter	Type	Required	Description
`vaultId`	string	Yes	The unique identifier of the vault
`itemId`	string	Yes	The unique identifier of the vault item

Response

Success (200 OK)

{
  "id": "507f1f77bcf86cd799439021",
  "name": "Production Database",
  "type": "LOGIN",
  "websites": ["https://db.example.com"],
  "vaultId": "507f1f77bcf86cd799439011",
  "encryptionKeyId": "507f1f77bcf86cd799439015",
  "fields": [
    {
      "id": "507f1f77bcf86cd799439031",
      "name": "Host",
      "type": "TEXT",
      "value": "db.example.com",
      "isSecret": false
    },
    {
      "id": "507f1f77bcf86cd799439032",
      "name": "Port",
      "type": "NUMBER",
      "value": "5432",
      "isSecret": false
    },
    {
      "id": "507f1f77bcf86cd799439033",
      "name": "Username",
      "type": "TEXT",
      "value": "admin",
      "isSecret": false
    },
    {
      "id": "507f1f77bcf86cd799439034",
      "name": "Password",
      "type": "PASSWORD",
      "value": "BASE64_RSA_ENCRYPTED_CIPHERTEXT...",
      "isSecret": true
    }
  ]
}

Response Fields

Field	Type	Description
`id`	string	Vault item ID
`name`	string	Vault item name
`type`	string \| null	Item type: `LOGIN`, `API_KEY`, `DATABASE`, `SSH_KEY`, `SERVER`, `SECURE_NOTE`, `CREDIT_CARD`, `CUSTOM`
`websites`	string[]	Associated website URLs
`vaultId`	string	The vault this item belongs to
`encryptionKeyId`	string \| null	Encryption key ID from the parent vault, needed for client-side decryption
`fields`	array	Array of field objects with values

Field Object

Field	Type	Description
`id`	string	Field ID
`name`	string	Field label (e.g., "Username", "Password")
`type`	string	Field type: `TEXT`, `PASSWORD`, `SECRET`, `URL`, `NUMBER`, `TOTP`, `FILE`
`value`	string \| null	Field value. For encrypted vaults, secret values are RSA-encrypted ciphertext (base64)
`isSecret`	boolean	Whether this field contains a secret value

Encrypted Values

For vaults with encryption enabled (encryptionKeyId is not null):

Non-secret fields (isSecret: false): Values are returned in plaintext
Secret fields (isSecret: true): Values are RSA-encrypted ciphertext, base64-encoded

To decrypt secret values, use the GET /vault/encryption-key endpoint to retrieve the RSA private key (AGENT-scoped API keys only), then decrypt with RSA-OAEP.

Error Responses

404 Not Found - Vault or vault item not found

{
  "error": {
    "code": "vault_item_not_found",
    "message": "The vault item with ID \"507f1f77bcf86cd799439021\" was not found or you do not have access to it."
  }
}

Example Request

curl -X GET "https://r4.dev/api/v1/machine/vault/507f1f77bcf86cd799439011/items/507f1f77bcf86cd799439021" \
  -H "X-API-Key: rk_abc123def456.ghijklmnopqrstuvwxyz"

Use Cases

Secret retrieval: Fetch credentials for use in automation scripts
Configuration injection: Read vault item fields to populate application config
Secret rotation: Read current values to verify after rotation
Backup: Export vault item data for disaster recovery