Browse docs+

Get Vault Item Detail

Returns full details for a vault item, including all fields and their values.

If you already know the target fieldId and only need one value, prefer GET /api/v1/machine/vault/:vaultId/fields/:fieldId.

GET /api/v1/machine/vault/:vaultId/items/:itemId

Headers

Header	Type	Required	Description
`X-API-Key`	string	Yes	Your API key

Path Parameters

Parameter	Type	Required	Description
`vaultId`	string	Yes	The unique identifier of the vault
`itemId`	string	Yes	The unique identifier of the vault item

Response

Success (200 OK)

{
  "id": "507f1f77bcf86cd799439021",
  "name": "Production Database",
  "type": "LOGIN",
  "websites": ["https://db.example.com"],
  "vaultId": "507f1f77bcf86cd799439011",
  "groupId": null,
  "fields": [
    {
      "id": "507f1f77bcf86cd799439031",
      "name": "Host",
      "type": "TEXT",
      "order": 0,
      "fieldInstanceIds": ["507f1f77bcf86cd799439051"],
      "assetIds": [],
      "value": "{\"v\":3,\"iv\":\"...\",\"t\":\"...\",\"d\":\"...\"}"
    },
    {
      "id": "507f1f77bcf86cd799439032",
      "name": "Port",
      "type": "NUMBER",
      "order": 1,
      "fieldInstanceIds": ["507f1f77bcf86cd799439052"],
      "assetIds": [],
      "value": "{\"v\":3,\"iv\":\"...\",\"t\":\"...\",\"d\":\"...\"}"
    },
    {
      "id": "507f1f77bcf86cd799439033",
      "name": "Username",
      "type": "TEXT",
      "order": 2,
      "fieldInstanceIds": ["507f1f77bcf86cd799439053"],
      "assetIds": [],
      "value": "{\"v\":3,\"iv\":\"...\",\"t\":\"...\",\"d\":\"...\"}"
    },
    {
      "id": "507f1f77bcf86cd799439034",
      "name": "Password",
      "type": "PASSWORD",
      "order": 3,
      "fieldInstanceIds": ["507f1f77bcf86cd799439054"],
      "assetIds": [],
      "value": "{\"v\":3,\"iv\":\"...\",\"t\":\"...\",\"d\":\"...\"}"
    }
  ],
  "detailCheckpoint": {
    "checkpoint": {
      "vaultItemId": "507f1f77bcf86cd799439021",
      "vaultId": "507f1f77bcf86cd799439011",
      "version": 12,
      "name": "Production Database",
      "type": "LOGIN",
      "websites": ["https://db.example.com"],
      "groupId": null,
      "fields": [
        {
          "id": "507f1f77bcf86cd799439031",
          "name": "Host",
          "type": "TEXT",
          "order": 0,
          "fieldInstanceIds": ["507f1f77bcf86cd799439051"],
          "assetIds": []
        }
      ]
    },
    "signerUserKeyPairId": "507f1f77bcf86cd799439099",
    "signature": "base64-signature"
  }
}

Response Fields

Field	Type	Description
`id`	string	Vault item ID
`name`	string	Vault item name. This metadata is not end-to-end encrypted.
`type`	string \| null	Item type: `LOGIN`, `API_KEY`, `DATABASE`, `SSH_KEY`, `SERVER`, `SECURE_NOTE`, `CREDIT_CARD`, `CUSTOM`
`websites`	string[]	Associated website URLs. This metadata is not end-to-end encrypted.
`vaultId`	string	The vault this item belongs to
`groupId`	string \| null	Vault item group ID
`fields`	array	Array of field objects with values
`detailCheckpoint`	object \| null	Signed detail checkpoint authenticating the returned item metadata
`detailCheckpoint.checkpoint.version`	number	Monotonic detail-checkpoint version for rollback detection
`detailCheckpoint.signerUserKeyPairId`	string	User key pair ID that signed the item checkpoint
`detailCheckpoint.signature`	string	RSA-PSS signature over the canonical detail payload

Field Object

Field	Type	Description
`id`	string	Field ID
`name`	string	Field label (e.g., "Username", "Password"). This metadata is not end-to-end encrypted.
`type`	string	Field type: `TEXT`, `PASSWORD`, `SECRET`, `URL`, `NUMBER`, `TOTP`, `FILE`
`order`	number	Stable field order used in the signed detail checkpoint
`fieldInstanceIds`	string[]	Active field-instance IDs bound into the signed detail checkpoint
`assetIds`	string[]	Active asset IDs bound into the signed detail checkpoint
`value`	string \| null	Field value as stored. In client-encrypted vaults, every field value is returned as a v3 vault envelope string

Encrypted Values

The item name, field name, and websites metadata are not end-to-end encrypted.
Every field value is returned as client ciphertext
Field type determines whether a client should mask the decrypted value by default
The backend does not selectively decrypt non-hidden fields

To decrypt values, unwrap the vault key in your client and decrypt each field's v3 envelope locally. Zero-trust clients should also verify detailCheckpoint against GET /vault/:vaultId/public-keys before trusting the item name, websites, or field layout.

Error Responses

404 Not Found - Vault or vault item not found

{
  "error": {
    "code": "vault_item_not_found",
    "message": "The vault item with ID \"507f1f77bcf86cd799439021\" was not found or you do not have access to it."
  }
}

Example Request

curl -X GET "https://r4.dev/api/v1/machine/vault/507f1f77bcf86cd799439011/items/507f1f77bcf86cd799439021" \
  -H "X-API-Key: rk_abc123def456.ghijklmnopqrstuvwxyz"

Use Cases

Secret retrieval: Fetch credentials for use in automation scripts
Configuration injection: Read vault item fields to populate application config
Secret rotation: Read current values to verify after rotation
Backup: Export vault item data for disaster recovery