Returns all non-archived items in a vault with basic metadata, vault-level checkpoint metadata, and the item-group structure needed for zero-trust verification.
GET /api/v1/machine/vault/:vaultId/items| Header | Type | Required | Description |
|---|---|---|---|
X-API-Key | string | Yes | Your API key |
| Parameter | Type | Required | Description |
|---|---|---|---|
vaultId | string | Yes | The unique identifier of the vault |
Success (200 OK)
{
"vaultId": "507f1f77bcf86cd799439011",
"vaultName": "Production Secrets",
"dataClassification": "CONFIDENTIAL",
"currentDekVersion": 3,
"summaryCheckpoint": {
"checkpoint": {
"vaultId": "507f1f77bcf86cd799439011",
"version": 9,
"name": "Production Secrets",
"dataClassification": "CONFIDENTIAL",
"currentDekVersion": 3,
"items": [
{
"id": "507f1f77bcf86cd799439021",
"name": "Production Database",
"type": "LOGIN",
"websites": ["https://db.example.com"],
"groupId": null
}
],
"groups": []
},
"signerUserKeyPairId": "507f1f77bcf86cd799439099",
"signature": "base64-signature"
},
"items": [
{
"id": "507f1f77bcf86cd799439021",
"name": "Production Database",
"type": "LOGIN",
"websites": ["https://db.example.com"],
"groupId": null,
"createdAt": "2026-01-20T14:00:00.000Z",
"fieldCount": 4
},
{
"id": "507f1f77bcf86cd799439022",
"name": "AWS Root Credentials",
"type": "API_KEY",
"websites": ["https://console.aws.amazon.com"],
"groupId": null,
"createdAt": "2026-01-22T09:30:00.000Z",
"fieldCount": 2
}
],
"vaultItemGroups": [],
"count": 2
}| Field | Type | Description |
|---|---|---|
vaultId | string | The vault ID these items belong to |
vaultName | string | The current vault name used when reconstructing the signed summary checkpoint. This metadata is not end-to-end encrypted. |
dataClassification | string | null | Current vault data classification |
currentDekVersion | number | null | Current vault DEK version bound into the signed summary checkpoint |
summaryCheckpoint | object | null | Signed vault summary checkpoint that authenticates the returned item/group metadata |
summaryCheckpoint.checkpoint.version | number | Monotonic summary-checkpoint version for rollback detection |
summaryCheckpoint.signerUserKeyPairId | string | User key pair ID that signed the checkpoint |
summaryCheckpoint.signature | string | RSA-PSS signature over the canonical summary payload |
items | array | Array of vault item summaries |
items[].id | string | Vault item ID |
items[].name | string | Vault item name. This metadata is not end-to-end encrypted. |
items[].type | string | null | Item type: LOGIN, API_KEY, DATABASE, SSH_KEY, SERVER, SECURE_NOTE, CREDIT_CARD, CUSTOM |
items[].websites | string[] | Associated website URLs. This metadata is not end-to-end encrypted. |
items[].groupId | string | null | Vault item group ID referenced by the summary checkpoint |
items[].createdAt | string | ISO 8601 creation timestamp |
items[].fieldCount | number | Number of non-archived fields on the item |
vaultItemGroups | array | Vault item groups referenced by the returned items |
count | number | Total number of items returned |
404 Not Found - Vault not found or not accessible
{
"error": {
"code": "vault_not_found",
"message": "The vault with ID \"507f1f77bcf86cd799439011\" was not found or you do not have access to it."
}
}curl -X GET "https://r4.dev/api/v1/machine/vault/507f1f77bcf86cd799439011/items" \
-H "X-API-Key: rk_abc123def456.ghijklmnopqrstuvwxyz"vaultName, item names, and websites are metadata, so they are not end-to-end encryptedsummaryCheckpoint against GET /vault/:vaultId/public-keys before trusting item names, websites, or group structurefieldCount to understand the complexity of each item before fetching full details