Browse docs+

Move Vault Item

Moves a vault item into a different vault.

PATCH /api/v1/machine/vault-item/:id/move

Important

This is a zero-trust metadata write. The request must include a fresh item detailCheckpoint plus replacement signed summaries for both the source and target vaults.
The moved item's name, field labels, and websites remain metadata, so they are not end-to-end encrypted. Only field values are end-to-end encrypted.
When the source and target vaults use different DEKs, send reEncryptedFieldValues so the moved field values can be rewritten under the target vault's encryption context.

Headers

Header	Type	Required	Description
`X-API-Key`	string	Yes	Your machine API key
`Content-Type`	string	Yes	Must be `application/json`

Path Parameters

Parameter	Type	Required	Description
`id`	string	Yes	The unique identifier of the vault item to move

Request Body

Field	Type	Required	Description
`detailCheckpoint`	object	Yes	Signed replacement detail checkpoint for the moved item
`sourceVaultSummaryCheckpoint`	object	Yes	Signed replacement summary checkpoint for the source vault after the item leaves
`targetVaultSummaryCheckpoint`	object	Yes	Signed replacement summary checkpoint for the target vault after the item arrives
`vaultId`	string	Yes	The target vault ID
`reEncryptedFieldValues`	array	No	Optional field values re-encrypted for the target vault DEK

Re-Encrypted Field Value Object

Field	Type	Required	Description
`fieldInstanceId`	string	Yes	Field-instance ID being rewritten for the move
`value`	string	Yes	Client-encrypted value for the target vault DEK

Response

Success (200 OK)

No response body is returned on success.

Notes

This endpoint requires machine.vault.write plus ADMIN access to the target vault item.
Refresh both source and target vault summaries immediately before building the replacement checkpoints.
Use this route when you need to change the parent vault. Use PATCH /api/v1/machine/vault-item/:id/update for field edits that keep the item in the same vault.

Example Request

curl -X PATCH "https://r4.dev/api/v1/machine/vault-item/507f1f77bcf86cd799439021/move" \
  -H "X-API-Key: rk_abc123def456.ghijklmnopqrstuvwxyz" \
  -H "Content-Type: application/json" \
  -d '{
    "detailCheckpoint": {
      "checkpoint": {
        "vaultItemId": "507f1f77bcf86cd799439021",
        "vaultId": "507f1f77bcf86cd799439012",
        "version": 14,
        "name": "Production Database",
        "type": "LOGIN",
        "websites": ["https://db.example.com"],
        "groupId": null,
        "fields": []
      },
      "signerUserKeyPairId": "507f1f77bcf86cd799439099",
      "signature": "base64-signature"
    },
    "sourceVaultSummaryCheckpoint": {
      "checkpoint": {
        "vaultId": "507f1f77bcf86cd799439011",
        "version": 11,
        "name": "Source Vault",
        "dataClassification": "CONFIDENTIAL",
        "currentDekVersion": 3,
        "items": [],
        "groups": []
      },
      "signerUserKeyPairId": "507f1f77bcf86cd799439099",
      "signature": "base64-signature"
    },
    "targetVaultSummaryCheckpoint": {
      "checkpoint": {
        "vaultId": "507f1f77bcf86cd799439012",
        "version": 5,
        "name": "Target Vault",
        "dataClassification": "CONFIDENTIAL",
        "currentDekVersion": 7,
        "items": [
          {
            "id": "507f1f77bcf86cd799439021",
            "name": "Production Database",
            "type": "LOGIN",
            "websites": ["https://db.example.com"],
            "groupId": null
          }
        ],
        "groups": []
      },
      "signerUserKeyPairId": "507f1f77bcf86cd799439099",
      "signature": "base64-signature"
    },
    "vaultId": "507f1f77bcf86cd799439012",
    "reEncryptedFieldValues": [
      {
        "fieldInstanceId": "507f1f77bcf86cd799439061",
        "value": "{\"v\":3,\"iv\":\"...\",\"t\":\"...\",\"d\":\"...\"}"
      }
    ]
  }'