# API overview
VaultTerm exposes a tenant REST API: authenticate with a bearer JWT, and every call is row-level-security scoped to the caller's organization.
Updated Jun 23, 2026
VaultTerm’s backend is a single Fastify service that serves the web app, the native and CLI clients, and a programmable REST API. The same API you build against is the one the first-party clients use, so anything you can do in the product you can do over HTTP.
## Authentication and tenancy
Every request authenticates with a bearer JWT in the Authorization header:
```bash
curl -H "Authorization: Bearer $TOKEN" https://your-host.example.com/api/vault
```
The token carries the caller’s identity and organization. All data access is row-level-security (RLS) scoped to that org in the database — there is no cross-tenant read path in the API layer. For unattended access (CI, scripts, SIEM export), use a scoped API token instead of a user JWT; token-authenticated routes still establish the same tenant context server-side. See API tokens and SCIM.
This is the audited-broker model in practice: the server decrypts a secret in memory only for a specific authorized call, and the call lands on the tamper-evident audit trail.
## Route groups
The API is organized into route groups by module. The table below is high level — each group has its own endpoints for list, fetch, create, and action operations.
| Group | Purpose |
|---|---|
| /auth | Register, login, and MFA (TOTP) challenge and verification. |
| /auth/devices | Registered device sessions and per-device trust. |
| /auth/webauthn | Passkey (WebAuthn) registration and authentication. |
| /auth/sso | Enterprise SSO login and callback flows. |
| /vault | Stored secrets: logins, keys, env files, TOTP seeds, notes, cards. |
| /ssh | Brokered SSH/terminal access; includes the SSH certificate authority. |
| /terminal | Interactive terminal sessions and session lifecycle. |
| /rdp | Brokered RDP sessions and session recordings. |
| /audit | The tamper-evident audit trail. |
| /compliance | Compliance reporting and posture summaries. |
| /ai and /ai/access | Privacy-first AI assistance and AI access controls. |
| /jit | Just-in-time access requests, approvals, and revocation. |
| /fleet | Fleet-wide command execution across hosts. |
| /rotation | Credential rotation jobs and schedules. |
| /exposure | Credential exposure and breach detection results. |
| /integrations | Outbound security-event integrations (Slack, SIEM, webhook). |
| /hashicorp | HashiCorp Vault sync connections and operations. |
| /posture | Device posture policies and evaluation. |
| /org | Organization settings and membership. |
| /teams | Teams within an org and their membership. |
| /api-tokens | Scoped API tokens for programmatic access. |
| /scim/v2 | SCIM 2.0 user and group provisioning. |
| /events/v1 | Paginated pull export of the audit event stream. |
| /billing | Subscription, plan, and billing operations. |
| /license | License activation and status (self-hosted). |
| /health | Liveness check. |
| /readyz | Readiness check (dependencies reachable). |
| /metrics | Prometheus metrics endpoint. |
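The following is an added example, not VaultTerm's own client code, that ties together the bearer-token authentication described above and the paginated pull of `/events/v1` from the table. It assumes the route groups live under the `/api` prefix shown in the curl example, that an unauthenticated or revoked token yields a 401 and an out-of-scope token a 403, and that the events endpoint pages with a `cursor` query parameter and a `next_cursor` field in the response; none of those details are stated on this page, so treat them as assumptions to check against your deployment. The token is read from the environment so it never lands in source or shell history, and the canned responses at the bottom are constructed so the client can be exercised offline.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, Tuple

# Assumed deployment values (not from the page): base URL and a scoped API
# token read from the environment so the token never lands in source or logs.
BASE_URL = os.environ.get("VAULTTERM_URL", "https://your-host.example.com")
TOKEN = os.environ.get("VAULTTERM_TOKEN", "")

# A transport takes (method, url, headers) and returns (status, body bytes).
# Real traffic goes through urllib; the constructed fake below is for offline use.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]


class ApiError(Exception):
    """Raised for any non-2xx response; the message never includes the token."""


def auth_headers(token: str) -> Dict[str, str]:
    """Build the bearer header the API expects, exactly as in the curl example."""
    if not token:
        raise ValueError("VAULTTERM_TOKEN is not set")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Live transport: one HTTPS request, returning the status even on errors."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def api_get(path: str, token: str, transport: Transport = urllib_transport,
            base_url: str = BASE_URL) -> dict:
    """GET a JSON resource, mapping the two auth failure modes to clear errors."""
    status, body = transport("GET", base_url + path, auth_headers(token))
    if status == 401:
        raise ApiError("401: token missing, expired or revoked")
    if status == 403:
        raise ApiError(f"403: token scope does not cover {path}")
    if status >= 400:
        raise ApiError(f"{path}: HTTP {status}")
    return json.loads(body)


def iter_events(token: str, transport: Transport = urllib_transport,
                base_url: str = BASE_URL) -> Iterator[dict]:
    """Walk the audit stream page by page. Assumed response shape (hypothetical):
    {"events": [...], "next_cursor": "<opaque>" or null}."""
    cursor = None
    while True:
        path = "/api/events/v1"
        if cursor:
            path += "?cursor=" + urllib.parse.quote(cursor, safe="")
        page = api_get(path, token, transport, base_url)
        for event in page.get("events", []):
            yield event
        cursor = page.get("next_cursor")
        if not cursor:
            return


# Constructed canned responses so the client can be exercised without a server.
FAKE_RESPONSES = {
    "/api/events/v1": (200, {"events": [{"id": 1, "action": "vault.read"}], "next_cursor": "p2"}),
    "/api/events/v1?cursor=p2": (200, {"events": [{"id": 2, "action": "jit.approve"}], "next_cursor": None}),
    "/api/vault": (200, {"items": []}),
}


def fake_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Mimics the server's auth gate: wrong or missing bearer -> 401, unknown path -> 404."""
    if headers.get("Authorization") != "Bearer good-token":
        return 401, b'{"error":"unauthorized"}'
    path = url[len(BASE_URL):]
    status, payload = FAKE_RESPONSES.get(path, (404, {"error": "not found"}))
    return status, json.dumps(payload).encode()


def demo() -> list:
    """Pull every audit event through the fake transport; returns the event ids."""
    return [event["id"] for event in iter_events("good-token", fake_transport)]


if __name__ == "__main__":
    print(demo())
```

Swapping `fake_transport` for `urllib_transport` (the default) and exporting `VAULTTERM_TOKEN` turns `iter_events` into a real pull client; because the token is only ever placed in the header and never formatted into error messages, a failed run can be pasted into a ticket without leaking the credential. Keeping the 401 and 403 cases distinct also matters operationally: a 401 means the token itself is dead (rotate it), while a 403 means the token works but its scope is too narrow for that route group.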
## Where to go next
- API tokens and SCIM — scoped tokens and identity provisioning.
- Events API — pull the audit stream as paginated JSON.
- Integrations — push real-time security events to your own systems.