# Store a secret
$ curl -X POST https://vault.prim.sh/v1/secrets \
-H "X-402-Payment: $TOKEN" \
-d '{"key": "openai_key", "value": "sk-...", "ttl": 3600}'
# → 402 → pay → 201
{ "id": "sec_m3x8k1", "key": "openai_key", "ttl": 3600 }
# Read it back
$ curl https://vault.prim.sh/v1/secrets/sec_m3x8k1 \
-H "X-402-Payment: $TOKEN"
{ "key": "openai_key", "value": "sk-...", "expires_at": "..." }
# Create a scoped token (read-only, 1 hour, one secret)
$ curl -X POST https://vault.prim.sh/v1/tokens \
-H "X-402-Payment: $TOKEN" \
-d '{"scope": ["sec_m3x8k1"], "perms": "read", "ttl": 3600}'
Parent agent stores API keys, spawns child agent on spawn.sh, passes a scoped vault token. Child reads only what it needs. No env vars in plaintext.
Agent rotates its own API keys on a schedule. Old keys auto-expire. Compromised key? Revoke instantly via API.
Store credentials for email.sh, ring.sh, external APIs. One vault, every secret an agent touches.
Generate a secret for a single task. TTL of 5 minutes. Auto-destroyed. No cleanup required.
POST /v1/secrets # Store a secret
GET /v1/secrets # List secrets (metadata only)
GET /v1/secrets/:id # Read secret value
PUT /v1/secrets/:id # Update value or TTL
DELETE /v1/secrets/:id # Destroy secret
POST /v1/tokens # Create scoped access token
DELETE /v1/tokens/:id # Revoke token
GET /v1/audit # Access log (who read what, when)
| Action | Cost | Notes |
|---|---|---|
| Store secret | $0.001 | Per secret/month |
| Read secret | $0.0001 | Per read |
| Scoped token | $0.0005 | Per token created |
| Audit log | Free | 30 day retention |