Skip to main content
GET
/
org
/
secrets
List organization secrets
curl --request GET \
  --url https://api.onecli.sh/v1/org/secrets \
  --header 'Authorization: Bearer <token>'
[
  {
    "id": "<string>",
    "name": "<string>",
    "opRef": "<string>",
    "hostPattern": "<string>",
    "pathPattern": "<string>",
    "injectionConfig": {
      "headerName": "<string>",
      "valueFormat": "<string>"
    },
    "metadata": {},
    "typeLabel": "<string>",
    "createdAt": "2023-11-07T05:31:56Z"
  }
]

Authorizations

Authorization
string
header
required

API key obtained from the dashboard or GET /user/api-key

Response

200 - application/json

List of organization secrets

id
string
name
string
type
enum<string>
Available options:
anthropic,
openai,
generic
valueSource
enum<string>

Where the secret value lives — stored encrypted (inline) or resolved from 1Password at request time (onepassword).

Available options:
inline,
onepassword
opRef
string | null

1Password secret reference (op://vault/item/field). Only set when valueSource is onepassword.

hostPattern
string
pathPattern
string | null
injectionConfig
Header injection · object

How the gateway injects this secret into matching outbound requests (generic secrets only). Exactly one variant:

  • Header{ "headerName": "Authorization", "valueFormat": "Bearer {value}" }
  • Query parameter{ "paramName": "key", "paramFormat": "{value}" }
  • URL path template{ "pathTemplate": "/bot{value}" } (must start with / and contain {value} exactly once)
  • URL path regex{ "pathRegex": "^/bot([^/]+)", "pathReplacement": "/bot{value}" } (replacement must contain {value})

Unknown or mixed keys are rejected.

metadata
object | null

Type-specific metadata (e.g. authMode for anthropic/openai secrets, 1Password display labels).

scope
enum<string>

Project lists include inherited organization secrets; use this to tell them apart.

Available options:
project,
organization
typeLabel
string
createdAt
string<date-time>