POST /secrets
Create a secret
curl --request POST \
  --url https://api.onecli.sh/v1/secrets \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "Anthropic Production",
  "hostPattern": "api.anthropic.com",
  "valueSource": "inline",
  "value": "<string>",
  "opRef": "<string>",
  "opDisplay": {
    "vault": "<string>",
    "item": "<string>",
    "field": "<string>"
  },
  "pathPattern": "<string>",
  "injectionConfig": {
    "headerName": "<string>",
    "valueFormat": "<string>"
  }
}
'

Example response:

{
  "id": "<string>",
  "name": "<string>",
  "type": "<string>",
  "opRef": "<string>",
  "hostPattern": "<string>",
  "pathPattern": "<string>",
  "createdAt": "2023-11-07T05:31:56Z",
  "preview": "<string>"
}

Authorizations

Authorization · string · header · required

API key obtained from the dashboard or GET /user/api-key

Body

application/json

name · string · required

Required string length: 1 - 255

Example: "Anthropic Production"

type · enum<string> · required

Available options: anthropic, openai, generic

hostPattern · string · required

Hostname pattern to match (no ://, /, or spaces). A *. wildcard is only allowed as a leading subdomain and must not cover a public suffix.

Example: "api.anthropic.com"

valueSource · enum<string> · default: inline

Available options: inline, onepassword

value · string

The secret value (API key, token, etc.). Required unless valueSource is onepassword.

Required string length: 1 - 10000

opRef · string

1Password secret reference (op://vault/item/field). Required when valueSource is onepassword.

opDisplay · object

Human-readable labels of the picked 1Password vault/item/field, for display only.

pathPattern · string

Optional path pattern to match

Maximum string length: 1000

injectionConfig · Header injection · object

How the gateway injects this secret into matching outbound requests (generic secrets only). Exactly one variant:

  • Header: { "headerName": "Authorization", "valueFormat": "Bearer {value}" }
  • Query parameter: { "paramName": "key", "paramFormat": "{value}" }
  • URL path template: { "pathTemplate": "/bot{value}" } (must start with / and contain {value} exactly once)
  • URL path regex: { "pathRegex": "^/bot([^/]+)", "pathReplacement": "/bot{value}" } (replacement must contain {value})

Unknown or mixed keys are rejected.
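
A client-side pre-flight check for the body rules documented above (hostPattern constraints, the value/opRef requirement, and the one-variant rule for injectionConfig). This is an added example, not OneCLI's own code: the function names are hypothetical, and SAMPLE_PUBLIC_SUFFIXES is a small constructed stand-in for the real Public Suffix List.

```python
import re

SAMPLE_PUBLIC_SUFFIXES = {"com", "org", "net", "io", "co.uk", "github.io"}  # constructed sample, not the full list

# The four injectionConfig variants from the reference, as exact key sets.
VARIANTS = {
    "header": {"headerName", "valueFormat"},
    "query": {"paramName", "paramFormat"},
    "path_template": {"pathTemplate"},
    "path_regex": {"pathRegex", "pathReplacement"},
}

def check_host_pattern(pattern):
    """Return a list of problems with a hostPattern (empty list means it passes)."""
    base = pattern[2:] if pattern.startswith("*.") else pattern
    problems = []
    if not base or "://" in pattern or "/" in pattern or re.search(r"\s", pattern):
        problems.append("hostPattern must be a bare hostname (no ://, /, or spaces)")
    if "*" in base:
        problems.append("'*.' wildcard is only allowed as a leading subdomain")
    if pattern.startswith("*.") and base.lower() in SAMPLE_PUBLIC_SUFFIXES:
        problems.append("wildcard must not cover a public suffix")
    return problems

def check_injection_config(cfg):
    """Return a list of problems with an injectionConfig object."""
    variant = next((n for n, ks in VARIANTS.items() if ks == set(cfg)), None)
    if variant is None:
        return ["injectionConfig keys must match exactly one variant: %s" % sorted(cfg)]
    t = cfg.get("pathTemplate")
    if t is not None and (not t.startswith("/") or t.count("{value}") != 1):
        return ["pathTemplate must start with / and contain {value} exactly once"]
    if "pathReplacement" in cfg and "{value}" not in cfg["pathReplacement"]:
        return ["pathReplacement must contain {value}"]
    return []

def check_create_secret(body):
    """Pre-flight check of a POST /secrets body against the documented rules."""
    problems = check_host_pattern(body.get("hostPattern", ""))
    source = body.get("valueSource", "inline")
    if source == "onepassword" and not body.get("opRef"):
        problems.append("opRef is required when valueSource is onepassword")
    if source != "onepassword" and not body.get("value"):
        problems.append("value is required unless valueSource is onepassword")
    if "injectionConfig" in body:
        if body.get("type") != "generic":
            problems.append("injectionConfig applies to generic secrets only")
        problems += check_injection_config(body["injectionConfig"])
    return problems
```

Running this before the POST catches an over-broad hostPattern locally, before a secret is registered for injection into hosts it was never meant for.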

Response

Secret created. The response contains the core fields (id, name, type, valueSource, opRef, hostPattern, pathPattern, createdAt) plus a masked preview of inline values.

The narrowed secret representation returned by create endpoints.

id · string

name · string

type · string

valueSource · enum<string>

Available options: inline, onepassword

opRef · string

hostPattern · string

pathPattern · string | null

createdAt · string<date-time>

preview · string

Masked preview of the value (inline secrets only).