> ## Documentation Index
> Fetch the complete documentation index at: https://onecli.sh/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# List secrets

> Returns all secrets in the current project. Secret values are never returned.



## OpenAPI

````yaml /openapi.yaml get /secrets
openapi: 3.1.0
info:
  title: OneCLI API
  version: '1.0'
  description: >
    The OneCLI API lets you manage agents, secrets, policy rules, app
    connections, and user settings programmatically.


    **Base URL:** `https://api.onecli.sh/v1` (Cloud) or
    `http://localhost:10254/v1` (self-hosted)


    ## Authentication


    All endpoints require authentication via one of:


    - **API Key** — `Authorization: Bearer <key>` header. Generate keys in the
    dashboard or via `GET /v1/user/api-key`.

    - **Session** — Cookie-based session from the web dashboard.


    For organization-scoped API keys, include the `X-Project-Id` header to
    specify which project to operate on.
servers:
  - url: https://api.onecli.sh/v1
    description: OneCLI Cloud
  - url: http://localhost:10254/v1
    description: Self-hosted (Docker)
security:
  - bearerAuth: []
tags:
  - name: Agents
    description: Manage agents and their access tokens, secrets, and configuration.
  - name: Secrets
    description: Manage credentials that the gateway injects into outbound requests.
  - name: Rules
    description: >-
      Manage policy rules that control how agents interact with external
      services.
  - name: User
    description: Manage your user profile and API keys.
  - name: Projects
    description: >-
      Manage projects within your organization. Requires admin role for
      create/update and owner role for delete. Cloud only.
  - name: Team
    description: Provision team members programmatically. Requires admin role. Cloud only.
  - name: Apps
    description: >-
      Manage app connections (OAuth and direct credentials), BYOC configuration,
      permission catalogs, and blocklists.
  - name: Connections
    description: App connections as a top-level resource.
  - name: Utility
    description: Health check and project resource summaries.
  - name: Agent Setup
    description: >-
      Endpoints agents and orchestrators use to bootstrap gateway access
      (container config, credential stubs, gateway skill).
  - name: Migration
    description: Migrate data from a self-hosted instance to OneCLI Cloud.
  - name: Organization Settings
    description: >-
      Organization-wide policy settings. Available on OneCLI Cloud and
      self-hosted Enterprise.
  - name: Organization Secrets
    description: >-
      Manage secrets at the organization level. Organization secrets apply
      across all projects. Available on OneCLI Cloud and self-hosted Enterprise.
  - name: Organization Rules
    description: >-
      Manage policy rules at the organization level. Organization rules apply
      across all projects. Available on OneCLI Cloud and self-hosted Enterprise.
  - name: Organization Connections
    description: >-
      Manage app connections at the organization level. Available on OneCLI
      Cloud and self-hosted Enterprise.
  - name: Organization App Config
    description: >-
      Connect apps (OAuth and direct credentials) and manage BYOC app
      configuration at the organization level. Available on OneCLI Cloud and
      self-hosted Enterprise.
  - name: Partner Organizations
    description: >-
      Create and manage customer organizations as a partner. Requires a Partner
      API key. Cloud only.
  - name: Partner Projects
    description: Manage projects within an unclaimed partner organization. Cloud only.
  - name: Partner Secrets
    description: >-
      Manage partner-level secrets inherited by every organization you manage.
      Cloud only.
  - name: Partner Budgets
    description: >-
      Cap how much an organization can spend on a partner LLM key. Owner or
      admin only. Cloud only.
  - name: Partner Members
    description: >-
      Manage who can sign in to your partner portal. Owner or admin only. Cloud
      only.
  - name: Organization Partner
    description: Inspect and detach an organization's partner relationship. Cloud only.
paths:
  /secrets:
    get:
      tags:
        - Secrets
      summary: List secrets
      description: >-
        Returns all secrets in the current project. Secret values are never
        returned.
      operationId: listSecrets
      responses:
        '200':
          description: List of secrets
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/Secret'
components:
  schemas:
    Secret:
      type: object
      properties:
        id:
          type: string
        name:
          type: string
        type:
          type: string
          enum:
            - anthropic
            - openai
            - generic
        valueSource:
          type: string
          enum:
            - inline
            - onepassword
          description: >-
            Where the secret value lives — stored encrypted (`inline`) or
            resolved from 1Password at request time (`onepassword`).
        opRef:
          type: string
          nullable: true
          description: >-
            1Password secret reference (`op://vault/item/field`). Only set when
            `valueSource` is `onepassword`.
        hostPattern:
          type: string
        pathPattern:
          type: string
          nullable: true
        injectionConfig:
          $ref: '#/components/schemas/InjectionConfig'
        metadata:
          type: object
          nullable: true
          description: >-
            Type-specific metadata (e.g. `authMode` for `anthropic`/`openai`
            secrets, 1Password display labels).
        scope:
          type: string
          enum:
            - project
            - organization
          description: >-
            Project lists include inherited organization secrets; use this to
            tell them apart.
        typeLabel:
          type: string
        createdAt:
          type: string
          format: date-time
    InjectionConfig:
      nullable: true
      description: >
        How the gateway injects this secret into matching outbound requests
        (generic secrets only). Exactly one variant:


        - **Header** — `{ "headerName": "Authorization", "valueFormat": "Bearer
        {value}" }`

        - **Query parameter** — `{ "paramName": "key", "paramFormat": "{value}"
        }`

        - **URL path template** — `{ "pathTemplate": "/bot{value}" }` (must
        start with `/` and contain `{value}` exactly once)

        - **URL path regex** — `{ "pathRegex": "^/bot([^/]+)",
        "pathReplacement": "/bot{value}" }` (replacement must contain `{value}`)


        Unknown or mixed keys are rejected.
      oneOf:
        - type: object
          title: Header injection
          required:
            - headerName
          properties:
            headerName:
              type: string
              minLength: 1
            valueFormat:
              type: string
              description: >-
                Value template; `{value}` is replaced with the secret (default:
                `{value}`).
          additionalProperties: false
        - type: object
          title: Query parameter injection
          required:
            - paramName
          properties:
            paramName:
              type: string
              minLength: 1
            paramFormat:
              type: string
              description: >-
                Value template; `{value}` is replaced with the secret (default:
                `{value}`).
          additionalProperties: false
        - type: object
          title: URL path template injection
          required:
            - pathTemplate
          properties:
            pathTemplate:
              type: string
              description: >-
                Path with a `{value}` hole, e.g. `/bot{value}`. Must start with
                `/` and contain `{value}` exactly once.
          additionalProperties: false
        - type: object
          title: URL path regex injection
          required:
            - pathRegex
            - pathReplacement
          properties:
            pathRegex:
              type: string
              description: Regular expression matched against the request path.
            pathReplacement:
              type: string
              description: >-
                Replacement with `$N` capture references and a `{value}` token
                for the secret.
          additionalProperties: false
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: API key obtained from the dashboard or `GET /user/api-key`

````