API Reference

Vault's backend API is built with Hono and runs on Cloudflare Workers, providing a fast, globally distributed API.

Base URLs

Environment	Base URL
Production	`https://vault-api.workers.dev`
Staging	`https://vault-api-staging.workers.dev`

Authentication

Most endpoints require a valid JWT token in the Authorization header:

curl -H "Authorization: Bearer <token>" \
  https://vault-api.workers.dev/vault

API Sections

Authentication

WebAuthn registration, login, and session management.

Vaults

Create, read, update, and delete encrypted vaults.

Sharing

Vault sharing invitations and shared vault access.

Quick Reference

Authentication Endpoints

Method	Endpoint	Description
`POST`	`/auth/register/options`	Get WebAuthn registration options
`POST`	`/auth/register/verify`	Complete registration
`POST`	`/auth/login/options`	Get WebAuthn login options
`POST`	`/auth/login/verify`	Complete login
`POST`	`/auth/session/logout`	End session
`GET`	`/auth/session/status`	Check authentication status

CLI Authentication

Method	Endpoint	Description
`POST`	`/auth/cli/session`	Create CLI auth session
`GET`	`/auth/cli/session/:id`	Poll session status
`POST`	`/auth/cli/session/:id/complete`	Complete CLI session

Vault Endpoints

Method	Endpoint	Description
`GET`	`/vault`	List owned vaults
`POST`	`/vault`	Create new vault
`GET`	`/vault/:name`	Get vault data
`PUT`	`/vault/:name`	Update vault
`DELETE`	`/vault/:name`	Delete vault

Sharing Endpoints

Method	Endpoint	Description
`POST`	`/vault/:name/share`	Share vault with user
`GET`	`/shared`	List shared vaults
`GET`	`/shared/:ownerId/:name`	Get shared vault
`GET`	`/invitations`	List pending invitations
`POST`	`/invitations/:id/accept`	Accept invitation

Response Format

All responses are JSON with consistent structure:

Success Response

{
  "data": { ... },
  "success": true
}

Error Response

{
  "error": "Error message",
  "code": "ERROR_CODE",
  "success": false
}

Error Codes

Code	HTTP Status	Description
`UNAUTHORIZED`	401	Missing or invalid token
`FORBIDDEN`	403	Insufficient permissions
`NOT_FOUND`	404	Resource not found
`CONFLICT`	409	Version conflict (optimistic locking)
`VALIDATION_ERROR`	400	Invalid request data

Rate Limiting

API requests are rate-limited per IP address:

Endpoint Type	Limit
Auth endpoints	10 req/min
Vault operations	100 req/min
Read operations	1000 req/min

TypeScript Client

Use the typed Hono client for type-safe API calls:

import { createClient } from "@pwm/api";
 
const api = createClient("https://vault-api.workers.dev", token);
 
// Fully typed responses
const vaults = await api.vault.$get();
const vault = await api.vault[":name"].$get({ param: { name: "default" } });

Next Steps

Authentication API - WebAuthn and session management
Vaults API - Vault CRUD operations
Sharing API - Vault sharing and invitations