pub struct VaultApi<'a> { /* private fields */ }Implementations§
Source§impl<'a> VaultApi<'a>
impl<'a> VaultApi<'a>
Sourcepub async fn create_data_key(
&self,
params: CreateDataKeyParams,
) -> Result<CreateDataKeyResponse, Error>
pub async fn create_data_key( &self, params: CreateDataKeyParams, ) -> Result<CreateDataKeyResponse, Error>
Create a data key
Generate an isolated encryption key for local encryption operations.
Sourcepub async fn create_data_key_with_options(
&self,
params: CreateDataKeyParams,
options: Option<&RequestOptions>,
) -> Result<CreateDataKeyResponse, Error>
pub async fn create_data_key_with_options( &self, params: CreateDataKeyParams, options: Option<&RequestOptions>, ) -> Result<CreateDataKeyResponse, Error>
Variant of Self::create_data_key that accepts per-request crate::RequestOptions.
Sourcepub async fn create_decrypt(
&self,
params: CreateDecryptParams,
) -> Result<DecryptResponse, Error>
pub async fn create_decrypt( &self, params: CreateDecryptParams, ) -> Result<DecryptResponse, Error>
Decrypt a data key
Decrypt a previously encrypted data key from WorkOS Vault.
Sourcepub async fn create_decrypt_with_options(
&self,
params: CreateDecryptParams,
options: Option<&RequestOptions>,
) -> Result<DecryptResponse, Error>
pub async fn create_decrypt_with_options( &self, params: CreateDecryptParams, options: Option<&RequestOptions>, ) -> Result<DecryptResponse, Error>
Variant of Self::create_decrypt that accepts per-request crate::RequestOptions.
Sourcepub async fn create_rekey(
&self,
params: CreateRekeyParams,
) -> Result<CreateDataKeyResponse, Error>
pub async fn create_rekey( &self, params: CreateRekeyParams, ) -> Result<CreateDataKeyResponse, Error>
Re-encrypt a data key
Decrypt an existing data key and re-encrypt it under a new key context.
Sourcepub async fn create_rekey_with_options(
&self,
params: CreateRekeyParams,
options: Option<&RequestOptions>,
) -> Result<CreateDataKeyResponse, Error>
pub async fn create_rekey_with_options( &self, params: CreateRekeyParams, options: Option<&RequestOptions>, ) -> Result<CreateDataKeyResponse, Error>
Variant of Self::create_rekey that accepts per-request crate::RequestOptions.
Sourcepub async fn list_kv(
&self,
params: ListKvParams,
) -> Result<ObjectListResponse, Error>
pub async fn list_kv( &self, params: ListKvParams, ) -> Result<ObjectListResponse, Error>
List objects
List all encrypted objects with cursor-based pagination.
Sourcepub async fn list_kv_with_options(
&self,
params: ListKvParams,
options: Option<&RequestOptions>,
) -> Result<ObjectListResponse, Error>
pub async fn list_kv_with_options( &self, params: ListKvParams, options: Option<&RequestOptions>, ) -> Result<ObjectListResponse, Error>
Variant of Self::list_kv that accepts per-request crate::RequestOptions.
Sourcepub fn list_kv_auto_paging(
&self,
params: ListKvParams,
) -> impl Stream<Item = Result<ObjectSummary, Error>> + '_
pub fn list_kv_auto_paging( &self, params: ListKvParams, ) -> impl Stream<Item = Result<ObjectSummary, Error>> + '_
Returns an async futures_util::Stream that yields every ObjectSummary
across all pages, advancing the after cursor under the hood.
use futures_util::TryStreamExt;
let all: Vec<ObjectSummary> = self
.list_kv_auto_paging(params)
.try_collect()
.await?;Sourcepub async fn create_kv(
&self,
params: CreateKvParams,
) -> Result<ObjectMetadata, Error>
pub async fn create_kv( &self, params: CreateKvParams, ) -> Result<ObjectMetadata, Error>
Create an object
Encrypt and store a new key-value object.
Sourcepub async fn create_kv_with_options(
&self,
params: CreateKvParams,
options: Option<&RequestOptions>,
) -> Result<ObjectMetadata, Error>
pub async fn create_kv_with_options( &self, params: CreateKvParams, options: Option<&RequestOptions>, ) -> Result<ObjectMetadata, Error>
Variant of Self::create_kv that accepts per-request crate::RequestOptions.
Sourcepub async fn get_name(&self, name: &str) -> Result<VaultObject, Error>
pub async fn get_name(&self, name: &str) -> Result<VaultObject, Error>
Read an object by name
Fetch and decrypt an object by its unique name.
Sourcepub async fn get_name_with_options(
&self,
name: &str,
options: Option<&RequestOptions>,
) -> Result<VaultObject, Error>
pub async fn get_name_with_options( &self, name: &str, options: Option<&RequestOptions>, ) -> Result<VaultObject, Error>
Variant of Self::get_name that accepts per-request crate::RequestOptions.
Sourcepub async fn get_kv(&self, id: &str) -> Result<VaultObject, Error>
pub async fn get_kv(&self, id: &str) -> Result<VaultObject, Error>
Read an object by ID
Fetch and decrypt an object by its unique identifier.
Sourcepub async fn get_kv_with_options(
&self,
id: &str,
options: Option<&RequestOptions>,
) -> Result<VaultObject, Error>
pub async fn get_kv_with_options( &self, id: &str, options: Option<&RequestOptions>, ) -> Result<VaultObject, Error>
Variant of Self::get_kv that accepts per-request crate::RequestOptions.
Sourcepub async fn update_kv(
&self,
id: &str,
params: UpdateKvParams,
) -> Result<ObjectWithoutValue, Error>
pub async fn update_kv( &self, id: &str, params: UpdateKvParams, ) -> Result<ObjectWithoutValue, Error>
Update an object
Update the value of an existing encrypted object.
Sourcepub async fn update_kv_with_options(
&self,
id: &str,
params: UpdateKvParams,
options: Option<&RequestOptions>,
) -> Result<ObjectWithoutValue, Error>
pub async fn update_kv_with_options( &self, id: &str, params: UpdateKvParams, options: Option<&RequestOptions>, ) -> Result<ObjectWithoutValue, Error>
Variant of Self::update_kv that accepts per-request crate::RequestOptions.
Sourcepub async fn delete_kv(
&self,
id: &str,
params: DeleteKvParams,
) -> Result<DeleteObjectResponse, Error>
pub async fn delete_kv( &self, id: &str, params: DeleteKvParams, ) -> Result<DeleteObjectResponse, Error>
Delete an object
Delete an encrypted object.
Sourcepub async fn delete_kv_with_options(
&self,
id: &str,
params: DeleteKvParams,
options: Option<&RequestOptions>,
) -> Result<DeleteObjectResponse, Error>
pub async fn delete_kv_with_options( &self, id: &str, params: DeleteKvParams, options: Option<&RequestOptions>, ) -> Result<DeleteObjectResponse, Error>
Variant of Self::delete_kv that accepts per-request crate::RequestOptions.
Sourcepub async fn list_kv_metadata(
&self,
id: &str,
) -> Result<ObjectWithoutValue, Error>
pub async fn list_kv_metadata( &self, id: &str, ) -> Result<ObjectWithoutValue, Error>
Describe an object
Fetch metadata for an object without decrypting it.
Sourcepub async fn list_kv_metadata_with_options(
&self,
id: &str,
options: Option<&RequestOptions>,
) -> Result<ObjectWithoutValue, Error>
pub async fn list_kv_metadata_with_options( &self, id: &str, options: Option<&RequestOptions>, ) -> Result<ObjectWithoutValue, Error>
Variant of Self::list_kv_metadata that accepts per-request crate::RequestOptions.
Sourcepub async fn encrypt(
&self,
data: &str,
context: HashMap<String, String>,
associated_data: &str,
) -> Result<VaultEncryptResult, Error>
pub async fn encrypt( &self, data: &str, context: HashMap<String, String>, associated_data: &str, ) -> Result<VaultEncryptResult, Error>
Generates a fresh data key and locally encrypts data with AES-256-GCM.
§Security
associated_data is the only binding between the ciphertext
envelope and the calling application: the encrypted-key prefix
(encrypted_keys and its LEB128 length) sits outside the
AEAD-authenticated region. Callers MUST pass an associated_data
value that is unique per record and unguessable to an attacker
with write access to the ciphertext store (e.g., the immutable
record id mixed with an environment-scoped secret). A constant or
empty value lets an attacker who can replace stored bytes
substitute a separately-generated envelope — including their own
encrypted_keys and ciphertext — under the same context, and
decrypt will succeed against the attacker-controlled plaintext.
Sourcepub async fn decrypt(
&self,
encrypted_data: &str,
associated_data: &str,
) -> Result<String, Error>
pub async fn decrypt( &self, encrypted_data: &str, associated_data: &str, ) -> Result<String, Error>
Decrypts data previously encrypted with Self::encrypt. Calls the API to
decrypt the data key, then performs local AES-GCM decryption.
§Security
associated_data is the only authenticated binding between this
envelope and the calling application — see Self::encrypt for
the full requirement. If the value passed here is not unique per
record and unguessable, a successful return does not prove
that the stored bytes were authored by this application.
Sourcepub async fn list_kv_versions(
&self,
id: &str,
) -> Result<VersionListResponse, Error>
pub async fn list_kv_versions( &self, id: &str, ) -> Result<VersionListResponse, Error>
List object versions
Retrieve all versions for a specific object.
Sourcepub async fn list_kv_versions_with_options(
&self,
id: &str,
options: Option<&RequestOptions>,
) -> Result<VersionListResponse, Error>
pub async fn list_kv_versions_with_options( &self, id: &str, options: Option<&RequestOptions>, ) -> Result<VersionListResponse, Error>
Variant of Self::list_kv_versions that accepts per-request crate::RequestOptions.