Resources

Vault

View as Markdown

The vault stores secrets such as login credentials, API keys, and TOTP seeds. Mount vault prefixes to spaces so hosted agents and runtime workflows can access only the secrets they need.

Access the vault through bctrl.vault.

Get a secret

1const credential = await bctrl.vault.get("prod/crm/salesforce");
2
3if (credential) {
4  console.log(credential.username);
5}

Set a secret

1await bctrl.vault.set("prod/crm/salesforce", {
2  username: "[email protected]",
3  password: process.env.SALESFORCE_PASSWORD!,
4  totp: process.env.SALESFORCE_TOTP_SEED!,
5  origins: ["https://login.salesforce.com"],
6  label: "Salesforce Bot",
7});

List secrets

1const keys = await bctrl.vault.list("prod/crm/");

List with metadata when you need filters or details.

1const entries = await bctrl.vault.list({
2  meta: true,
3  prefix: "prod/",
4  hasTotp: true,
5  limit: 50,
6});

Generate a TOTP code

1const code = await bctrl.vault.totp("prod/crm/salesforce");

Delete a secret

1await bctrl.vault.delete("prod/crm/salesforce");

Mount vault access to a space

Vault access is scoped by key prefix.

1const space = await bctrl.spaces.create({
2  name: "crm-agent",
3  mounts: {
4    vault: {
5      allow: ["prod/crm/"],
6      deny: ["prod/admin/"],
7      allowRawReads: true,
8    },
9  },
10});