> For clean Markdown of any page, append .md to the page URL.
> For a complete documentation index, see https://platform.bctrl.ai/llms.txt.
> For full documentation content, see https://platform.bctrl.ai/llms-full.txt.

# Vault

> Store and manage secrets that spaces and runtimes use to authenticate.

The vault stores secrets such as login credentials, API keys, and TOTP seeds. Mount vault prefixes to spaces so hosted agents and runtime workflows can access only the secrets they need.

Access the vault through `bctrl.vault`.

## Get a secret

```ts
const credential = await bctrl.vault.get("prod/crm/salesforce");

if (credential) {
  console.log(credential.username);
}
```

## Set a secret

```ts
await bctrl.vault.set("prod/crm/salesforce", {
  username: "bot@example.com",
  password: process.env.SALESFORCE_PASSWORD!,
  totp: process.env.SALESFORCE_TOTP_SEED!,
  origins: ["https://login.salesforce.com"],
  label: "Salesforce Bot",
});
```

## List secrets

```ts
const keys = await bctrl.vault.list("prod/crm/");
```

List with metadata when you need filters or details.

```ts
const entries = await bctrl.vault.list({
  meta: true,
  prefix: "prod/",
  hasTotp: true,
  limit: 50,
});
```

## Generate a TOTP code

```ts
const code = await bctrl.vault.totp("prod/crm/salesforce");
```

## Delete a secret

```ts
await bctrl.vault.delete("prod/crm/salesforce");
```

## Mount vault access to a space

Vault access is scoped by key prefix.

```ts
const space = await bctrl.spaces.create({
  name: "crm-agent",
  mounts: {
    vault: {
      allow: ["prod/crm/"],
      deny: ["prod/admin/"],
      allowRawReads: true,
    },
  },
});
```

## Related

* [Mounts & Inheritance](/sdk/core-concepts/mounts-inheritance)
* [API Reference: Vault](/api/api-reference/vault/list)