> For clean Markdown of any page, append .md to the page URL.
> For a complete documentation index, see https://platform.bctrl.ai/llms.txt.
> For full documentation content, see https://platform.bctrl.ai/llms-full.txt.
> For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://platform.bctrl.ai/_mcp/server.

# Vault

> Encrypted secrets and TOTP, scoped per space and injected into runtimes by reference.

Secrets live in the vault encrypted, keyed by a name you choose - logins or standalone values. [Spaces](/sdk/spaces) mount vault prefixes, so a runtime uses a secret by reference and your code never touches the plaintext.

## Store a secret

A login secret holds a username, password, and optional TOTP:

```ts
await bctrl.vault.upsert("clients/acme/login", {
  type: "login",
  username: "agent@acme.com",
  password: process.env.ACME_PASSWORD!,
  totpSecret: process.env.ACME_TOTP!,
  origins: ["https://acme.com"],
});
```

A value secret holds a single string:

```ts
await bctrl.vault.upsert("clients/acme/api-token", {
  type: "value",
  value: process.env.ACME_TOKEN!,
});
```

## Read secrets

`get` returns metadata only; `value` returns the decrypted secret.

```ts
const meta = await bctrl.vault.get("clients/acme/login");
const secret = await bctrl.vault.value("clients/acme/login");

const { data } = await bctrl.vault.list({ prefix: "clients/acme/" });
```

## TOTP

Generate the current one-time code for a login secret that has a TOTP seed:

```ts
const { code } = await bctrl.vault.totp("clients/acme/login");
```

## Update and delete

```ts
await bctrl.vault.update("clients/acme/login", { password: "new-password" });
await bctrl.vault.delete("clients/acme/api-token");
```

## Mount into a space

Allow prefixes on the space [environment](/sdk/spaces) to give its runtimes access:

```ts
await bctrl.spaces.environment.update(space.id, {
  vault: { allow: ["clients/acme/"] },
});
```

## Next

* [Spaces](/sdk/spaces) - mount vault prefixes
* [AI Providers](/sdk/ai-providers) - model keys, stored separately
* [Account & Org](/sdk/account) - per-customer isolation