Donutwork Docs

Key Management Service (KMS)

Securely orchestrate sensitive credentials, enforce network-level access controls, and maintain comprehensive audit trails for cryptographic secrets.

Key Management Service (KMS) API

The Key Management Service (KMS) provides a hardened environment for the storage and lifecycle management of sensitive credentials, such as third-party API keys, service accounts, and cryptographic tokens. By using KMS, organizations keep secrets out of source code and retrieve them at runtime through audited endpoints that are protected by a bearer API token and, for the reveal endpoint, a per-secret IP whitelist.


Secret Management

Audit KMS Inventory

Retrieve a paginated directory of all KMS secret handlers associated with your organization. This endpoint provides administrative metadata and is used for secret discovery; it does not expose the underlying secret values.

GET
/2026-02-01/kms.json
Required permission: kms:read (ApiAccessPermission::KMS_READ)

Query Parameters

size (integer)
Maximum records per page (max 100).
page (integer)
Target page index for pagination; the pages block in the response reports the current and the last page.

Responses

Secret inventory successfully retrieved.

{
  "entities": "KMSEntry",
  "count": 12,
  "per_page": 100,
  "pages": {
    "current": 1,
    "max": 1
  },
  "elements": [
    {
      "id": "6835c2cd...",
      "name": "Production AWS S3 Access",
      "handler": "aws-s3-prod-credentials"
    }
  ]
}

Retrieve Secret Configuration

Fetch the detailed metadata and operational configuration for a unique KMS handler. This includes the registered IP whitelist and custom properties defined for the secret.

GET
/2026-02-01/kms/{handler}.json
Required permission: kms:read (ApiAccessPermission::KMS_READ)

Path Parameters

handler (string, required)
The unique slug/identifier of the KMS entry, supplied in the URL path.

Responses

Secret configuration retrieved.

{
  "id": "6835c2cd...",
  "name": "Production AWS S3 Access",
  "handler": "aws-s3-prod-credentials",
  "whitelist": [
    "52.1.2.3",
    "54.0.0.1"
  ],
  "properties": {
    "region": "us-east-1"
  }
}

The specified handler does not exist in the vault.

{
  "error": "This KMSEntry does not exist"
}

Secret Consumption

Decrypt & Reveal Secret

Decrypt and return the underlying secret content. Access to this endpoint is enforced by the per-secret IP whitelist in addition to the API token, and every call produces an audit entry. Use it only from backend environments to inject credentials at runtime: the returned content is the live credential, so pass it directly to the consuming client and keep it out of logs, error messages, and crash dumps.

GET
/2026-02-01/kms/reveal/{handler}.json
Required permission: kms:read (ApiAccessPermission::KMS_READ)

Path Parameters

handler (string, required)
The KMS handler identifying the secret to reveal, supplied in the URL path.

Responses

Secret successfully decrypted and returned.

{
  "content": "EXAMPLE_ACCESS_KEY_REDACTED"
}

Requesting IP is not in the authorized whitelist or permissions are insufficient.

{
  "error": "Unauthorized to reveal this KMS Entry"
}

Technical Implementation

curl --location --request GET \
'https://api.hub.donutwork.com/2026-02-01/kms/reveal/aws-s3-prod-credentials.json' \
--header 'Authorization: Bearer YOUR_API_TOKEN'

// `sdk` is an initialised Donutwork SDK client; its construction is not shown on this page.
const handler = "aws-s3-prod-credentials";
try {
  const secret = await sdk.kms.reveal(handler);
  // Hand secret.content to the consumer (for example an S3 client); never write it to logs.
  console.log(`Resource Access Granted for handler: ${handler}`);
} catch (error) {
  console.error(`Vault Access Denied: ${error.message}`);
}

Security Audit: Every call to the reveal endpoint is logged with the requesting IP, User-Agent, and timestamp. The address checked against the whitelist is the source IP as seen by the API, so hosts behind NAT or an egress gateway must whitelist the gateway's public address. Ensure your infrastructure IPs are registered in the KMS configuration to avoid 403 authorization failures.
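The following is an added example, not Donutwork's SDK or any code from this page: a minimal backend-side client for the three endpoints documented above (inventory, configuration, reveal) that walks the paginated inventory, rejects handlers that are not plain slugs before they reach the URL path, optionally compares the registered whitelist with the caller's own egress IP before issuing a reveal, and never logs the revealed value. The HTTP call is injected so the client can be exercised offline against a constructed fake of the API; the base URL is assumed from the curl example, and the 404 status for a missing handler is an assumption (the page shows that error body but not its status code). Handler names, IDs and content strings in the sample inventory are constructed placeholders.

```javascript
// Added example, not Donutwork's SDK: a small backend-side client for the three KMS
// endpoints on this page. The HTTP call is injected (fetchImpl) so it runs offline
// against the constructed fake below. Assumed: the base URL from the curl example,
// and a 404 status for a missing handler (the page shows the body, not the status).
const BASE_URL = "https://api.hub.donutwork.com/2026-02-01";

// Handlers go straight into the URL path: refuse anything that is not a plain slug
// (e.g. "../reveal/other" or "x?y=z") before a request is built.
const HANDLER_RE = /^[a-z0-9](?:[a-z0-9-]{0,126}[a-z0-9])?$/;
function assertHandler(h) {
  if (typeof h !== "string" || !HANDLER_RE.test(h)) throw new Error(`Invalid KMS handler: ${JSON.stringify(h)}`);
  return h;
}
class KmsError extends Error {
  constructor(status, message) { super(message); this.name = "KmsError"; this.status = status; }
}
class KmsClient {
  constructor(token, fetchImpl = globalThis.fetch, baseUrl = BASE_URL) {
    Object.assign(this, { token, fetch: (...args) => fetchImpl(...args), baseUrl });
  }
  async request(path) {
    const res = await this.fetch(`${this.baseUrl}${path}`, { headers: { Authorization: `Bearer ${this.token}` } });
    const body = await res.json();
    if (!res.ok) throw new KmsError(res.status, body.error ?? `HTTP ${res.status}`);
    return body;
  }
  // Walks the inventory from page 1 to pages.max, yielding each entry.
  async *listEntries(size = 100) {
    for (let page = 1; ; page++) {
      const data = await this.request(`/kms.json?size=${size}&page=${page}`);
      yield* data.elements;
      if (data.pages.current >= data.pages.max) return;
    }
  }
  getConfig(handler) { return this.request(`/kms/${assertHandler(handler)}.json`); }
  // With egressIp given, the registered whitelist is checked first so a misconfigured host
  // fails locally instead of leaving a rejected-reveal audit entry. The return value is
  // the secret itself: inject it where needed and never log it.
  async reveal(handler, egressIp) {
    const h = assertHandler(handler);
    if (egressIp !== undefined && !(await this.getConfig(h)).whitelist.includes(egressIp)) {
      throw new KmsError(403, `egress IP ${egressIp} is not whitelisted for ${h}`);
    }
    return (await this.request(`/kms/reveal/${h}.json`)).content;
  }
}

// Constructed offline stand-in for the API with the documented response shapes;
// requesterIp plays the source address the real service checks.
function makeFakeFetch(requesterIp, entries) {
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  const find = (handler) => entries.find((e) => e.handler === handler);
  return async (url) => {
    const u = new URL(url);
    const path = u.pathname.replace(/^\/2026-02-01/, "");
    let m;
    if (path === "/kms.json") {
      const size = Number(u.searchParams.get("size") ?? 100), page = Number(u.searchParams.get("page") ?? 1);
      const elements = entries.slice((page - 1) * size, page * size)
        .map(({ id, name, handler }) => ({ id, name, handler })); // no values, no whitelists
      return reply(200, { entities: "KMSEntry", count: entries.length, per_page: size,
        pages: { current: page, max: Math.max(1, Math.ceil(entries.length / size)) }, elements });
    }
    if ((m = path.match(/^\/kms\/reveal\/([^/]+)\.json$/))) {
      const e = find(m[1]);
      if (!e || !e.whitelist.includes(requesterIp)) return reply(403, { error: "Unauthorized to reveal this KMS Entry" });
      return reply(200, { content: e.content });
    }
    if ((m = path.match(/^\/kms\/([^/]+)\.json$/))) {
      const e = find(m[1]);
      if (!e) return reply(404, { error: "This KMSEntry does not exist" });
      const { content, ...meta } = e; // the metadata endpoint never exposes the value
      return reply(200, meta);
    }
    return reply(404, { error: "Not found" });
  };
}

// Constructed sample inventory; the content strings are placeholders, not credentials.
const SAMPLE_ENTRIES = [
  { id: "6835c2cd...", name: "Production AWS S3 Access", handler: "aws-s3-prod-credentials",
    whitelist: ["52.1.2.3", "54.0.0.1"], properties: { region: "us-east-1" }, content: "EXAMPLE_ACCESS_KEY_REDACTED" },
  { id: "7a1f0e00...", name: "Billing Webhook Token", handler: "billing-webhook",
    whitelist: ["10.0.0.7"], properties: {}, content: "EXAMPLE_WEBHOOK_SECRET" },
];
// Drives the client from a host whose egress IP is 52.1.2.3; the secret never reaches the output.
async function demo() {
  const client = new KmsClient("YOUR_API_TOKEN", makeFakeFetch("52.1.2.3", SAMPLE_ENTRIES));
  const out = { handlers: [] };
  for await (const e of client.listEntries(1)) out.handlers.push(e.handler); // walks two pages
  out.revealedLength = (await client.reveal("aws-s3-prod-credentials", "52.1.2.3")).length;
  const fail = async (fn, key) => { try { await fn(); } catch (err) { out[key] = err.status ? `${err.status} ${err.message}` : err.message; } };
  await fail(() => client.reveal("billing-webhook", "52.1.2.3"), "localDenied"); // refused before any reveal call
  await fail(() => client.reveal("billing-webhook"), "serverDenied");            // refused by the service
  await fail(() => client.getConfig("does-not-exist"), "missing");
  await fail(() => client.reveal("../reveal/billing-webhook"), "badHandler");
  return out;
}
```

Running `demo()` with the fake yields both handlers across two inventory pages, a successful reveal for the whitelisted handler, a local 403 when the caller's egress IP is missing from the registered whitelist, the documented "Unauthorized to reveal this KMS Entry" 403 when the check is left to the service, a 404 for an unknown handler, and a rejected slug before any request is built. Against the real API, pass no fetchImpl and supply the token from your own secret bootstrap; the local whitelist pre-check is optional and costs one extra metadata request per reveal.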
