This service is under active development. Features may change without notice.

API Reference

Complete HTTP API for the Sirr server. Public routes require no authentication. Protected routes require Authorization: Bearer <SIRR_API_KEY> if SIRR_API_KEY is set.

Public Routes

No authentication required.

GET /secrets/:key

Retrieve a secret value. Increments the read counter. Burns or seals the record if the read limit is reached.

// 200
{ "key": "DB_URL", "value": "postgres://..." }

// 404 — expired, burned, or not found
// 410 — sealed (delete=false, reads exhausted)

HEAD /secrets/:key

Returns metadata via headers. Does not increment the read counter.

X-Sirr-Read-Count: 3
X-Sirr-Reads-Remaining: 7    (or "unlimited")
X-Sirr-Delete: false
X-Sirr-Created-At: 1700000000
X-Sirr-Expires-At: 1700003600  (if TTL set)
X-Sirr-Status: active          (or "sealed")

// 200, 404 (not found), or 410 (sealed)

GET /health

Health check endpoint.

{ "status": "ok" }

Protected Routes

Require Authorization: Bearer <SIRR_API_KEY> if SIRR_API_KEY is set on the server.

POST /secrets

Create a new secret.

// Request
{
  "key": "DB_URL",
  "value": "postgres://...",
  "ttl_seconds": 3600,
  "max_reads": 1,
  "delete": true
}
// delete defaults to true. Set false for patchable secrets.

// 201
{ "key": "DB_URL" }

// 402 — license required (>100 secrets without SIRR_LICENSE_KEY)

PATCH /secrets/:key

Update value, max_reads, or TTL. Only works on delete=false secrets. Resets read_count to 0.

// Request (all fields optional)
{
  "value": "new-value",
  "max_reads": 10,
  "ttl_seconds": 3600
}

// 200 — updated metadata
// 404 — not found or expired
// 409 — cannot patch a delete=true secret

GET /secrets

List all secrets. Metadata only — values are never included.

{
  "secrets": [
    {
      "key": "DB_URL",
      "created_at": 1700000000,
      "expires_at": 1700003600,
      "max_reads": 1,
      "read_count": 0,
      "delete": true
    }
  ]
}

DELETE /secrets/:key

Delete a secret immediately.

{ "deleted": true }

POST /prune

Delete all expired secrets.

{ "pruned": 3 }
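The following is an added example, not part of the Sirr project or its SDKs: a minimal Python client for the routes above that sends the bearer key only to protected routes, uses HEAD to read the X-Sirr-* counters without consuming a read, and maps the documented 402/404/409/410 codes to their stated reasons. The base URL and the injectable transport are assumptions made so the client can be exercised offline.

```python
import json, urllib.request
from urllib.error import HTTPError

# Error codes and the reasons the API reference gives for them.
STATUS_REASONS = {402: "license required (>100 secrets without SIRR_LICENSE_KEY)",
                  404: "expired, burned, or not found",
                  409: "cannot patch a delete=true secret",
                  410: "sealed (delete=false, reads exhausted)"}

class SirrError(Exception): pass  # args == (status, reason)

def urllib_transport(method, url, headers, body):
    """Default transport: send the request, return (status, headers, body)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except HTTPError as err:  # 4xx/5xx land here; hand them up unchanged
        return err.code, dict(err.headers.items()), err.read()

class SirrClient:
    def __init__(self, base_url, api_key=None, transport=urllib_transport):
        self.base_url, self.api_key = base_url.rstrip("/"), api_key
        self.transport = transport  # injectable (assumption) so the client is testable offline

    def _call(self, method, path, body=None, protected=False):
        headers, data = {}, None
        if body is not None:
            headers["Content-Type"], data = "application/json", json.dumps(body).encode()
        if protected and self.api_key:  # only protected routes receive the key
            headers["Authorization"] = f"Bearer {self.api_key}"
        status, hdrs, raw = self.transport(method, self.base_url + path, headers, data)
        if status >= 400:
            raise SirrError(status, STATUS_REASONS.get(status, raw.decode(errors="replace")))
        return {k.lower(): v for k, v in hdrs.items()}, raw  # header names are case-insensitive

    def create(self, key, value, delete=True, **limits):  # limits: ttl_seconds, max_reads
        body = {"key": key, "value": value, "delete": delete, **limits}
        return json.loads(self._call("POST", "/secrets", body, protected=True)[1])

    def metadata(self, key):
        """HEAD: inspect the X-Sirr-* headers without consuming a read."""
        h, _ = self._call("HEAD", f"/secrets/{key}")
        left = h.get("x-sirr-reads-remaining", "unlimited")
        return {"read_count": int(h["x-sirr-read-count"]),
                "reads_remaining": None if left == "unlimited" else int(left),
                "delete": h.get("x-sirr-delete") == "true", "status": h.get("x-sirr-status", "active")}

    def read(self, key):
        """GET: consumes one read; the server burns or seals the record at the limit."""
        return json.loads(self._call("GET", f"/secrets/{key}")[1])["value"]
```

Check `metadata(key)["reads_remaining"]` before calling `read(key)` on a max_reads=1 secret, since the GET itself is what burns it.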

CORS

sirrd is a backend service. GET /secrets/:key deliberately returns no Access-Control-Allow-Origin header — browsers block cross-origin reads of secret values by design. Management endpoints respect SIRR_CORS_ORIGINS so a trusted admin UI on a different origin can talk to them.

Client libraries

Use an official SDK instead of calling the API directly — they handle authentication, retries, and client-side encryption.