Sirr is in public beta — APIs may change before 1.0

API Reference

Complete HTTP API for the Sirr server. Public routes require no authentication. Protected routes require Authorization: Bearer <SIRR_MASTER_API_KEY> if SIRR_MASTER_API_KEY is set.

Public Routes

No authentication required.

GET /secrets/:id

Retrieve a secret value by ID (public dead-drop) or key (org secret). Increments the read counter. Burns or seals the record if the read limit is reached.

// 200
{ "id": "a1b2c3...", "value": "postgres://..." }

// 404 — expired, burned, or not found
// 410 — sealed (delete=false, reads exhausted)

HEAD /secrets/:id

Returns metadata via headers. Does not increment the read counter.

X-Sirr-Read-Count: 3
X-Sirr-Reads-Remaining: 7    (or "unlimited")
X-Sirr-Delete: false
X-Sirr-Created-At: 1700000000
X-Sirr-Expires-At: 1700003600  (if TTL set)
X-Sirr-Status: active          (or "sealed")

// 200, 404 (not found), or 410 (sealed)

GET /health

Health check endpoint.

{ "status": "ok" }

Protected Routes

Require Authorization: Bearer <SIRR_MASTER_API_KEY> if SIRR_MASTER_API_KEY is set on the server.

POST /secrets

Public dead drop — push a value with no key. The server generates a 256-bit hex ID and returns a shareable URL.

// Request
{
  "value": "postgres://...",
  "ttl_seconds": 3600,
  "max_reads": 1,
  "delete": true
}
// delete defaults to true. Set false for patchable secrets.

// 201
{ "id": "a1b2c3d4...", "url": "https://sirrlock.com/s/a1b2c3d4..." }

POST /orgs/:org/secrets

Org named secret — store a key-value pair scoped to an organization. Rejects duplicate keys with 409 Conflict.

// Request
{
  "key": "DB_URL",
  "value": "postgres://...",
  "ttl_seconds": 3600,
  "max_reads": 1,
  "delete": true
}

// 201
{ "key": "DB_URL" }

// 409 — duplicate key within the org

PATCH /secrets/:id

Update value, max_reads, or TTL. Only works on delete=false secrets. Resets read_count to 0.

// Request (all fields optional)
{
  "value": "new-value",
  "max_reads": 10,
  "ttl_seconds": 3600
}

// 200 — updated metadata
// 404 — not found or expired
// 409 — cannot patch a delete=true secret

GET /secrets

List all secrets. Metadata only — values are never included.

{
  "secrets": [
    {
      "key": "DB_URL",
      "created_at": 1700000000,
      "expires_at": 1700003600,
      "max_reads": 1,
      "read_count": 0,
      "delete": true
    }
  ]
}

DELETE /secrets/:id

Delete a secret immediately.

{ "deleted": true }

POST /prune

Delete all expired secrets.

{ "pruned": 3 }
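The read-counter, burn and seal rules described above for GET, HEAD, POST and PATCH, modelled as an added in-memory example (this is illustrative code, not sirrd's own implementation). The clock is injectable so TTL expiry can be exercised offline, and the assumption that a PATCH reset also re-opens a sealed record is marked in the comments.

```python
import secrets
import time

class SecretStore:
    def __init__(self, now=time.time):
        self.now = now    # injectable clock so TTL expiry can be exercised offline
        self.items = {}   # id -> record

    def create(self, value, ttl_seconds=None, max_reads=None, delete=True):
        sid = secrets.token_hex(32)  # 256-bit hex ID, as POST /secrets describes
        self.items[sid] = {"value": value, "delete": delete, "max_reads": max_reads, "read_count": 0,
                           "status": "active", "expires_at": None if ttl_seconds is None else self.now() + ttl_seconds}
        return sid

    def _live(self, sid):  # missing and expired records both surface as 404
        rec = self.items.get(sid)
        expired = rec is not None and rec["expires_at"] is not None and rec["expires_at"] <= self.now()
        return None if expired else rec

    def head(self, sid):  # HEAD /secrets/:id: metadata only, never touches read_count
        rec = self._live(sid)
        if rec is None:
            return 404, {}
        remaining = "unlimited" if rec["max_reads"] is None else rec["max_reads"] - rec["read_count"]
        headers = {"X-Sirr-Read-Count": rec["read_count"], "X-Sirr-Reads-Remaining": remaining,
                   "X-Sirr-Delete": rec["delete"], "X-Sirr-Status": rec["status"]}
        return (410 if rec["status"] == "sealed" else 200), headers

    def get(self, sid):  # GET /secrets/:id: counts the read; the last allowed read burns or seals
        rec = self._live(sid)
        if rec is None or rec["status"] == "sealed":
            return (404 if rec is None else 410), None
        rec["read_count"] += 1
        if rec["max_reads"] is not None and rec["read_count"] >= rec["max_reads"]:
            if rec["delete"]:
                del self.items[sid]       # burn: record is gone, later calls see 404
            else:
                rec["status"] = "sealed"  # seal: kept for PATCH, further reads answer 410
        return 200, rec["value"]

    def patch(self, sid, **fields):  # PATCH /secrets/:id: delete=false only; resets read_count
        rec = self._live(sid)
        if rec is None or rec["delete"]:
            return 404 if rec is None else 409
        if "ttl_seconds" in fields:
            fields["expires_at"] = self.now() + fields.pop("ttl_seconds")
        rec.update(fields)  # value and/or max_reads, all optional
        rec["read_count"], rec["status"] = 0, "active"  # assumed: the reset also re-opens a sealed record
        return 200
```

Exercising the model end to end shows the difference a client will see between a burned secret (404 forever) and a sealed one (410 until it is patched).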

CORS

sirrd is a backend service. GET /secrets/:key deliberately returns no Access-Control-Allow-Origin header — browsers block cross-origin reads of secret values by design. Management endpoints respect SIRR_CORS_ORIGINS so a trusted admin UI on a different origin can talk to them.

Client libraries

Use an official SDK instead of calling the API directly — they handle authentication, retries, and client-side encryption.