# CryptFlare Docs

> Developer documentation for CryptFlare, a secrets management platform built on Cloudflare. Covers REST API, CLI, SDK, Terraform, sync integrations, and security architecture.

This file follows the llms.txt convention: a flat markdown index of every documentation page so AI agents can enumerate the site in a single fetch. Each link resolves to an HTML page; append `.md` to any URL for the raw markdown version.

**Agent resources**

- Full corpus: `https://docs.cryptflare.com/llms-full.txt`
- Structured page index (JSON): `https://docs.cryptflare.com/docs-index.json`
- OpenAPI spec: `https://api.cryptflare.com/v1/openapi.json`
- Per-page markdown mirrors: append `.md` to any URL

## Getting Started

- [Meet Cipher](https://docs.cryptflare.com/getting-started/cipher): CryptFlare's AI assistant that helps you manage secrets, understand policies, and navigate the platform.
- [Pricing](https://docs.cryptflare.com/getting-started/pricing): CryptFlare plans and pricing - from free to team
- [Quickstart](https://docs.cryptflare.com/getting-started/quickstart): Get up and running with CryptFlare in under 5 minutes.

## API Reference

- [Authentication](https://docs.cryptflare.com/api-reference/authentication): Passwordless authentication via email OTP. Session cookies, CSRF protection, and session lifecycle.
- [Get current user](https://docs.cryptflare.com/api-reference/authentication/get-me): GET /auth/me - returns the authenticated user with organisations, roles, and resolved permissions.
- [Log out](https://docs.cryptflare.com/api-reference/authentication/logout): POST /auth/logout - destroys the current session and clears the session cookie.
- [Request a login OTP](https://docs.cryptflare.com/api-reference/authentication/request-otp): POST /auth/login - sends a 6-digit OTP to the provided email. Identical response whether the email exists or not.
- [Verify an OTP code](https://docs.cryptflare.com/api-reference/authentication/verify-otp): POST /auth/verify - validates the 6-digit OTP code and issues a session cookie.
- [Database Backups](https://docs.cryptflare.com/api-reference/backups): Manage automated and manual database backups via the console API.
- [Delete backup](https://docs.cryptflare.com/api-reference/backups/delete-backup): DELETE /console/database/backups/:key - permanently removes a backup snapshot.
- [Download backup](https://docs.cryptflare.com/api-reference/backups/download-backup): GET /console/database/backups/:key - downloads the raw backup JSON file.
- [List backups](https://docs.cryptflare.com/api-reference/backups/list-backups): GET /console/database/backups - returns every available backup with schedule info.
- [Restore from backup](https://docs.cryptflare.com/api-reference/backups/restore-backup): POST /console/database/backups/restore - restores tables from a backup snapshot. Supports full, per-table, and per-org restore modes.
- [Trigger manual backup](https://docs.cryptflare.com/api-reference/backups/trigger-backup): POST /console/database/backups - creates an immediate backup of both databases.
- [Compliance Reports](https://docs.cryptflare.com/api-reference/compliance): Generate audit-ready compliance reports for SOC 2, PCI DSS, HIPAA, ISO 27001, GDPR, and NIST 800-53.
- [Download report](https://docs.cryptflare.com/api-reference/compliance/download-report): GET /compliance/report/:jobId/download - download the generated compliance report.
- [Generate a compliance report](https://docs.cryptflare.com/api-reference/compliance/generate-report): POST /compliance/report - queue generation of an audit-ready compliance report.
- [Get report status](https://docs.cryptflare.com/api-reference/compliance/report-status): GET /compliance/report/:jobId - poll for the status of a compliance report.
- [Data Residency](https://docs.cryptflare.com/api-reference/data-residency): Set and manage data residency regions for your organisation via the API.
- [Get data region status](https://docs.cryptflare.com/api-reference/data-residency/get-status): GET /data-region/status - returns the current region and active migration progress.
- [Set data residency region](https://docs.cryptflare.com/api-reference/data-residency/set-region): POST /data-region - sets the geographic region where organisation data is stored. Starts a migration if data already exists.
- [Dynamic Secrets](https://docs.cryptflare.com/api-reference/dynamic-secrets): Mint short-lived credentials on demand from upstream cloud providers with strict TTL and quota enforcement.
- [Create a dynamic secret config](https://docs.cryptflare.com/api-reference/dynamic-secrets/create-config): POST /dynamic-secrets/configs - register a new upstream provider integration and store encrypted root credentials.
- [Delete a dynamic secret config](https://docs.cryptflare.com/api-reference/dynamic-secrets/delete-config): DELETE /dynamic-secrets/configs/:configId - drain active leases at the provider, then hard-delete the configuration.
- [Force-revoke an irrevocable lease](https://docs.cryptflare.com/api-reference/dynamic-secrets/force-revoke-lease): POST /dynamic-secrets/leases/:leaseId/force-revoke - operator escape hatch for leases stuck in irrevocable state.
- [Get a dynamic secret config](https://docs.cryptflare.com/api-reference/dynamic-secrets/get-config): GET /dynamic-secrets/configs/:configId - fetch a single configuration without root credentials.
- [Issue a dynamic secret lease](https://docs.cryptflare.com/api-reference/dynamic-secrets/issue-lease): POST /dynamic-secrets/configs/:configId/lease - mint a fresh short-lived credential at the upstream provider.
- [List dynamic secret configs](https://docs.cryptflare.com/api-reference/dynamic-secrets/list-configs): GET /dynamic-secrets/configs - returns all dynamic secret configurations for the organisation, without root credentials.
- [List dynamic secret leases](https://docs.cryptflare.com/api-reference/dynamic-secrets/list-leases): GET /dynamic-secrets/leases - returns lease history for the organisation with optional filters.
- [Renew a dynamic secret lease](https://docs.cryptflare.com/api-reference/dynamic-secrets/renew-lease): POST /dynamic-secrets/leases/:leaseId/renew - Vault-style lease renewal bounded by max_expires_at.
- [Revoke a dynamic secret lease](https://docs.cryptflare.com/api-reference/dynamic-secrets/revoke-lease): DELETE /dynamic-secrets/leases/:leaseId - manually revoke an active lease at the upstream provider.
- [Unwrap a credential token](https://docs.cryptflare.com/api-reference/dynamic-secrets/unwrap-credentials): POST /dynamic-secrets/unwrap/:token - exchange a single-use wrap token for the underlying credentials.
- [Update a dynamic secret config](https://docs.cryptflare.com/api-reference/dynamic-secrets/update-config): PATCH /dynamic-secrets/configs/:configId - update editable fields on an existing configuration.
- [Re-run provider permission check](https://docs.cryptflare.com/api-reference/dynamic-secrets/validate-config): POST /dynamic-secrets/configs/:configId/validate - re-run the provider adapter's validate() hook against the stored root credentials and return pass/fail without modifying state.
- [Environments](https://docs.cryptflare.com/api-reference/environments): Isolated secret containers within a workspace. Create, list, and delete environments.
- [Create an environment](https://docs.cryptflare.com/api-reference/environments/create-environment): POST /environments - creates a new environment inside a workspace.
- [Delete an environment](https://docs.cryptflare.com/api-reference/environments/delete-environment): DELETE /environments/:env - permanently deletes an environment and all its secrets, pods, and version history.
- [List environments](https://docs.cryptflare.com/api-reference/environments/list-environments): GET /environments - returns all environments inside a workspace.
- [Resolve a path](https://docs.cryptflare.com/api-reference/environments/resolve-path): GET /environments/:env/resolve-path - resolves a slash-joined URL tail to an env, pod, or secret.
- [Errors](https://docs.cryptflare.com/api-reference/errors): Error response format, codes, and handling best practices
- [Event Subscriptions](https://docs.cryptflare.com/api-reference/event-subscriptions): Subscribe to audit events and receive real-time HTTP notifications with HMAC-SHA256 signed payloads.
- [Create an event subscription](https://docs.cryptflare.com/api-reference/event-subscriptions/create-subscription): POST /events/subscriptions - creates a new webhook subscription with HMAC signing.
- [Delete an event subscription](https://docs.cryptflare.com/api-reference/event-subscriptions/delete-subscription): DELETE /events/subscriptions/:subscriptionId - permanently deletes a subscription and its delivery logs.
- [Get events status](https://docs.cryptflare.com/api-reference/event-subscriptions/get-status): GET /events/status - returns whether event subscriptions are enabled for this organisation.
- [List delivery log](https://docs.cryptflare.com/api-reference/event-subscriptions/list-deliveries): GET /events/deliveries - returns recent delivery attempts across every subscription.
- [List event subscriptions](https://docs.cryptflare.com/api-reference/event-subscriptions/list-subscriptions): GET /events/subscriptions - returns every event subscription in the organisation.
- [Redeliver a failed event](https://docs.cryptflare.com/api-reference/event-subscriptions/redeliver): POST /events/deliveries/:deliveryId/redeliver - retries a single failed delivery.
- [Replay events](https://docs.cryptflare.com/api-reference/event-subscriptions/replay): POST /events/subscriptions/:subscriptionId/replay - re-sends audit events from a time range to a subscription.
- [Rotate signing secret](https://docs.cryptflare.com/api-reference/event-subscriptions/rotate-secret): POST /events/subscriptions/:subscriptionId/rotate-secret - rotates the HMAC signing secret with a 24h grace period.
- [Send a test event](https://docs.cryptflare.com/api-reference/event-subscriptions/test-subscription): POST /events/subscriptions/:subscriptionId/test - sends a test.ping event to verify connectivity and HMAC signing.
- [Toggle events](https://docs.cryptflare.com/api-reference/event-subscriptions/toggle-events): POST /events/toggle - enables or disables event subscriptions org-wide. Owner only.
- [Update an event subscription](https://docs.cryptflare.com/api-reference/event-subscriptions/update-subscription): PATCH /events/subscriptions/:subscriptionId - update name, URL, events, secret, headers, or active state.
- [Feedback](https://docs.cryptflare.com/api-reference/feedback): Submit and retrieve documentation page feedback.
- [Get feedback](https://docs.cryptflare.com/api-reference/feedback/get-feedback): GET /feedback - returns the authenticated user's feedback for a specific documentation page.
- [Submit feedback](https://docs.cryptflare.com/api-reference/feedback/submit-feedback): POST /feedback - submits a rating for a documentation page. Anonymous feedback is accepted.
- [Idempotency](https://docs.cryptflare.com/api-reference/idempotency): Safely retry mutations with the Idempotency-Key header
- [Notifications](https://docs.cryptflare.com/api-reference/notifications): In-app notification management for organisation members.
- [List notifications](https://docs.cryptflare.com/api-reference/notifications/list-notifications): GET /notifications - returns paginated in-app notifications for the authenticated user.
- [Mark all as read](https://docs.cryptflare.com/api-reference/notifications/mark-all-read): POST /notifications/mark-all-read - marks every unread notification as read in one call.
- [Mark as read](https://docs.cryptflare.com/api-reference/notifications/mark-read): PATCH /notifications/:id/read - marks a single notification as read.
- [Organisations](https://docs.cryptflare.com/api-reference/organisations): Manage organisations, members, and ownership transfers.
- [Cancel pending transfer](https://docs.cryptflare.com/api-reference/organisations/cancel-transfer): POST /organisations/:org/transfer/cancel - cancels a pending ownership transfer.
- [Create an organisation](https://docs.cryptflare.com/api-reference/organisations/create-organisation): POST /organisations - creates a new organisation and assigns the caller as owner.
- [Delete an organisation](https://docs.cryptflare.com/api-reference/organisations/delete-organisation): DELETE /organisations/:org - permanently deletes the organisation and every resource it owns.
- [Get organisation features](https://docs.cryptflare.com/api-reference/organisations/get-features): GET /organisations/:org/features - returns the org-wide enabled/disabled state of every toggleable feature.
- [Get an organisation](https://docs.cryptflare.com/api-reference/organisations/get-organisation): GET /organisations/:org - returns full details for a single organisation.
- [Get transfer status](https://docs.cryptflare.com/api-reference/organisations/get-transfer): GET /organisations/:org/transfer - returns the pending ownership transfer for the organisation, if any.
- [Get the organisation tree](https://docs.cryptflare.com/api-reference/organisations/get-tree): GET /organisations/:org/tree - returns the full workspace / environment / pod hierarchy with secret counts.
- [Initiate ownership transfer](https://docs.cryptflare.com/api-reference/organisations/initiate-transfer): POST /organisations/:org/transfer - initiates an ownership transfer to another user by email.
- [Invite a member](https://docs.cryptflare.com/api-reference/organisations/invite-member): POST /organisations/:org/members/invite - invites a user to the organisation by email.
- [List members](https://docs.cryptflare.com/api-reference/organisations/list-members): GET /organisations/:org/members - returns every member of the organisation with their role.
- [List your organisations](https://docs.cryptflare.com/api-reference/organisations/list-organisations): GET /organisations - returns every organisation the authenticated user belongs to along with the caller's role in each.
- [Remove a member](https://docs.cryptflare.com/api-reference/organisations/remove-member): DELETE /organisations/:org/members/:userId - removes a member from the organisation.
- [Toggle an organisation feature](https://docs.cryptflare.com/api-reference/organisations/toggle-feature): POST /organisations/:org/features - enable or disable a feature flag for the organisation. Owner-only.
- [Change member role](https://docs.cryptflare.com/api-reference/organisations/update-member-role): PATCH /organisations/:org/members/:userId/role - changes a member's role in the organisation.
- [Update an organisation](https://docs.cryptflare.com/api-reference/organisations/update-organisation): PATCH /organisations/:org - update the organisation name. Owner only.
- [Pagination](https://docs.cryptflare.com/api-reference/pagination): How to paginate through list endpoints
- [Pods](https://docs.cryptflare.com/api-reference/pods): Hierarchical folders for organising secrets inside an environment. Up to 5 levels deep.
- [Create a pod](https://docs.cryptflare.com/api-reference/pods/create-pod): POST /pods - creates a new pod, optionally nested under a parent pod.
- [Delete a pod](https://docs.cryptflare.com/api-reference/pods/delete-pod): DELETE /pods/:pod - deletes an empty pod. The pod must contain no secrets or sub-pods.
- [Get a pod](https://docs.cryptflare.com/api-reference/pods/get-pod): GET /pods/:pod - returns pod details including the ancestor breadcrumb chain.
- [List pods](https://docs.cryptflare.com/api-reference/pods/list-pods): GET /pods - lists pods at a given level within an environment.
- [Update a pod](https://docs.cryptflare.com/api-reference/pods/update-pod): PATCH /pods/:pod - update a pod's name, slug, or description.
- [Policies](https://docs.cryptflare.com/api-reference/policies): Attribute-based access policies and just-in-time access requests. Deny-first, priority-ordered, fully auditable.
- [Approve an access request](https://docs.cryptflare.com/api-reference/policies/approve-access-request): POST /policies/access-requests/:id/approve - approves a pending request and creates a time-limited grant.
- [Create an access request](https://docs.cryptflare.com/api-reference/policies/create-access-request): POST /policies/access-requests - submits a JIT access request for elevated permissions.
- [Create a policy](https://docs.cryptflare.com/api-reference/policies/create-policy): POST /policies - creates a new global or team-scoped access policy.
- [Delete a policy](https://docs.cryptflare.com/api-reference/policies/delete-policy): DELETE /policies/:id - permanently deletes a policy. Active JIT access grants are unaffected.
- [Deny an access request](https://docs.cryptflare.com/api-reference/policies/deny-access-request): POST /policies/access-requests/:id/deny - denies a pending access request. No grant is created.
- [Export policies](https://docs.cryptflare.com/api-reference/policies/export-policies): GET /policies/export - exports all policies as a JSON document for backup or migration.
- [Import policies](https://docs.cryptflare.com/api-reference/policies/import-policies): POST /policies/import - imports policies from an export document. Non-destructive.
- [List access grants](https://docs.cryptflare.com/api-reference/policies/list-access-grants): GET /policies/access-grants - returns every active JIT access grant. Expired grants are excluded.
- [List access requests](https://docs.cryptflare.com/api-reference/policies/list-access-requests): GET /policies/access-requests - lists pending and resolved JIT access requests.
- [List policies](https://docs.cryptflare.com/api-reference/policies/list-policies): GET /policies - returns all global policies ordered by priority (highest first).
- [Revoke an access grant](https://docs.cryptflare.com/api-reference/policies/revoke-access-grant): POST /policies/access-grants/:id/revoke - immediately revokes an active JIT access grant before it expires.
- [Simulate policy evaluation](https://docs.cryptflare.com/api-reference/policies/simulate-policy): POST /policies/simulate - dry-run policy evaluation for a given member, action, and resource.
- [Toggle a policy](https://docs.cryptflare.com/api-reference/policies/toggle-policy): POST /policies/:id/toggle - enable or disable a policy without deleting it.
- [Rate limiting](https://docs.cryptflare.com/api-reference/rate-limits): Learn about the rate limits the CryptFlare API enforces
- [Role Permissions](https://docs.cryptflare.com/api-reference/role-permissions): View and customise the permissions granted to each role in your organisation.
- [Get role permissions](https://docs.cryptflare.com/api-reference/role-permissions/get-role-permissions): GET /role-permissions - returns the effective permissions for every role in the organisation.
- [Toggle a role permission](https://docs.cryptflare.com/api-reference/role-permissions/toggle-role-permission): PATCH /role-permissions - grants or revokes a specific permission for a non-owner role.
- [Rotation Policies](https://docs.cryptflare.com/api-reference/rotation-policies): Configure automated secret rotation on a schedule with generated values.
- [Create a rotation policy](https://docs.cryptflare.com/api-reference/rotation-policies/create-policy): POST /:ws/:env/:key/rotation-policy - attaches a rotation policy to a secret.
- [Delete a rotation policy](https://docs.cryptflare.com/api-reference/rotation-policies/delete-policy): DELETE /rotation-policies/:policyId - permanently removes a rotation policy. The secret is untouched.
- [Get policy for a secret](https://docs.cryptflare.com/api-reference/rotation-policies/get-policy): GET /:ws/:env/:key/rotation-policy - returns the rotation policy attached to a specific secret, or null.
- [List rotation policies](https://docs.cryptflare.com/api-reference/rotation-policies/list-policies): GET /rotation-policies - returns every rotation policy across every workspace and environment.
- [Toggle a rotation policy](https://docs.cryptflare.com/api-reference/rotation-policies/toggle-policy): POST /rotation-policies/:policyId/toggle - pauses or resumes a rotation policy.
- [Update a rotation policy](https://docs.cryptflare.com/api-reference/rotation-policies/update-policy): PATCH /rotation-policies/:policyId - update interval, generation, or notification settings.
- [Search](https://docs.cryptflare.com/api-reference/search): Permission-aware search across workspaces, environments, secrets, and members.
- [Secrets](https://docs.cryptflare.com/api-reference/secrets): Create, read, rotate, and delete encrypted secrets. Organize with pods.
- [Batch create secrets](https://docs.cryptflare.com/api-reference/secrets/batch-create): POST /secrets/batch/create - create up to 100 secrets in a single request via an async job.
- [Batch delete secrets](https://docs.cryptflare.com/api-reference/secrets/batch-delete): POST /secrets/batch/delete - delete up to 100 secrets by key in a single request.
- [Get batch job status](https://docs.cryptflare.com/api-reference/secrets/batch-status): GET /secrets/batch/:jobId - poll for the results of a batch operation.
- [Batch update secrets](https://docs.cryptflare.com/api-reference/secrets/batch-update): POST /secrets/batch/update - rotate up to 100 secrets to new values in a single request.
- [Create a secret](https://docs.cryptflare.com/api-reference/secrets/create-secret): POST /secrets - creates a new secret with version 1. Value is encrypted with AES-256-GCM before storage.
- [Delete a secret](https://docs.cryptflare.com/api-reference/secrets/delete-secret): DELETE /secrets/:key - permanently deletes a secret and all its version history.
- [Get validation rules](https://docs.cryptflare.com/api-reference/secrets/get-rules): GET /secrets/:key/rules - returns the validation rules configured on a secret.
- [Get secret settings](https://docs.cryptflare.com/api-reference/secrets/get-settings): GET /secrets/:key/settings - returns metadata, version policy, validation rules, and auto-delete configuration.
- [List secrets](https://docs.cryptflare.com/api-reference/secrets/list-secrets): GET /secrets - returns secret key names and metadata. Values are never included in list responses.
- [List secret versions](https://docs.cryptflare.com/api-reference/secrets/list-versions): GET /secrets/:key/versions - returns the full version history of a secret (metadata only, no plaintext).
- [Move a secret to a pod](https://docs.cryptflare.com/api-reference/secrets/move-secret): PATCH /secrets/:key/move - moves a secret into a pod, or back to the root level.
- [Remove validation rules](https://docs.cryptflare.com/api-reference/secrets/remove-rules): DELETE /secrets/:key/rules - removes all validation rules from a secret.
- [Reveal a secret](https://docs.cryptflare.com/api-reference/secrets/reveal-secret): GET /secrets/:key - decrypts and returns the secret value. Logged in the audit trail.
- [Reveal a specific version](https://docs.cryptflare.com/api-reference/secrets/reveal-version): GET /secrets/:key/versions/:version - decrypts and returns a specific historical version.
- [Rotate a secret](https://docs.cryptflare.com/api-reference/secrets/rotate-secret): POST /secrets/:key/rotate - encrypts a new value, increments the version, and archives the old version.
- [Set validation rules](https://docs.cryptflare.com/api-reference/secrets/set-rules): PUT /secrets/:key/rules - replaces all validation rules on a secret.
- [Update secret settings](https://docs.cryptflare.com/api-reference/secrets/update-settings): PATCH /secrets/:key/settings - update metadata, version policy, and auto-delete configuration.
- [Service Tokens](https://docs.cryptflare.com/api-reference/service-tokens): Organisation-level API tokens for CI / CD pipelines. Not tied to any user account.
- [Create a service token](https://docs.cryptflare.com/api-reference/service-tokens/create-service-token): POST /service-tokens - generates a new organisation-level service token. Secret returned exactly once.
- [List service tokens](https://docs.cryptflare.com/api-reference/service-tokens/list-service-tokens): GET /service-tokens - returns every service token in the organisation.
- [Revoke a service token](https://docs.cryptflare.com/api-reference/service-tokens/revoke-service-token): DELETE /service-tokens/:tokenId - permanently deletes a service token. CI / CD pipelines using it will lose access immediately.
- [Enable or disable a service token](https://docs.cryptflare.com/api-reference/service-tokens/toggle-service-token): POST /service-tokens/:tokenId/toggle - disable a service token without permanently revoking it (or re-enable it).
- [Update a service token](https://docs.cryptflare.com/api-reference/service-tokens/update-service-token): PATCH /service-tokens/:tokenId - update the name, description, scopes, or IP allowlist of a service token.
- [SSO](https://docs.cryptflare.com/api-reference/sso): Configure OIDC Single Sign-On connections, group-to-role mappings, and the auth flow endpoints.
- [Check force-SSO status](https://docs.cryptflare.com/api-reference/sso/check-domain): GET /auth/sso/check - returns whether a given email domain has force-SSO enabled. No authentication required.
- [Create an SSO connection](https://docs.cryptflare.com/api-reference/sso/create-connection): POST /sso - creates a new SSO connection. Starts in a disabled state until tested.
- [Create a group mapping](https://docs.cryptflare.com/api-reference/sso/create-mapping): POST /sso/:connectionId/mappings - maps an IdP group to a CryptFlare role.
- [Delete an SSO connection](https://docs.cryptflare.com/api-reference/sso/delete-connection): DELETE /sso/:connectionId - deletes an SSO connection and every group mapping associated with it.
- [Delete a group mapping](https://docs.cryptflare.com/api-reference/sso/delete-mapping): DELETE /sso/:connectionId/mappings/:mappingId - removes an IdP group-to-role mapping.
- [Initiate SSO login](https://docs.cryptflare.com/api-reference/sso/initiate-login): GET /auth/sso/initiate - redirects the user to the IdP authorization endpoint with PKCE.
- [List SSO connections](https://docs.cryptflare.com/api-reference/sso/list-connections): GET /sso - returns every SSO connection for the organisation. Client secrets are redacted.
- [List group mappings](https://docs.cryptflare.com/api-reference/sso/list-mappings): GET /sso/:connectionId/mappings - returns every IdP group-to-role mapping, ordered by priority.
- [OIDC callback](https://docs.cryptflare.com/api-reference/sso/oidc-callback): GET /auth/sso/callback/oidc - handles the authorization code callback from the identity provider.
- [Test an SSO connection](https://docs.cryptflare.com/api-reference/sso/test-connection): POST /sso/:connectionId/test - tests OIDC discovery against the configured issuer. No user login performed.
- [Toggle an SSO connection](https://docs.cryptflare.com/api-reference/sso/toggle-connection): POST /sso/:connectionId/toggle - enables or disables an SSO connection.
- [Update an SSO connection](https://docs.cryptflare.com/api-reference/sso/update-connection): PATCH /sso/:connectionId - updates an existing SSO connection's configuration.
- [Status](https://docs.cryptflare.com/api-reference/status): Public, unauthenticated endpoints for service health, incident data, and email notification subscriptions.
- [Check unsubscribe token](https://docs.cryptflare.com/api-reference/status/check-unsubscribe): POST /status/unsubscribe/check - validates a signed token and returns the current subscription state without modifying anything.
- [Get service status](https://docs.cryptflare.com/api-reference/status/get-status): GET /status - returns live service health checks, 90-day history, active incidents, maintenance windows, and platform metrics. Public and edge-cached.
- [Subscribe to notifications](https://docs.cryptflare.com/api-reference/status/subscribe): POST /status/subscribe - subscribes an email to receive incident and maintenance notifications. Public, idempotent, rate-limited.
- [Unsubscribe](https://docs.cryptflare.com/api-reference/status/unsubscribe): POST /status/unsubscribe - unsubscribe an email using a signed token from a notification email. Public, idempotent, rate-limited.
- [Support](https://docs.cryptflare.com/api-reference/support): Create and manage support tickets, upload attachments, and communicate with the CryptFlare team.
- [Add a message](https://docs.cryptflare.com/api-reference/support/add-message): POST /support/:ticketId/messages - adds a message to an existing ticket thread.
- [Close a ticket](https://docs.cryptflare.com/api-reference/support/close-ticket): POST /support/:ticketId/close - closes an open ticket. Closed tickets cannot receive new messages.
- [Create a ticket](https://docs.cryptflare.com/api-reference/support/create-ticket): POST /support - creates a new support ticket. Priority is validated against your plan tier.
- [Get ticket detail](https://docs.cryptflare.com/api-reference/support/get-ticket): GET /support/:ticketId - returns a ticket with its full message thread.
- [List tickets](https://docs.cryptflare.com/api-reference/support/list-tickets): GET /support - returns every support ticket in the organisation, newest first.
- [Upload attachment](https://docs.cryptflare.com/api-reference/support/upload-attachment): POST /support/:ticketId/upload - uploads a file as multipart/form-data. Use the returned key when adding messages.
- [Sync Connections](https://docs.cryptflare.com/api-reference/sync-connections): Push secrets to third-party platforms like GitHub, Vercel, and AWS Secrets Manager.
- [Create a sync connection](https://docs.cryptflare.com/api-reference/sync-connections/create-connection): POST /sync-connections - creates a new sync connection. Credentials are validated against the provider before saving.
- [Get drift report](https://docs.cryptflare.com/api-reference/sync-connections/get-drift): GET /sync-connections/:connectionId/drift - classifies destination secrets against CryptFlare source scope. Names only, never values.
- [List sync connections](https://docs.cryptflare.com/api-reference/sync-connections/list-connections): GET /sync-connections - returns every sync connection in the organisation. Credentials are never exposed.
- [List sync logs](https://docs.cryptflare.com/api-reference/sync-connections/list-logs): GET /sync-connections/:connectionId/logs - returns execution history for a sync connection.
- [Trigger a manual sync](https://docs.cryptflare.com/api-reference/sync-connections/trigger-sync): POST /sync-connections/:connectionId/trigger - enqueues an immediate sync job for the connection.
- [Tags](https://docs.cryptflare.com/api-reference/tags): Attach free-form labels to resources for policy scoping and compliance classification.
- [Attach a tag](https://docs.cryptflare.com/api-reference/tags/create-tag): POST /tags - attach a tag to a workspace, environment, pod, or secret.
- [Remove a tag](https://docs.cryptflare.com/api-reference/tags/delete-tag): DELETE /tags - remove a tag from a resource.
- [List org tags](https://docs.cryptflare.com/api-reference/tags/list-org-tags): GET /tags/org - list every distinct tag used in the organisation.
- [List tags for a resource](https://docs.cryptflare.com/api-reference/tags/list-tags): GET /tags - list all tags attached to a specific resource.
- [API Tokens](https://docs.cryptflare.com/api-reference/tokens): Create, update, toggle, and revoke workspace-scoped API tokens for programmatic access.
- [Create an API token](https://docs.cryptflare.com/api-reference/tokens/create-token): POST /tokens - generates a new API token. The full secret is returned exactly once.
- [List API tokens](https://docs.cryptflare.com/api-reference/tokens/list-tokens): GET /tokens - returns every API token in the organisation. Token secrets are never exposed.
- [Revoke a token](https://docs.cryptflare.com/api-reference/tokens/revoke-token): DELETE /tokens/:tokenId - permanently deletes a token. Cannot be undone.
- [Enable or disable a token](https://docs.cryptflare.com/api-reference/tokens/toggle-token): POST /tokens/:tokenId/toggle - disable a token without permanently revoking it (or re-enable it).
- [Update an API token](https://docs.cryptflare.com/api-reference/tokens/update-token): PATCH /tokens/:tokenId - update the name and / or scopes of an existing token.
- [Usage](https://docs.cryptflare.com/api-reference/usage): Check organisation resource usage, remaining quota, and plan limits.
- [Workspaces](https://docs.cryptflare.com/api-reference/workspaces): Create, list, and delete workspaces - the top-level project container inside an organisation.
- [Create a workspace](https://docs.cryptflare.com/api-reference/workspaces/create-workspace): POST /workspaces - creates a new workspace within an organisation.
- [Delete a workspace](https://docs.cryptflare.com/api-reference/workspaces/delete-workspace): DELETE /workspaces/:ws - permanently deletes the workspace and every environment, pod, secret, and token it owns.
- [Get a workspace](https://docs.cryptflare.com/api-reference/workspaces/get-workspace): GET /workspaces/:ws - returns details for a single workspace. Can look up by ID or slug.
- [List workspaces](https://docs.cryptflare.com/api-reference/workspaces/list-workspaces): GET /workspaces - returns all workspaces in an organisation.

## Guides

- [Dynamic secrets with AWS IAM (AssumeRole)](https://docs.cryptflare.com/guides/dynamic-secrets/aws): Use AWS STS AssumeRole to mint short-lived IAM credentials on demand with session policies and scoped durations
- [Dynamic secrets with Azure Service Principals](https://docs.cryptflare.com/guides/dynamic-secrets/azure): Register an Azure AD App Registration, grant the right Microsoft Graph permissions, and mint short-lived Azure credentials on demand
- [Using dynamic secrets](https://docs.cryptflare.com/guides/dynamic-secrets/usage): How to actually consume a dynamic secret lease from the CLI, your CI pipeline, local development, and Terraform
- [Idempotency Keys](https://docs.cryptflare.com/guides/idempotency): Safely retry mutations without creating duplicates by attaching an Idempotency-Key header
- [SSO with Auth0](https://docs.cryptflare.com/guides/sso/auth0): Step-by-step guide to configuring OIDC-based SSO with Auth0 in CryptFlare
- [SSO with Microsoft Entra ID](https://docs.cryptflare.com/guides/sso/entra-id): Step-by-step guide to configuring OIDC-based SSO with Microsoft Entra ID (Azure AD) in CryptFlare
- [SSO with Generic OIDC](https://docs.cryptflare.com/guides/sso/generic-oidc): Step-by-step guide to configuring SSO with any OpenID Connect provider in CryptFlare
- [SSO with Google Workspace](https://docs.cryptflare.com/guides/sso/google): Step-by-step guide to configuring OIDC-based SSO with Google Workspace in CryptFlare
- [SSO with Okta](https://docs.cryptflare.com/guides/sso/okta): Step-by-step guide to configuring OIDC-based SSO with Okta in CryptFlare
- [Sync to AWS Secrets Manager (federated)](https://docs.cryptflare.com/guides/sync/aws-federated): Step-by-step guide to setting up keyless IAM OIDC federation between AWS and CryptFlare so sync connections push secrets without storing IAM access keys
- [Sync to GCP Secret Manager (federated)](https://docs.cryptflare.com/guides/sync/gcp-federated): Step-by-step guide to setting up keyless Workload Identity Federation between GCP and CryptFlare so sync connections push secrets without a service-account JSON key
- [Sync to GitHub Actions](https://docs.cryptflare.com/guides/sync/github): Step-by-step guide to syncing CryptFlare secrets to GitHub Actions (or Codespaces / Dependabot) secrets using a PAT or GitHub App

## Security

- [Access control](https://docs.cryptflare.com/security/access-control): Role-based permissions and how CryptFlare controls who can do what
- [Audit logs](https://docs.cryptflare.com/security/audit-logs): Track every action taken in your organisation
- [Bring Your Own Key (BYOK)](https://docs.cryptflare.com/security/byok): Use your own encryption key to control how secrets are encrypted at rest
- [Security and compliance](https://docs.cryptflare.com/security/compliance): How CryptFlare protects your secrets, audit capabilities, and compliance posture
- [Compliance Reports](https://docs.cryptflare.com/security/compliance-reports): Generate and share audit-ready compliance evidence reports with auditors and compliance teams.
- [Data Residency](https://docs.cryptflare.com/security/data-residency): Control where your organisation's data is stored to meet regulatory and compliance requirements.
- [Dynamic Secrets](https://docs.cryptflare.com/security/dynamic-secrets): Mint short-lived, auto-revoked credentials on demand from upstream cloud providers. No long-lived secrets, no manual rotation, bounded blast radius.
- [Encryption](https://docs.cryptflare.com/security/encryption): How CryptFlare encrypts your secrets at rest and in transit
- [Event Subscriptions](https://docs.cryptflare.com/security/event-subscriptions): Receive real-time HTTP notifications when actions occur in your CryptFlare organisation.
- [Federated Identity](https://docs.cryptflare.com/security/federated-identity): CryptFlare runs its own OIDC issuer so sync connections can push to AWS, GCP, Azure, and Kubernetes using short-lived federated credentials instead of long-lived API keys.
- [MCP Access](https://docs.cryptflare.com/security/mcp-access): Control which tokens can reach the Model Context Protocol server at mcp.cryptflare.com. One permission gate, full audit trail, opt-in per token.
- [Notifications](https://docs.cryptflare.com/security/notifications): In-app notifications for access requests, member invites, secret rotations, and more
- [Ownership transfer](https://docs.cryptflare.com/security/ownership-transfer): Transfer organisation ownership to another member
- [Policies](https://docs.cryptflare.com/security/policies): Fine-grained, deny-first access policies that layer on top of RBAC roles
- [Roles and permissions](https://docs.cryptflare.com/security/roles): Understand the built-in roles, what each one can do, and how organisation owners can customise permissions.
- [Single Sign-On (SSO)](https://docs.cryptflare.com/security/sso): Authenticate your team through your corporate identity provider with OIDC-based SSO
- [Status Notifications](https://docs.cryptflare.com/security/status-notifications): Subscribe to email alerts for incidents and scheduled maintenance on the CryptFlare status page.
- [Secret Sync](https://docs.cryptflare.com/security/sync): Push CryptFlare secrets to third-party destinations like GitHub Actions, Vercel, and AWS Secrets Manager. One-way, auto-reconciled, identity-aware.
- [Teams](https://docs.cryptflare.com/security/teams): Group members into teams for scoped access policies and collaboration

## CLI

- [CLI authentication](https://docs.cryptflare.com/cli/authentication): How the CryptFlare CLI authenticates using the device authorization flow
- [Command reference](https://docs.cryptflare.com/cli/commands): Complete reference for all CryptFlare CLI commands
- [Auth commands](https://docs.cryptflare.com/cli/commands/auth): Authenticate and manage CLI sessions
- [Environment commands](https://docs.cryptflare.com/cli/commands/environment): Inject secrets, export in various formats, and manage environments
- [Pod commands](https://docs.cryptflare.com/cli/commands/pods): Organize secrets into hierarchical folders from the CLI
- [Resource commands](https://docs.cryptflare.com/cli/commands/resources): Manage organisations, workspaces, tokens, and config
- [Secret commands](https://docs.cryptflare.com/cli/commands/secrets): Create, read, rotate, move, and delete secrets from the CLI
- [Configuration](https://docs.cryptflare.com/cli/configuration): Configure the CryptFlare CLI defaults, credentials, and output preferences
- [CLI](https://docs.cryptflare.com/cli/overview): Manage CryptFlare secrets from your terminal

## Integrations

- [Terraform Provider](https://docs.cryptflare.com/integrations/terraform): Manage CryptFlare secrets, workspaces, environments, and pods as infrastructure-as-code with Terraform

## Changelog

- [Complete API reference](https://docs.cryptflare.com/changelog/2026-04-08-api-reference)
- [CLI device flow authentication](https://docs.cryptflare.com/changelog/2026-04-08-cli-device-flow)
- [Dark mode](https://docs.cryptflare.com/changelog/2026-04-08-dark-mode)
- [Health endpoint and status indicator](https://docs.cryptflare.com/changelog/2026-04-08-health-status)
- [Pods - organize secrets into folders](https://docs.cryptflare.com/changelog/2026-04-08-pods-support)
- [Terraform Provider](https://docs.cryptflare.com/changelog/2026-04-08-terraform-provider)

## Internal

- [Dynamic Secrets - Internal Architecture](https://docs.cryptflare.com/internal/dynamic-secrets-architecture): Schema, workflow lifecycle, cascade revoke, and provider abstraction for the dynamic secrets subsystem. Engineering team only.
- [Internal Engineering Docs](https://docs.cryptflare.com/internal/index): Private documentation for the CryptFlare platform team. Requires a valid console session.

## Secrets

- [Environments](https://docs.cryptflare.com/secrets/environments): Separate your secrets across development, staging, and production
- [Secret rotation](https://docs.cryptflare.com/secrets/rotation): Rotate secrets safely and plan for automated rotation with service syncing
- [Secret versioning](https://docs.cryptflare.com/secrets/versioning): How CryptFlare tracks every change to your secrets