
Vault Tokens

The Vault Tokens API lets you store third-party API credentials (such as AI provider keys) once, then reference them by ID in your tasks. Credentials are encrypted at rest and decrypted only at execution time - your raw secrets never appear in task payloads or database records.

POST /v1/tokens
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | A human-readable label for this credential (max 100 characters) |
| value | string | Yes | The raw credential value (API key, bearer token, etc.) |

curl -X POST https://api.asyncqueue.io/v1/tokens \
  -H "Authorization: Bearer your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "OpenAI Production",
    "value": "sk-proj-abc123..."
  }'

{
  "token": {
    "id": "tok_01jrx7m2k...",
    "name": "OpenAI Production",
    "createdAt": "2026-04-09T14:00:00.000Z"
  }
}

The raw value is never returned after creation. Store the tok_* ID to reference this credential in tasks.


GET /v1/tokens

Returns all active (non-revoked) vault tokens for your team. Only metadata is returned - never the raw credential value.

curl https://api.asyncqueue.io/v1/tokens \
  -H "Authorization: Bearer your-api-key"

{
  "tokens": [
    {
      "id": "tok_01jrx7m2k...",
      "name": "OpenAI Production",
      "createdAt": "2026-04-09T14:00:00.000Z"
    },
    {
      "id": "tok_01jrx8n3p...",
      "name": "Replicate API Key",
      "createdAt": "2026-04-09T15:00:00.000Z"
    }
  ]
}

DELETE /v1/tokens/{tokenId}

Revokes a vault token. Tasks referencing a revoked token will fail at creation time with a validation error.

curl -X DELETE https://api.asyncqueue.io/v1/tokens/tok_01jrx7m2k... \
  -H "Authorization: Bearer your-api-key"

{
  "token": {
    "id": "tok_01jrx7m2k...",
    "name": "OpenAI Production",
    "revokedAt": "2026-04-10T09:00:00.000Z"
  }
}

Reference a tok_* ID anywhere you would normally put a raw credential in task headers:

curl -X POST https://api.asyncqueue.io/v1/tasks \
  -H "Authorization: Bearer your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "targetUrl": "https://api.openai.com/v1/chat/completions",
    "headers": {
      "Authorization": "tok_01jrx7m2k..."
    },
    "body": "{\"model\":\"gpt-4\",\"messages\":[{\"role\":\"user\",\"content\":\"Hello\"}]}"
  }'

At task creation, AsyncQueue validates that each tok_* reference exists and belongs to your team. At execution time, the reference is resolved to the actual credential before making the HTTP call. The raw credential never appears in the task record.

You can reference different vault tokens in different headers:

curl -X POST https://api.asyncqueue.io/v1/tasks \
  -H "Authorization: Bearer your-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "targetUrl": "https://api.example.com/generate",
    "headers": {
      "Authorization": "tok_01jrx7m2k...",
      "X-Custom-Key": "tok_01jrx8n3p..."
    }
  }'

You can mix tok_* references with regular header values. Only values starting with tok_ are resolved:

{
  "headers": {
    "Authorization": "tok_01jrx7m2k...",
    "Content-Type": "application/json",
    "X-Request-ID": "my-request-123"
  }
}
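
A pre-flight check built on the resolution rule above, as an added example that is not AsyncQueue's own code: it lints a task's headers against the IDs returned by GET /v1/tokens before the task is submitted. The header-name pattern, the function names and the sample token IDs are assumptions made for this sketch.

```python
import re

# Assumption: header names matching this pattern carry credentials.
SENSITIVE = re.compile(r"authorization|api[-_]?key|secret|token|-key$", re.I)


def active_ids(list_response):
    """Collect token IDs from a GET /v1/tokens response body."""
    return {t["id"] for t in list_response["tokens"]}


def lint_task_headers(headers, known_ids):
    """Return (header, problem) findings for one task's headers."""
    findings = []
    for name, value in headers.items():
        if value.startswith("tok_"):
            # A vault reference: it must be an active token of this team.
            if value not in known_ids:
                findings.append((name, "unknown or revoked vault token"))
        elif "tok_" in value:
            # e.g. "Bearer tok_...": only values that start with tok_ are
            # resolved, so this string would be sent as a literal.
            findings.append((name, "tok_ reference not at start of value"))
        elif SENSITIVE.search(name):
            # A literal value in a credential header stays in the payload.
            findings.append((name, "raw credential; use a tok_ reference"))
    return findings


if __name__ == "__main__":
    # Constructed sample data; the IDs and the key are placeholders.
    listing = {"tokens": [{"id": "tok_EXAMPLE_A", "name": "OpenAI Production",
                           "createdAt": "2026-04-09T14:00:00.000Z"}]}
    task_headers = {
        "Authorization": "Bearer tok_EXAMPLE_A",
        "X-Custom-Key": "sk-PLACEHOLDER",
        "X-Backup-Key": "tok_EXAMPLE_REVOKED",
        "Content-Type": "application/json",
    }
    for header, problem in lint_task_headers(task_headers, active_ids(listing)):
        print(f"{header}: {problem}")
```

Running the check in CI or in the code path that builds task payloads catches a raw key before it is written into a task, which the server-side validation of tok_* references does not cover.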

// 400 - Referencing unknown or revoked token in task headers
{"error": "Header \"Authorization\" references unknown vault token \"tok_01jrx7m2k...\""}
// 400 - Missing required fields
{"error": "name is required"}
// 404 - Token not found or already revoked
{"error": "Token not found or already revoked"}
// 503 - Vault not available
{"error": "Token vault is not configured"}

Vault token endpoints require the following scopes for OAuth applications:

| Endpoint | Required Scope |
| --- | --- |
| POST /v1/tokens | tokens:write |
| GET /v1/tokens | tokens:read |
| DELETE /v1/tokens/{id} | tokens:write |

API keys have full access to all vault endpoints by default.