vault/website/content/api-docs/secret/cubbyhole.mdx

---
layout: api
page_title: Cubbyhole - Secrets Engines - HTTP API
description: This is the API documentation for the Vault Cubbyhole secrets engine.
---

> [!IMPORTANT]  
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.

# Cubbyhole secrets engine (API)

This is the API documentation for the Vault Cubbyhole secrets engine. For
general information about the usage and operation of the Cubbyhole secrets
engine, please see the
[Vault Cubbyhole documentation](/vault/docs/secrets/cubbyhole).

This documentation assumes the Cubbyhole secrets engine is enabled at the
`/cubbyhole` path in Vault. Since it is possible to enable secrets engines at
any location, please update your API calls accordingly.

## Read secret

This endpoint retrieves the secret at the specified location.

| Method | Path               |
| :----- | :----------------- |
| `GET`  | `/cubbyhole/:path` |

### Parameters

- `path` `(string: <required>)` – Specifies the path of the secret to read.
  This is specified as part of the URL.
- `read_snapshot_id` `(string: <optional>)` - Query parameter specifing a loaded snapshot ID to
read the secret.

### Sample requests

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/cubbyhole/my-secret
```

To read the secret from a loaded snapshot with ID `2403d301-94f2-46a1-a39d-02be83e2831a`:

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    https://127.0.0.1:8200/v1/cubbyhole/my-secret?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a
```


### Sample response

```json
{
  "auth": null,
  "data": {
    "foo": "bar"
  },
  "lease_duration": 0,
  "lease_id": "",
  "renewable": false
}
```

## List secrets

This endpoint returns a list of secret entries at the specified location.
Folders are suffixed with `/`. The input must be a folder; list on a file will
not return a value. The values themselves are not accessible via this command.

| Method | Path               |
| :----- | :----------------- |
| `LIST` | `/cubbyhole/:path` |

### Parameters

- `path` `(string: <required>)` – Specifies the path of the secrets to list.
  This is specified as part of the URL.
- `read_snapshot_id` `(string: <optional>)` - Query parameter specifying the loaded snapshot ID from which Vault should read secrets for the provided path.

### Sample requests

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/cubbyhole/my-secret
```

To list the secrets from a loaded snapshot with ID `2403d301-94f2-46a1-a39d-02be83e2831a`:

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    https://127.0.0.1:8200/v1/cubbyhole/my-secret?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a"
```


### Sample response

The example below shows output for a query path of `cubbyhole/` when there are
secrets at `cubbyhole/foo` and `cubbyhole/foo/bar`; note the difference in the
two entries.

```json
{
  "auth": null,
  "data": {
    "keys": ["foo", "foo/"]
  },
  "lease_duration": 2764800,
  "lease_id": "",
  "renewable": false
}
```

## Create/Update secret

This endpoint stores a secret at the specified location.

| Method | Path               |
| :----- | :----------------- |
| `POST` | `/cubbyhole/:path` |

### Parameters

- `path` `(string: <required>)` – Specifies the path of the secrets to
  create/update. This is specified as part of the URL.

- `:key` `(string: "")` – Specifies a key in the payload, paired with an associated value, to
  be held at the given location. Multiple key/value pairs can be specified, and
  all will be returned on a read operation.

### Sample payload

```json
{
  "foo": "bar",
  "zip": "zap"
}
```

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/cubbyhole/my-secret
```

## Recover secret

[Recover](/vault/docs/concepts/integrated-storage/snapshot-recover) a secret at the specified location from the given loaded snapshot.

| Method | Path               |
| :----- | :----------------- |
| `POST` | `/cubbyhole/:path?recover_snapshot_id=:recover_snapshot_id` |

### Query parameters

- `path` `(string: <required>)` – The target path of the secrets you want to recover. 
- `recover_snapshot_id` `(string: <required>)` - The ID of a snapshot previously loaded into Vault that contains secrets at the provided path.


### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    https://127.0.0.1:8200/v1/cubbyhole/my-secret?recover_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a
```

## Delete secret

This endpoint deletes the secret at the specified location.

| Method   | Path               |
| :------- | :----------------- |
| `DELETE` | `/cubbyhole/:path` |

### Parameters

- `path` `(string: <required>)` – Specifies the path of the secret to delete.
  This is specified as part of the URL.

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/cubbyhole/my-secret
```