Salt management
Get salt
Retrieve the user’s vault salt for key derivation.
Authentication: Required
Response 200 OK:
{
  "salt": "base64-encoded-salt"
}
Response 404 Not Found — salt not yet created for this user.
Set salt
Create or update the user’s vault salt. Called once during initial vault setup.
Authentication: Required
CSRF: Required
Request body:
{
  "salt": "base64-encoded-salt"
}
The salt is generated client-side using crypto.getRandomValues() and sent to the server for storage. It is not secret — it ensures different users derive different keys from the same password.
Response 200 OK:
RSA key management
Check keys
Check whether the user has RSA keys stored and retrieve the encrypted private key.
Authentication: Required
Response 200 OK:
{
  "hasKeys": true,
  "encryptedPrivateKey": "base64-encrypted-rsa-private-key",
  "publicKey": "base64-rsa-public-key"
}
Response 200 OK (no keys):
Store keys
Store a newly generated RSA keypair. Called during vault setup after client-side key generation.
Authentication: Required
CSRF: Required
Request body:
{
  "publicKey": "base64-rsa-public-key",
  "encryptedPrivateKey": "base64-encrypted-rsa-private-key"
}
The private key is encrypted with the vault key (AES-256-GCM) before being sent to the server.
Response 201 Created:
Server-side encryption (legacy)
These endpoints use Evervault for server-side encryption. New installations should use zero-trust client-side encryption instead.
Encrypt
Authentication: Required
CSRF: Required
Request body:
{
  "data": "plaintext-to-encrypt"
}
Response 200 OK:
{
  "encrypted": "ev:encrypted-data"
}
Decrypt
Authentication: Required
CSRF: Required
Request body:
{
  "data": "ev:encrypted-data"
}
Response 200 OK:
{
  "decrypted": "plaintext-data"
}
The server-side encryption endpoints are provided for backward compatibility with Evervault-encrypted data. New vault entries should use zero-trust client-side encryption exclusively.