Secrets — API Reference
Package: dodil.ignite.v1 · Service: SecretService
CRUD over named, Vault-backed credential slots (a git PAT or a registry login), scoped per organization and referenced by name from builds and deploys. All four RPCs are unary.
| RPC | HTTP | Description |
|---|---|---|
| CreateSecret | POST /v1/ignite/secrets | Create or overwrite a named slot |
| GetSecret | GET /v1/ignite/secrets/{name} | Read a slot, including its value |
| ListSecrets | GET /v1/ignite/secrets | List slots (metadata only) |
| DeleteSecret | DELETE /v1/ignite/secrets/{name} | Remove a slot (idempotent) |
HTTP examples use staging (https://api.dev.dodil.io) and send camelCase JSON; gRPC examples use $IGNITE_GRPC and proto snake_case (see Conventions). Every call needs Authorization: Bearer $DODIL_TOKEN.
The SecretValue shape
A slot holds exactly one credential, modeled as a oneof — set git_secret or registry_secret, never both.
GitSecret
| Field | Type | Description |
|---|---|---|
| username | string | Git username (e.g. GitHub username; Bitbucket workspace) |
| token | string | Personal access token / app password for HTTPS clone |
RegistrySecret
| Field | Type | Description |
|---|---|---|
| username | string | Registry login |
| password | string | Registry password or token |
| server_address | string | Registry host (ghcr.io, quay.io, …). Optional; empty defaults to Docker Hub |
SecretMetadata (returned by every RPC that reports a slot)
| Field | Type | Description |
|---|---|---|
| name | string | Slot name |
| type | string | Discriminator: "git_secret" or "registry_secret" |
| created_at_ms | int64 | Creation time (epoch ms; JSON string) |
| updated_at_ms | int64 | Last-write time (epoch ms; JSON string) |
CreateSecret
POST /v1/ignite/secrets — create a slot, or overwrite an existing one with the same name (this is how you rotate). Returns metadata only.
Request
| Field | Type | Description |
|---|---|---|
| name | string | Slot name (1–64 chars; letters, digits, -, _) |
| value | SecretValue | Exactly one of git_secret / registry_secret |
HTTP
curl -X POST https://api.dev.dodil.io/v1/ignite/secrets \
  -H "Authorization: Bearer $DODIL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ghcr-pull",
    "value": {
      "registrySecret": {
        "username": "acme-bot",
        "password": "ghp_xxx",
        "serverAddress": "ghcr.io"
      }
    }
  }'
Response
CreateSecretResponse — metadata (SecretMetadata).
GetSecret
GET /v1/ignite/secrets/{name} — read a slot including its value.
Slots are not write-only: this returns the stored token/password in cleartext to the owning org. Treat the GetSecret scope as access to the credential itself — see How Secrets Work.
HTTP
curl https://api.dev.dodil.io/v1/ignite/secrets/ghcr-pull \
  -H "Authorization: Bearer $DODIL_TOKEN"
Response
GetSecretResponse — name (string), value (SecretValue — the real credential), metadata (SecretMetadata).
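An added example, not part of the Dodil API or any SDK: a client-side helper that enforces the documented name rule and the oneof before a CreateSecret call, and masks the credential fields of a GetSecret response before it reaches a log. Assumptions: "letters" in the name rule means ASCII letters, `gitSecret` is the camelCase JSON key for git_secret, and the helper names `build_create_body` and `redact` are hypothetical.

```python
import copy
import json
import re

# Assumption: "letters" in the documented name rule means ASCII letters.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Credential-bearing fields from the GitSecret / RegistrySecret tables.
SENSITIVE = {"token", "password"}


def build_create_body(name, git_secret=None, registry_secret=None):
    """Return the camelCase JSON body for POST /v1/ignite/secrets."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("name must be 1-64 chars of letters, digits, - or _")
    # The value is a oneof: exactly one variant may be set.
    if (git_secret is None) == (registry_secret is None):
        raise ValueError("set exactly one of git_secret / registry_secret")
    if git_secret is not None:
        # Assumption: gitSecret is the camelCase form of git_secret.
        value = {"gitSecret": {"username": git_secret["username"],
                               "token": git_secret["token"]}}
    else:
        reg = {"username": registry_secret["username"],
               "password": registry_secret["password"]}
        # server_address is optional; leaving it out means Docker Hub.
        if registry_secret.get("server_address"):
            reg["serverAddress"] = registry_secret["server_address"]
        value = {"registrySecret": reg}
    return json.dumps({"name": name, "value": value})


def redact(response):
    """Copy a GetSecretResponse dict with credential fields masked for logging."""
    safe = copy.deepcopy(response)
    for variant in safe.get("value", {}).values():
        for field in SENSITIVE & variant.keys():
            variant[field] = "***"
    return safe


# Constructed sample, shaped like the GetSecretResponse described above.
SAMPLE_GET = {"name": "ghcr-pull", "value": {"registrySecret": {
    "username": "acme-bot", "password": "ghp_xxx", "serverAddress": "ghcr.io"}}}

if __name__ == "__main__":
    print(json.dumps(redact(SAMPLE_GET)))
```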
ListSecrets
GET /v1/ignite/secrets — list every slot in the org. Metadata only — values are never returned here.
HTTP
curl https://api.dev.dodil.io/v1/ignite/secrets \
  -H "Authorization: Bearer $DODIL_TOKEN"
Response
ListSecretsResponse — secrets (repeated SecretMetadata).
DeleteSecret
DELETE /v1/ignite/secrets/{name} — remove a slot. Idempotent: deleting a name that doesn’t exist is not an error.
HTTP
curl -X DELETE https://api.dev.dodil.io/v1/ignite/secrets/ghcr-pull \
  -H "Authorization: Bearer $DODIL_TOKEN"
Response
DeleteSecretResponse — deleted (bool): true if a slot was removed, false if none existed.
See also
- Secrets — overview and CLI cheat-sheet
- How Secrets Work — slots, rotation, reference fields
- Bring Your Own Image · Build from Git
- Conventions — transport, auth, wire format