Featured on ListBulb

API Reference

The WRVault API lets you manage certificates and JWT keys programmatically — ideal for CI/CD pipelines and infrastructure automation. All requests are authenticated with an API key generated from your dashboard.

Base URL

https://wrvault.com/api

Content type

application/json

Authentication

Generate an API key from Dashboard → API Keys and include it in every request:

X-API-Key: wrv_live_xxxxxxxxxxxxxxxxxxxxxxxx

The JWKS endpoint (/keys/jwt/jwks/{userId}) is public and requires no key.

Rate limits

Free100 requests / day
Pro2,000 requests / day
EnterpriseUnlimited

Certificates

Generate, import, download, renew, and delete mTLS certificates via API key.

GET/certificates/mtls

Return all certificates in your account.

Example Request

curl https://wrvault.com/api/certificates/mtls \
  -H "X-API-Key: wrv_live_xxxx"

Example Response

[
  {
    "id":           "3fa85f64-...",
    "domain":       "api.example.com",
    "organization": "Acme Inc",
    "country":      "US",
    "keySize":      4096,
    "expiresAt":    "2027-05-13T00:00:00",
    "expired":      false,
    "expiringSoon": false,
    "tags":         ["prod"]
  }
]
POST/certificates/mtls/generate

Generate a new self-signed X.509 certificate. The private key is encrypted at rest and only returned on explicit download.

Request Body

domainstringrequired

Common name / domain (e.g. api.example.com).

organizationstring

Organization field (O).

countrystring

2-letter ISO country code (C).

keySizeinteger

RSA key size: 2048, 3072, or 4096. Defaults to 4096.

validityDaysinteger

Validity period in days. Defaults to 365.

Example Request

curl -X POST https://wrvault.com/api/certificates/mtls/generate \
  -H "X-API-Key: wrv_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "api.example.com",
    "organization": "Acme Inc",
    "country": "US",
    "keySize": 4096,
    "validityDays": 365
  }'

Example Response

{
  "id":        "3fa85f64-...",
  "domain":    "api.example.com",
  "expiresAt": "2027-05-13T00:00:00",
  "expired":   false
}
GET/certificates/mtls/{id}/download

Download a certificate in PEM, private key PEM, DER, or PKCS#12 format.

Query Parameters

formatstring

pem (default) | key | der | p12

passwordstring

Required when format=p12.

Example Request

# Public certificate as PEM
curl "https://wrvault.com/api/certificates/mtls/{id}/download?format=pem" \
  -H "X-API-Key: wrv_live_xxxx" -o cert.pem

# PKCS#12 bundle
curl "https://wrvault.com/api/certificates/mtls/{id}/download?format=p12&password=s3cr3t" \
  -H "X-API-Key: wrv_live_xxxx" -o bundle.p12
POST/certificates/mtls/{id}/renew

Renew a certificate with the same domain and settings. Generates a new cert, removes the old one. Does not count against your plan limit.

Example Request

curl -X POST https://wrvault.com/api/certificates/mtls/{id}/renew \
  -H "X-API-Key: wrv_live_xxxx"

Example Response

{
  "id":        "9cb12a33-...",
  "domain":    "api.example.com",
  "expiresAt": "2028-05-13T00:00:00",
  "expired":   false
}
DELETE/certificates/mtls/{id}

Permanently delete a certificate and its associated private key.

Example Request

curl -X DELETE https://wrvault.com/api/certificates/mtls/{id} \
  -H "X-API-Key: wrv_live_xxxx"

Example Response

HTTP 204 No Content

JWT Keys

Generate and manage RSA and ECDSA signing key pairs.

GET/keys/jwt

Return all JWT key pairs in your account.

Example Request

curl https://wrvault.com/api/keys/jwt \
  -H "X-API-Key: wrv_live_xxxx"

Example Response

[
  {
    "id":         "a1b2c3d4-...",
    "name":       "prod-signing-key",
    "algorithm":  "RS256",
    "kid":        "prod-2026",
    "deprecated": false,
    "createdAt":  "2026-05-13T10:00:00"
  }
]
POST/keys/jwt/generate

Generate a new RSA or ECDSA key pair. The private key is encrypted at rest and never returned in API responses.

Request Body

namestringrequired

Human-readable name for the key pair.

algorithmstringrequired

RS256 | RS384 | RS512 | ES256 | ES384 | ES512

keySizeinteger

RSA only: 2048 or 4096. Ignored for ECDSA.

Example Request

curl -X POST https://wrvault.com/api/keys/jwt/generate \
  -H "X-API-Key: wrv_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "prod-signing-key",
    "algorithm": "RS256",
    "keySize": 4096
  }'

Example Response

{
  "id":         "a1b2c3d4-...",
  "name":       "prod-signing-key",
  "algorithm":  "RS256",
  "kid":        "a1b2c3d4",
  "deprecated": false,
  "createdAt":  "2026-05-13T10:00:00"
}
GET/keys/jwt/{id}/public

Retrieve the public key in JWK or PEM format.

Query Parameters

formatstring

jwk (default) | pem

Example Request

# JWK (default)
curl "https://wrvault.com/api/keys/jwt/{id}/public" \
  -H "X-API-Key: wrv_live_xxxx"

# PEM
curl "https://wrvault.com/api/keys/jwt/{id}/public?format=pem" \
  -H "X-API-Key: wrv_live_xxxx"

Example Response

{
  "kty": "RSA",
  "n":   "0vx7agoebGcQ...",
  "e":   "AQAB",
  "alg": "RS256",
  "use": "sig",
  "kid": "prod-2026"
}
POST/keys/jwt/{id}/rotate

Generate a new key pair with the same algorithm. The previous key is marked deprecated but not deleted — tokens signed with it remain verifiable during rollover.

Example Request

curl -X POST https://wrvault.com/api/keys/jwt/{id}/rotate \
  -H "X-API-Key: wrv_live_xxxx"

Example Response

{
  "id":         "b9e1f2a0-...",
  "name":       "prod-signing-key",
  "algorithm":  "RS256",
  "kid":        "b9e1f2a0",
  "deprecated": false
}
DELETE/keys/jwt/{id}

Permanently delete a key pair. Tokens previously signed with this key will no longer be verifiable.

Example Request

curl -X DELETE https://wrvault.com/api/keys/jwt/{id} \
  -H "X-API-Key: wrv_live_xxxx"

Example Response

HTTP 204 No Content

JWKS

A public endpoint — no API key required. Point your auth server here directly.

GET/keys/jwt/jwks/{userId}public

Returns the JSON Web Key Set for a user account containing all active (non-deprecated) public keys. Updates immediately when a key is rotated. Find your user ID under Account → Profile.

Example Request

curl https://wrvault.com/api/keys/jwt/jwks/your-user-id

Example Response

{
  "keys": [
    {
      "kty": "RSA",
      "n":   "0vx7agoebGcQ...",
      "e":   "AQAB",
      "alg": "RS256",
      "use": "sig",
      "kid": "prod-2026"
    }
  ]
}

Verifying JWTs with the JWKS endpoint

import { createRemoteJWKSet, jwtVerify } from 'jose';

const JWKS = createRemoteJWKSet(
  new URL('https://wrvault.com/api/keys/jwt/jwks/<your-user-id>')
);

const { payload } = await jwtVerify(token, JWKS);

Webhooks

Receive HTTP callbacks when certificates or keys change.

GET/webhooks

List all configured webhook endpoints.

Example Request

curl https://wrvault.com/api/webhooks \
  -H "X-API-Key: wrv_live_xxxx"

Example Response

[
  {
    "id":     "w1x2y3z4-...",
    "url":    "https://your-server.com/hooks/wrvault",
    "events": ["certificate.expiring"],
    "active": true
  }
]
POST/webhooks

Register a new webhook. WRVault sends a signed POST to your URL when subscribed events occur. Payloads are signed with HMAC-SHA256 in the X-WRVault-Signature header.

Request Body

urlstringrequired

HTTPS URL to receive the webhook payload.

eventsstring[]required

Event types to subscribe to.

secretstring

Signing secret for HMAC-SHA256 signature verification.

Example Request

curl -X POST https://wrvault.com/api/webhooks \
  -H "X-API-Key: wrv_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-server.com/hooks/wrvault",
    "events": ["certificate.expiring"],
    "secret": "my-signing-secret"
  }'

Example Response

{
  "id":     "w1x2y3z4-...",
  "url":    "https://your-server.com/hooks/wrvault",
  "events": ["certificate.expiring"],
  "active": true
}

Downloads

Import into Postman or load the OpenAPI spec into your toolchain.

The Postman collection includes all endpoints pre-configured with {{baseUrl}} and {{apiKey}} variables. The OpenAPI 3.0 spec covers the same public endpoints and can be imported into Swagger UI, Insomnia, or any OpenAPI-compatible toolchain.

Postman Collection v2.1 · 14 requests across 4 folders · 12 paths in OpenAPI spec

Collection structure

Certificates6 requests
JWT Keys5 requests
JWKS (public)1 requests
Webhooks2 requests
© 2026 WRVault