API Reference
The WRVault API lets you manage certificates and JWT keys programmatically — ideal for CI/CD pipelines and infrastructure automation. All requests are authenticated with an API key generated from your dashboard.
Base URL
https://wrvault.com/api
Content type
application/json
Authentication
Generate an API key from Dashboard → API Keys and include it in every request:
X-API-Key: wrv_live_xxxxxxxxxxxxxxxxxxxxxxxx
The JWKS endpoint (/keys/jwt/jwks/{userId}) is public and requires no key.
Rate limits
Certificates
Generate, import, download, renew, and delete mTLS certificates via API key.
Return all certificates in your account.
Example Request
curl https://wrvault.com/api/certificates/mtls \
  -H "X-API-Key: wrv_live_xxxx"
Example Response
[
  {
    "id": "3fa85f64-...",
    "domain": "api.example.com",
    "organization": "Acme Inc",
    "country": "US",
    "keySize": 4096,
    "expiresAt": "2027-05-13T00:00:00",
    "expired": false,
    "expiringSoon": false,
    "tags": ["prod"]
  }
]
Generate a new self-signed X.509 certificate. The private key is encrypted at rest and only returned on explicit download.
Request Body
domain: Common name / domain (e.g. api.example.com).
organization: Organization field (O).
country: 2-letter ISO country code (C).
keySize: RSA key size: 2048, 3072, or 4096. Defaults to 4096.
validityDays: Validity period in days. Defaults to 365.
Example Request
curl -X POST https://wrvault.com/api/certificates/mtls/generate \
  -H "X-API-Key: wrv_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "domain": "api.example.com",
    "organization": "Acme Inc",
    "country": "US",
    "keySize": 4096,
    "validityDays": 365
  }'
Example Response
{
  "id": "3fa85f64-...",
  "domain": "api.example.com",
  "expiresAt": "2027-05-13T00:00:00",
  "expired": false
}
Download a certificate in PEM, private key PEM, DER, or PKCS#12 format.
Query Parameters
format: pem (default) | key | der | p12
password: Required when format=p12.
Example Request
# Public certificate as PEM
curl "https://wrvault.com/api/certificates/mtls/{id}/download?format=pem" \
  -H "X-API-Key: wrv_live_xxxx" -o cert.pem
# PKCS#12 bundle
curl "https://wrvault.com/api/certificates/mtls/{id}/download?format=p12&password=s3cr3t" \
  -H "X-API-Key: wrv_live_xxxx" -o bundle.p12
Renew a certificate with the same domain and settings. Generates a new cert, removes the old one. Does not count against your plan limit.
Example Request
curl -X POST https://wrvault.com/api/certificates/mtls/{id}/renew \
  -H "X-API-Key: wrv_live_xxxx"
Example Response
{
  "id": "9cb12a33-...",
  "domain": "api.example.com",
  "expiresAt": "2028-05-13T00:00:00",
  "expired": false
}
Permanently delete a certificate and its associated private key.
Example Request
curl -X DELETE https://wrvault.com/api/certificates/mtls/{id} \
  -H "X-API-Key: wrv_live_xxxx"
Example Response
HTTP 204 No Content
JWT Keys
Generate and manage RSA and ECDSA signing key pairs.
Return all JWT key pairs in your account.
Example Request
curl https://wrvault.com/api/keys/jwt \
  -H "X-API-Key: wrv_live_xxxx"
Example Response
[
  {
    "id": "a1b2c3d4-...",
    "name": "prod-signing-key",
    "algorithm": "RS256",
    "kid": "prod-2026",
    "deprecated": false,
    "createdAt": "2026-05-13T10:00:00"
  }
]
Generate a new RSA or ECDSA key pair. The private key is encrypted at rest and never returned in API responses.
Request Body
name: Human-readable name for the key pair.
algorithm: RS256 | RS384 | RS512 | ES256 | ES384 | ES512
keySize: RSA only: 2048 or 4096. Ignored for ECDSA.
Example Request
curl -X POST https://wrvault.com/api/keys/jwt/generate \
  -H "X-API-Key: wrv_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "prod-signing-key",
    "algorithm": "RS256",
    "keySize": 4096
  }'
Example Response
{
  "id": "a1b2c3d4-...",
  "name": "prod-signing-key",
  "algorithm": "RS256",
  "kid": "a1b2c3d4",
  "deprecated": false,
  "createdAt": "2026-05-13T10:00:00"
}
Retrieve the public key in JWK or PEM format.
Query Parameters
format: jwk (default) | pem
Example Request
# JWK (default)
curl "https://wrvault.com/api/keys/jwt/{id}/public" \
  -H "X-API-Key: wrv_live_xxxx"
# PEM
curl "https://wrvault.com/api/keys/jwt/{id}/public?format=pem" \
  -H "X-API-Key: wrv_live_xxxx"
Example Response
{
  "kty": "RSA",
  "n": "0vx7agoebGcQ...",
  "e": "AQAB",
  "alg": "RS256",
  "use": "sig",
  "kid": "prod-2026"
}
Generate a new key pair with the same algorithm. The previous key is marked deprecated but not deleted — tokens signed with it remain verifiable during rollover.
Example Request
curl -X POST https://wrvault.com/api/keys/jwt/{id}/rotate \
  -H "X-API-Key: wrv_live_xxxx"
Example Response
{
  "id": "b9e1f2a0-...",
  "name": "prod-signing-key",
  "algorithm": "RS256",
  "kid": "b9e1f2a0",
  "deprecated": false
}
Permanently delete a key pair. Tokens previously signed with this key will no longer be verifiable.
Example Request
curl -X DELETE https://wrvault.com/api/keys/jwt/{id} \
  -H "X-API-Key: wrv_live_xxxx"
Example Response
HTTP 204 No Content
JWKS
A public endpoint — no API key required. Point your auth server here directly.
Returns the JSON Web Key Set for a user account containing all active (non-deprecated) public keys. Updates immediately when a key is rotated. Find your user ID under Account → Profile.
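What a verifier does with this key set, shown as an added example (not WRVault's code and not part of the original page): it selects the key by kid, pins the accepted algorithm, and rejects a token whose kid is not listed in the set. The key pairs are generated locally as stand-ins for WRVault-managed keys, and makeKey, signRS256, verifyWithJwks and rotationDemo are hypothetical helper names.

```javascript
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Constructed stand-in for a WRVault-managed RS256 key: returns the public JWK
// in the shape the JWKS endpoint documents, plus the private key for signing.
function makeKey(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = { ...publicKey.export({ format: 'jwk' }), alg: 'RS256', use: 'sig', kid };
  return { jwk, privateKey };
}

// Minimal RS256 signer so the example is self-contained (the token issuer's job).
function signRS256(claims, kid, privateKey) {
  const input = `${b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Verify a compact JWT against a JWKS object (RS256 only); throws on any failure.
function verifyWithJwks(token, jwks) {
  const [h, p, s, ...rest] = token.split('.');
  if (!h || !p || s === undefined || rest.length) throw new Error('malformed token');
  const header = fromB64u(h);
  // Pin the algorithm on the verifier side instead of trusting the header.
  if (header.alg !== 'RS256') throw new Error('algorithm not allowed');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.alg === header.alg && k.use === 'sig');
  if (!jwk) throw new Error('no matching key in JWKS');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const sigOk = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = fromB64u(p);
  if (typeof claims.exp !== 'number' || claims.exp <= Date.now() / 1000) throw new Error('token expired');
  return claims;
}

// Demo with constructed keys; the kid values mirror the examples on this page.
function rotationDemo() {
  const oldKey = makeKey('prod-2026');
  const newKey = makeKey('b9e1f2a0');
  const exp = Math.floor(Date.now() / 1000) + 300;
  const token = signRS256({ sub: 'svc-a', exp }, 'prod-2026', oldKey.privateKey);
  const before = verifyWithJwks(token, { keys: [oldKey.jwk] }).sub;
  let after;
  try { after = verifyWithJwks(token, { keys: [newKey.jwk] }).sub; } catch (e) { after = e.message; }
  return { before, after };
}
console.log(rotationDemo());
```

A verifier that caches the key set should refetch it when it sees an unknown kid before rejecting the token.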
Example Request
curl https://wrvault.com/api/keys/jwt/jwks/your-user-id
Example Response
{
  "keys": [
    {
      "kty": "RSA",
      "n": "0vx7agoebGcQ...",
      "e": "AQAB",
      "alg": "RS256",
      "use": "sig",
      "kid": "prod-2026"
    }
  ]
}
Verifying JWTs with the JWKS endpoint
import { createRemoteJWKSet, jwtVerify } from 'jose';
// Fetches the public key set from the JWKS endpoint
const JWKS = createRemoteJWKSet(
  new URL('https://wrvault.com/api/keys/jwt/jwks/<your-user-id>')
);
// token: the compact JWT string to verify
const { payload } = await jwtVerify(token, JWKS);
Webhooks
Receive HTTP callbacks when certificates or keys change.
List all configured webhook endpoints.
Example Request
curl https://wrvault.com/api/webhooks \
  -H "X-API-Key: wrv_live_xxxx"
Example Response
[
  {
    "id": "w1x2y3z4-...",
    "url": "https://your-server.com/hooks/wrvault",
    "events": ["certificate.expiring"],
    "active": true
  }
]
Register a new webhook. WRVault sends a signed POST to your URL when subscribed events occur. Payloads are signed with HMAC-SHA256 in the X-WRVault-Signature header.
Request Body
url: HTTPS URL to receive the webhook payload.
events: Event types to subscribe to.
secret: Signing secret for HMAC-SHA256 signature verification.
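Receiver-side verification of the X-WRVault-Signature header, as an added example (not WRVault's code and not part of the original page). It assumes the header carries the hex-encoded HMAC-SHA256 of the raw request body, which the page does not specify; the payload fields and the helper names computeSignature, verifySignature and acceptDelivery are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// ASSUMPTION: X-WRVault-Signature carries the hex-encoded HMAC-SHA256 of the raw
// request body. The page names the algorithm and the header but not the encoding.
function computeSignature(rawBody, secret) {
  return crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// rawBody must be the exact bytes received, before any JSON parsing or re-serialising.
function verifySignature(rawBody, headerValue, secret) {
  if (typeof headerValue !== 'string') return false;
  const expected = Buffer.from(computeSignature(rawBody, secret), 'utf8');
  const received = Buffer.from(headerValue.trim().toLowerCase(), 'utf8');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// Authenticate first, parse second; returns the event object or null.
// Node's http module lower-cases header names, hence the lower-case lookup.
function acceptDelivery(rawBody, headers, secret) {
  if (!verifySignature(rawBody, headers['x-wrvault-signature'], secret)) return null;
  try {
    return JSON.parse(rawBody.toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed sample delivery: the payload fields are illustrative, not WRVault's schema.
const sampleSecret = 'my-signing-secret';
const sampleBody = Buffer.from('{"event":"certificate.expiring","domain":"api.example.com"}');
const sampleHeaders = { 'x-wrvault-signature': computeSignature(sampleBody, sampleSecret) };

console.log(acceptDelivery(sampleBody, sampleHeaders, sampleSecret));
console.log(acceptDelivery(Buffer.from('{"event":"tampered"}'), sampleHeaders, sampleSecret));
```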
Example Request
curl -X POST https://wrvault.com/api/webhooks \
  -H "X-API-Key: wrv_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://your-server.com/hooks/wrvault",
    "events": ["certificate.expiring"],
    "secret": "my-signing-secret"
  }'
Example Response
{
  "id": "w1x2y3z4-...",
  "url": "https://your-server.com/hooks/wrvault",
  "events": ["certificate.expiring"],
  "active": true
}
Downloads
Import into Postman or load the OpenAPI spec into your toolchain.
The Postman collection includes all endpoints pre-configured with {{baseUrl}} and {{apiKey}} variables. The OpenAPI 3.0 spec covers the same public endpoints and can be imported into Swagger UI, Insomnia, or any OpenAPI-compatible toolchain.
Postman Collection v2.1 · 14 requests across 4 folders · 12 paths in OpenAPI spec
Collection structure