Back to blog
March 2, 2026 · 8 min read

Automate Your Vault —
Local HTTP API and CLI

VS
Varinder Singh
Founder, Claspt
Colorful API letter blocks on a keyboard

A vault that only works through a GUI is half a tool. Claspt ships with a local REST API and a Unix-friendly CLI so you can automate credential lookups, create pages from shell scripts, and pipe vault data into any workflow you already have.

Two Interfaces, One Vault

Claspt gives you two programmatic interfaces, both running locally inside the desktop app:

  • Local HTTP API — REST endpoints on localhost, bearer token authentication, JSON responses. Use from any language, any HTTP client.
  • CLI Tool — a claspt command with Unix-friendly output, JSON mode, and pipe compatibility. Use from your terminal, shell scripts, or CI tooling.

Both use the same encryption engine as the editor. Both shut down when you lock your vault. Both auto-commit every change to Git.

The Local HTTP API

Searching Your Vault

bash 
# Search for pages matching a query
curl http://localhost:PORT/api/search?q=aws+production \
  -H "Authorization: Bearer YOUR_TOKEN"

The search endpoint uses the same tantivy full-text engine as the app — sub-100ms results with BM25 ranking. It searches titles, tags, and non-secret content.

Reading a Page

bash 
# Read a page by title — includes decrypted secrets
curl http://localhost:PORT/api/pages/aws-production \
  -H "Authorization: Bearer YOUR_TOKEN"

When the vault is unlocked, the API returns decrypted secret block contents alongside the markdown. The response includes the page title, folder path, tags, and the full content with secrets in plaintext.

Creating a Page

bash 
# Create a new page with a secret block
curl http://localhost:PORT/api/pages \
  -X POST \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Staging API Keys",
    "folder": "Work/Backend",
    "content": "# Staging API Keys\n\nRotated on 2026-03-01.",
    "secrets": [
      {
        "label": "Stripe Test Key",
        "template": "api-key",
        "fields": {
          "service": "Stripe",
          "key": "sk_test_abc123"
        }
      }
    ]
  }'

The page is created as a standard .md file in your vault, the secret block is encrypted with AES-256-GCM, and the change is auto-committed to Git. All from a single API call.

The CLI Tool

The claspt CLI is designed for terminal workflows. It outputs human-readable text by default and structured JSON with the --json flag.

Quick Lookups

bash 
# Search your vault
claspt search "aws production"

# Read a specific page
claspt read "AWS Prod"

# Read just a specific secret from a page
claspt read "AWS Prod" --secret "Access Key"

Pipe-Friendly

bash 
# Pipe a markdown file into a new vault page
cat notes.md | claspt create --folder meetings

# Extract a secret and use it in a deploy script
export DB_PASSWORD=$(claspt read "Prod DB" --secret "password" --json | jq -r '.value')

# List all pages in a folder as JSON
claspt list --folder "Work/Backend" --json

Automation Recipes

Deploy Script with Vault Credentials

deploy.sh 
#!/bin/bash
# Pull credentials from Claspt, deploy to staging

export AWS_ACCESS_KEY=$(claspt read "AWS Staging" --secret "access_key" --json | jq -r '.value')
export AWS_SECRET_KEY=$(claspt read "AWS Staging" --secret "secret_key" --json | jq -r '.value')

aws ecs update-service \
  --cluster staging \
  --service api \
  --force-new-deployment

Credential Rotation Script

rotate-keys.sh 
#!/bin/bash
# Generate a new API key and store it in the vault

NEW_KEY=$(openssl rand -hex 32)

# Update the secret in your vault
claspt update "Internal API" \
  --secret "API Key" \
  --value "$NEW_KEY"

# The change is auto-committed to Git
echo "Key rotated and saved to vault"

Post-Meeting Notes Import

bash 
# Import today's meeting notes into the vault
cat ~/Desktop/standup-2026-03-02.md | \
  claspt create \
    --title "Standup — March 2, 2026" \
    --folder "Work/Meetings" \
    --tags "standup,daily"

The Inbox Folder

There is a fourth integration surface that is even simpler: the Inbox folder. Drop any .md file into your vault's inbox directory, and Claspt automatically imports it — indexed, version-tracked, and searchable. No CLI command needed.

This is useful for workflows where another tool generates markdown output (CI logs, automated reports, meeting transcripts) and you want it in your vault without writing a script.

Security Guarantees

All four integration surfaces — MCP Server, HTTP API, CLI, and Inbox — share the same security model:

  • Vault lock = everything locks. All endpoints and CLI commands stop working the instant you lock your vault.
  • Same encryption. AES-256-GCM with unique nonces per block. No weaker "API-grade" encryption.
  • Localhost only. The API binds to 127.0.0.1. Not accessible from the network.
  • Git-tracked. Every API and CLI change is auto-committed with a full diff history.
  • Memory-safe. All decrypted values are zeroed from memory after use via Rust's zeroize crate.

All Free

The API, CLI, MCP Server, and Inbox folder are all included in the free tier. No subscription gates on developer tooling. Download Claspt, unlock your vault, and start automating.

Try Claspt Free

Free on desktop. No account required. API, CLI, and MCP Server included.

Download Free
Previous: How to Use Claude, Cursor, and Windsurf with Your Encrypted Vault Next: Text to Diagrams — Mermaid, Graphviz, and Charts