GET /api/zsc/list
Returns metadata for every row in zsc_secrets, ordered by name.
The encrypted ciphertext and IV are stripped before the response is
serialised — only metadata leaves the server.
Auth
Admin cookie (zeq_admin) required.
Request
curl -H "Cookie: zeq_admin=$ADMIN_JWT" \
https://YOUR-FRAMEWORK/api/zsc/list
Response · 200 OK
{
"ok": true,
"count": 3,
"secrets": [
{
"id": "01928f44-...",
"name": "OPENAI_API_KEY",
"purpose_tag": null,
"bound_zid": "ZEQ-SYS",
"expires_zeqond": 2289676800,
"last_read_zeqond": 2289605442,
"read_count": 184,
"permissions": ["ZEQ07111111111"],
"created_at": "2026-05-15T08:42:11.012Z",
"updated_at": "2026-05-17T13:08:32.412Z"
},
{
"id": "01928f44-...",
"name": "STRIPE_SECRET_KEY",
"purpose_tag": "payments",
"bound_zid": "ZEQ-FOUNDATION",
"expires_zeqond": 2289676900,
"last_read_zeqond": 2289605501,
"read_count": 47,
"permissions": [],
"created_at": "2026-05-10T12:00:00.000Z",
"updated_at": "2026-05-17T13:09:01.000Z"
}
]
}
Field reference
| Field | Type | Notes |
|---|---|---|
id | UUID | Stable row identifier. |
name | string | The vault key — what callers pass to ZeqContext.read(). |
purpose_tag | string | null | Free-form label for analytics. Not enforced. |
bound_zid | string | Owning ZID. Defaults to "ZEQ-SYS". |
expires_zeqond | bigint | null | Auto-rotation target. rotationDaemon re-encrypts when currentZeqond() > expires_zeqond. |
last_read_zeqond | bigint | null | Most recent successful read. null until first read. |
read_count | integer | Lifetime successful reads. |
permissions | string[] | ZIDs additionally allowed to read (beyond bound_zid and ZEQ-SYS). |
created_at | ISO 8601 | First write. |
updated_at | ISO 8601 | Most recent metadata change (set, rotate, grant, revoke). |
Errors
| Status | error | Cause |
|---|---|---|
401 | unauthorized | Admin cookie missing/invalid. |
500 | INTERNAL_ERROR | DB unreachable. Falls back to env at the application layer, but this admin route surfaces the error directly. |
Cadence
Operator-driven — no scheduled polling. The /portal/secrets/ UI
calls this once per page load.
Related
GET /api/zsc/info/:name— single secret metadatapulse > context list— same operation, CLI- ZSC Secure Context — what the metadata means