Get Secret - Get Secret
Get a specified secret from a given key vault.
The GET operation is applicable to any secret stored in Azure Key Vault. This operation requires the secrets/get permission.
GET {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=2025-07-01GET {vaultBaseUrl}/secrets/{secret-name}/{secret-version}?api-version=2025-07-01&outContentType={outContentType}URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
secret-name
|
path | True |
string |
The name of the secret. |
|
secret-version
|
path | True |
string |
The version of the secret. This URI fragment is optional. If not specified, the latest version of the secret is returned. |
|
vault
|
path | True |
string (uri) |
|
|
api-version
|
query | True |
string minLength: 1 |
The API version to use for this operation. |
|
out
|
query |
The media type (MIME type) of the certificate. If a supported format is specified, the certificate content is converted to the requested format. Currently, only PFX to PEM conversion is supported. If an unsupported format is specified, the request is rejected. If not specified, the certificate is returned in its original format without conversion. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
The request has succeeded. |
|
| Other Status Codes |
An unexpected error response. |
Security
OAuth2Auth
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| https://vault.azure.net/.default |
Examples
GetSecret
Sample request
GET https://myvault.vault.azure.net//secrets/mysecretname/4387e9f3d6e14c459867679a90fd0f79?api-version=2025-07-01
Sample response
{
"value": "mysecretvalue",
"id": "https://myvault.vault.azure.net/secrets/mysecretname/4387e9f3d6e14c459867679a90fd0f79",
"attributes": {
"enabled": true,
"created": 1493938410,
"updated": 1493938410,
"recoveryLevel": "Recoverable+Purgeable"
}
}Definitions
| Name | Description |
|---|---|
|
Content |
The media type (MIME type). |
|
Deletion |
Reflects the deletion recovery level currently in effect for secrets in the current vault. If it contains 'Purgeable', the secret can be permanently deleted by a privileged user; otherwise, only the system can purge the secret, at the end of the retention interval. |
| Error | |
|
Key |
The key vault error exception. |
|
Secret |
The secret management attributes. |
|
Secret |
A secret consisting of a value, id and its attributes. |
ContentType
The media type (MIME type).
| Value | Description |
|---|---|
| application/x-pkcs12 |
The PKCS#12 file format. |
| application/x-pem-file |
The PEM file format. |
DeletionRecoveryLevel
Reflects the deletion recovery level currently in effect for secrets in the current vault. If it contains 'Purgeable', the secret can be permanently deleted by a privileged user; otherwise, only the system can purge the secret, at the end of the retention interval.
| Value | Description |
|---|---|
| Purgeable |
Denotes a vault state in which deletion is an irreversible operation, without the possibility for recovery. This level corresponds to no protection being available against a Delete operation; the data is irretrievably lost upon accepting a Delete operation at the entity level or higher (vault, resource group, subscription etc.) |
| Recoverable+Purgeable |
Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days), unless a Purge operation is requested, or the subscription is cancelled. System wil permanently delete it after 90 days, if not recovered |
| Recoverable |
Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered |
| Recoverable+ProtectedSubscription |
Denotes a vault and subscription state in which deletion is recoverable within retention interval (90 days), immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled. System wil permanently delete it after 90 days, if not recovered |
| CustomizedRecoverable+Purgeable |
Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval, unless a Purge operation is requested, or the subscription is cancelled. |
| CustomizedRecoverable |
Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90).This level guarantees the recoverability of the deleted entity during the retention interval and while the subscription is still available. |
| CustomizedRecoverable+ProtectedSubscription |
Denotes a vault and subscription state in which deletion is recoverable, immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled when 7 <= SoftDeleteRetentionInDays < 90. This level guarantees the recoverability of the deleted entity during the retention interval, and also reflects the fact that the subscription itself cannot be cancelled. |
Error
| Name | Type | Description |
|---|---|---|
| code |
string |
The error code. |
| innererror |
The key vault server error. |
|
| message |
string |
The error message. |
KeyVaultError
The key vault error exception.
| Name | Type | Description |
|---|---|---|
| error |
The key vault server error. |
SecretAttributes
The secret management attributes.
| Name | Type | Description |
|---|---|---|
| created |
integer (unixtime) |
Creation time in UTC. |
| enabled |
boolean |
Determines whether the object is enabled. |
| exp |
integer (unixtime) |
Expiry date in UTC. |
| nbf |
integer (unixtime) |
Not before date in UTC. |
| recoverableDays |
integer (int32) |
softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. |
| recoveryLevel |
Reflects the deletion recovery level currently in effect for secrets in the current vault. If it contains 'Purgeable', the secret can be permanently deleted by a privileged user; otherwise, only the system can purge the secret, at the end of the retention interval. |
|
| updated |
integer (unixtime) |
Last updated time in UTC. |
SecretBundle
A secret consisting of a value, id and its attributes.
| Name | Type | Description |
|---|---|---|
| attributes |
The secret management attributes. |
|
| contentType |
string |
The content type of the secret. |
| id |
string |
The secret id. |
| kid |
string |
If this is a secret backing a KV certificate, then this field specifies the corresponding key backing the KV certificate. |
| managed |
boolean |
True if the secret's lifetime is managed by key vault. If this is a secret backing a certificate, then managed will be true. |
| previousVersion |
string |
The version of the previous certificate, if applicable. Applies only to certificates created after June 1, 2025. Certificates created before this date are not retroactively updated. |
| tags |
object |
Application specific metadata in the form of key-value pairs. |
| value |
string |
The secret value. |