> ## Documentation Index > Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt > Use this file to discover all available pages before exploring further. # Create Internal > CreateInternal creates a secret vault for internal C1 users. ## OpenAPI ````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples post /api/v1/secrets/internal openapi: 3.1.0 info: description: The C1 API is a HTTP API for managing C1 resources. title: C1 API version: 0.1.0-alpha servers: - description: The C1 API server for the current tenant. url: https://{tenantDomain}.conductor.one variables: tenantDomain: default: example description: The domain of the tenant to use for this request. security: - bearerAuth: [] oauth: [] paths: /api/v1/secrets/internal: post: tags: - Secrets summary: Create Internal description: CreateInternal creates a secret vault for internal C1 users. operationId: c1.api.secrets.v1.PaperSecretService.CreateInternal requestBody: content: application/json: schema: $ref: >- #/components/schemas/c1.api.secrets.v1.PaperSecretServiceCreateInternalRequest responses: '200': content: application/json: schema: $ref: >- #/components/schemas/c1.api.secrets.v1.PaperSecretServiceCreateResponse description: Successful response x-codeSamples: - lang: go label: CreateInternal source: "package main\n\nimport(\n\t\"context\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/shared\"\n\tconductoronesdkgo \"github.com/conductorone/conductorone-sdk-go\"\n\t\"log\"\n)\n\nfunc main() {\n ctx := context.Background()\n\n s := conductoronesdkgo.New(\n conductoronesdkgo.WithSecurity(shared.Security{\n BearerAuth: \"\",\n Oauth: \"\",\n }),\n )\n\n res, err := s.PaperSecret.CreateInternal(ctx, nil)\n if err != nil {\n log.Fatal(err)\n }\n if res.PaperSecretServiceCreateResponse != nil {\n // handle response\n }\n}" - lang: typescript label: Typescript (SDK) source: >- import { ConductoroneSDKTypescript } from "conductorone-sdk-typescript"; const conductoroneSDKTypescript = new ConductoroneSDKTypescript({ security: { bearerAuth: "", oauth: "", }, }); async function run() { const result = await conductoroneSDKTypescript.paperSecret.createInternal(); console.log(result); } run(); components: schemas: c1.api.secrets.v1.PaperSecretServiceCreateInternalRequest: description: The PaperSecretServiceCreateInternalRequest message. properties: allowedUserIds: description: C1 User IDs allowed to view this secret (1 to 128). items: type: string nullable: true readOnly: false type: array contentType: description: >- For FILE secrets: MIME content type of the original file. Ignored for TEXT secrets. readOnly: false type: string displayName: description: >- Optional cleartext label visible to the creator in "My Secrets" view. Not encrypted — do not put sensitive data here. readOnly: false type: string expiresIn: format: duration readOnly: false type: string fileSize: description: >- For FILE secrets: expected file size in bytes (max 1GB). Ignored for TEXT secrets. format: int64 readOnly: false type: string filename: description: >- For FILE secrets: original filename (sanitized server-side). Ignored for TEXT secrets. readOnly: false type: string inputFormat: description: >- For TEXT secrets: hint about the plaintext format (e.g., JSON, YAML, key-value). Used by the viewer UI for syntax highlighting. Does not affect encryption. enum: - SECRET_INPUT_FORMAT_UNSPECIFIED - SECRET_INPUT_FORMAT_PLAINTEXT - SECRET_INPUT_FORMAT_JSON - SECRET_INPUT_FORMAT_YAML - SECRET_INPUT_FORMAT_KEY_VALUE readOnly: false type: string x-speakeasy-unknown-values: allow maxViews: description: Maximum number of views before the secret is burned (0 = unlimited). format: uint32 readOnly: false type: integer secretType: description: |- Secret type: TEXT or FILE. TEXT secrets use SetTextContent to upload encrypted content (max 64KB). FILE secrets use the upload_url from CreateResponse to upload encrypted content (max 1GB). enum: - SECRET_TYPE_UNSPECIFIED - SECRET_TYPE_TEXT - SECRET_TYPE_FILE readOnly: false type: string x-speakeasy-unknown-values: allow title: Paper Secret Service Create Internal Request type: object x-speakeasy-name-override: PaperSecretServiceCreateInternalRequest c1.api.secrets.v1.PaperSecretServiceCreateResponse: description: The PaperSecretServiceCreateResponse message. properties: ageRecipient: description: >- Age X25519 recipient public key (format: "age1...") for client-side encryption. All content MUST be encrypted to this recipient using the Age encryption format before calling SetTextContent or uploading to upload_url. See: https://age-encryption.org readOnly: false type: string secret: $ref: '#/components/schemas/c1.api.secrets.v1.PaperSecret' uploadUrl: description: >- For FILE secrets: capability URL for uploading the Age-encrypted file. Send an HTTP PUT request with the Age-encrypted file bytes as the body and Content-Type: application/octet-stream. The payload MUST begin with the Age header "age-encryption.org/v1\n". Maximum file size: 1GB. Empty for TEXT secrets. readOnly: false type: string vaultId: description: Vault ID - primary identifier for this secret. readOnly: false type: string title: Paper Secret Service Create Response type: object x-speakeasy-name-override: PaperSecretServiceCreateResponse c1.api.secrets.v1.PaperSecret: description: >- PaperSecret is the API view of a secret (combines Vault + PaperVault fields). The vault_id is the primary identifier (Vault.id). properties: allowedEmails: description: The allowedEmails field. items: type: string nullable: true readOnly: false type: array allowedUserIds: description: Access control items: type: string nullable: true readOnly: false type: array contentDeleted: description: The contentDeleted field. readOnly: false type: boolean contentExpiresAt: format: date-time readOnly: false type: string contentReady: description: Whether content has been set (text uploaded or file uploaded) readOnly: false type: boolean contentType: description: The contentType field. readOnly: false type: string createdAt: format: date-time readOnly: true type: string creatorUserId: description: Creator readOnly: false type: string currentViews: description: The currentViews field. format: uint32 readOnly: false type: integer deletedAt: format: date-time readOnly: true type: string displayName: description: From Vault readOnly: false type: string fileSize: description: File metadata format: int64 readOnly: false type: string filename: description: 'For FILE secrets: original filename (sanitized)' readOnly: false type: string inputFormat: description: The inputFormat field. enum: - SECRET_INPUT_FORMAT_UNSPECIFIED - SECRET_INPUT_FORMAT_PLAINTEXT - SECRET_INPUT_FORMAT_JSON - SECRET_INPUT_FORMAT_YAML - SECRET_INPUT_FORMAT_KEY_VALUE readOnly: false type: string x-speakeasy-unknown-values: allow maxViews: description: View tracking format: uint32 readOnly: false type: integer secretType: description: The secretType field. enum: - SECRET_TYPE_UNSPECIFIED - SECRET_TYPE_TEXT - SECRET_TYPE_FILE readOnly: false type: string x-speakeasy-unknown-values: allow shareCode: description: Human-friendly share code (XXXX-XXXX-XXXX) for shareable URLs readOnly: false type: string shareUrl: description: URL to share with recipients (populated when content_ready is true) readOnly: false type: string sharingMode: description: From PaperVault enum: - PAPER_VAULT_SHARING_MODE_UNSPECIFIED - PAPER_VAULT_SHARING_MODE_INTERNAL - PAPER_VAULT_SHARING_MODE_EXTERNAL readOnly: false type: string x-speakeasy-unknown-values: allow status: description: Computed status enum: - SECRET_STATUS_UNSPECIFIED - SECRET_STATUS_ACTIVE - SECRET_STATUS_EXPIRED - SECRET_STATUS_BURNED - SECRET_STATUS_REVOKED - SECRET_STATUS_DATA_DELETED readOnly: false type: string x-speakeasy-unknown-values: allow updatedAt: format: date-time readOnly: true type: string vaultId: description: Vault.id - primary identifier for the secret readOnly: false type: string title: Paper Secret type: object x-speakeasy-name-override: PaperSecret securitySchemes: bearerAuth: scheme: bearer type: http oauth: description: >- This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187) function. flows: clientCredentials: scopes: {} tokenUrl: /auth/v1/token type: oauth2 ````