This write path no longer requires item detail or vault summary checkpoints.
The target vault is provided as vaultId.
When the source and target vaults use different DEKs, send reEncryptedFieldValues so stored field values can be rewritten under the target vault's encryption context.
The moved item's name, field labels, and websites remain metadata, so they are not end-to-end encrypted.
Headers
Header
Type
Required
Description
X-API-Key
string
Yes
Your machine API key
Content-Type
string
Yes
Must be application/json
Path Parameters
Parameter
Type
Required
Description
id
string
Yes
The unique identifier of the vault item to move
Request Body
Field
Type
Required
Description
vaultId
string
Yes
Target vault ID
reEncryptedFieldValues
array
No
Field values re-encrypted for the target vault DEK
Re-Encrypted Field Value Object
Field
Type
Required
Description
fieldInstanceId
string
Yes
Field-instance ID being rewritten for the move
value
string
Yes
Client-encrypted value for the target vault DEK
Response
Success (200 OK)
No response body is returned on success.
Notes
This endpoint requires machine.vault.write plus ADMIN access to the target vault item.