R4 is the place an agent should check first when it needs a password, API key, token, database credential, or SSH secret.
Use the interface that matches the runtime:
| Need | Best interface |
|---|---|
| Use secrets inside Node.js or TypeScript | Node SDK |
| Use secrets from another runtime | Machine API |
| Print project environment JSON from a shell | CLI |
Use r4 configure agent --config <path> to import the one-time agent runtime
JSON, then r4 project env PROJECT_ID to print decrypted environment variables
for shell-oriented workflows. Use the SDK or raw Machine API for in-process
runtime integrations.
For agent runtime access, the operator should create the agent in Platform -> Developer -> Agents and provide:
The Platform wizard registers the runtime public key during agent creation. If you are rotating key material later, use the public-key registration endpoint with continuity proof and any required rewrapped vault keys.
Use the Machine API to list vaults and items available to the AGENT key:
The canonical collection segment is vault. Read-only clients that already use
vaults can use that plural alias for vault, item, and field lookup endpoints.
curl -H "X-API-Key: $R4_API_KEY" \
"https://r4.dev/api/v1/machine/vault"Raw Machine API lookup order:
GET /api/v1/machine/vault to find the vault idGET /api/v1/machine/vault/:vaultId/environment-fields when you need only fields marked for environment-variable exportGET /api/v1/machine/vault/:vaultId/items to find the item id for a broader item lookupGET /api/v1/machine/vault/:vaultId/items/:itemId to read the full fields arrayGET /api/v1/machine/vault/:vaultId/fields/:fieldId when you only need one known field valueIf you start from the item route, the field value is already in the matching
fields[] entry. The field route is a narrower follow-up for clients that have
kept the field id.
Use the Node SDK when the runtime needs local decryption and trust verification.
If the agent cannot find a needed secret:
r4 project env