Vaults
Vaults are containers that organize your files. Every file belongs to exactly one vault. This guide walks through every vault operation — creating, listing, updating, deleting, setting defaults, managing members, and organizing with folders.
Visibility
Vaults have a visibility that determines encryption and access control:
| | Public | Shared |
|---|---|---|
| Encryption | None — plaintext | SEAL protocol (on-chain IBE) |
| Who can access | Anyone with the URL | Owner + granted Sui addresses |
| Authentication | Files downloadable without auth | Requires API key + Sui key |
| Use case | Public assets, open data, static hosting | Team collaboration, multi-agent workflows, sensitive data |
Creating vaults
```bash
# Shared vault (default) — SEAL-encrypted, requires Sui key
opentusk vault create "Team Project"

# Public vault — unencrypted, no Sui key required
opentusk vault create "Public Assets" --public

# With a description
opentusk vault create "Research Data" --description "Q2 experiment results"
```

```js
// Shared vault — requires a linked Sui address on the account
const shared = await opentusk.vaults.create({
  name: 'Team Project',
  visibility: 'shared',
});

// Public vault
const pub = await opentusk.vaults.create({
  name: 'Public Assets',
  visibility: 'public',
  description: 'Static files for the website',
});
```

```bash
curl -X POST https://api.opentusk.ai/api/vaults \
  -H "Authorization: Bearer otk_your_key" \
  -H "Content-Type: application/json" \
  -d '{"name": "Team Project", "visibility": "shared"}'
```

When you create a shared vault, OpenTusk deploys an on-chain SEAL Whitelist on the Sui blockchain. Your Sui address is automatically added as the vault owner.
Listing vaults
```bash
# List all vaults you own
opentusk vault list

# JSON output for scripting
opentusk vault list --format json
```

```js
const vaults = await opentusk.vaults.list();

for (const v of vaults) {
  console.log(`${v.name} (${v.visibility}) — ${v.fileCount} files`);
}
```

Getting vault details
```bash
# By vault ID, slug, or name
opentusk vault info "Team Project"
opentusk vault info team-project
opentusk vault info <vault-id>
```

```js
const vault = await opentusk.vaults.get('<vault-id>');
console.log(vault.name, vault.visibility, vault.fileCount);
```

Updating vaults
You can change a vault’s name and description. Visibility cannot be changed.

```bash
# Rename
opentusk vault rename "Team Project" "Engineering"

# Update name and/or description
opentusk vault update "Team Project" --name "Engineering" --description "Core team files"
```

```js
const updated = await opentusk.vaults.update('<vault-id>', {
  name: 'Engineering',
  description: 'Core team files',
});
```

Deleting vaults
Deleted vaults go to trash with a 7-day grace period before permanent deletion.

```bash
# Delete an empty vault (prompts for confirmation)
opentusk vault delete "Old Project"

# Force delete — moves all files to trash first
opentusk vault delete "Old Project" --force

# Skip confirmation prompt
opentusk vault delete "Old Project" --force --yes
```

```js
// Delete an empty vault
await opentusk.vaults.delete('<vault-id>');

// Force — moves files to trash, then deletes vault
await opentusk.vaults.delete('<vault-id>', { force: true });
```

Default vault
When you upload a file without specifying a vault, OpenTusk uses your default vault. The setup wizard sets this automatically, or you can set it manually:

```bash
# Set by name, slug, or ID
opentusk vault set-default "Team Project"

# Now uploads go here by default
opentusk upload report.pdf
# equivalent to: opentusk upload report.pdf --vault "Team Project"
```

You can always override the default with --vault:

```bash
opentusk upload photo.jpg --vault "Public Assets"
```

Shared vault members
Shared vaults use Sui address-based access control. Only the vault owner can add or remove members. Members can be humans (with their wallet address) or AI agents (with their generated Sui address).
Adding members
```bash
# Add a member by Sui address
opentusk vault members add "Team Project" 0x5678...efgh

# Add an agent (find its address in Settings → API Keys, or from invite output)
opentusk vault members add "Team Project" 0xabcd...1234
```

The CLI signs the on-chain transaction with your Sui key to add the address to the SEAL Whitelist.

```js
const { member } = await opentusk.sharedVaults.addMember('<vault-id>', {
  suiAddress: '0x5678...efgh',
  txDigest: '<on-chain-tx-digest>', // proof of on-chain addition
});
```

Listing members
```bash
opentusk vault members list "Team Project"
```

Output shows each member’s Sui address, role (owner/member), granted date, and member ID.

```js
const { members } = await opentusk.sharedVaults.listMembers('<vault-id>');

for (const m of members) {
  console.log(`${m.suiAddress} — ${m.role} (since ${m.grantedAt})`);
}
```

Removing members
```bash
# Remove by member ID (shown in members list)
opentusk vault members remove "Team Project" <member-id>

# Skip confirmation
opentusk vault members remove "Team Project" <member-id> --yes
```

```js
await opentusk.sharedVaults.removeMember('<vault-id>', '<member-id>', {
  txDigest: '<on-chain-tx-digest>', // proof of on-chain removal
});
```

When a member is removed, their Sui address is removed from the on-chain Whitelist — they can no longer decrypt files in the vault.
Permission model
| Action | Owner | Member |
|---|---|---|
| Upload files | Yes | Yes |
| Download / view files | Yes | Yes (all files, not just their own) |
| Create / list / manage folders | Yes | Yes |
| List vault members | Yes | Yes |
| Add / remove members | Yes | No |
| Update / delete vault | Yes | No |
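
Because every member can download all files in a shared vault, the member list is the access boundary worth reviewing. The following is an added example, not OpenTusk's own code, that compares a member list against an approved set of Sui addresses; the `id` field name, the sample records and the approved list are assumptions constructed for illustration.

```javascript
// Added example: review a shared vault's members against an approved list.
// Record shape follows the listMembers() output shown on this page; the `id`
// field name for the member ID is an assumption. All sample data is constructed.

// Sui addresses are 32 bytes: normalise to lowercase "0x" + 64 hex digits so
// that differently cased or zero-trimmed spellings compare equal.
function normalizeSuiAddress(addr) {
  const hex = String(addr).trim().toLowerCase().replace(/^0x/, '');
  if (!/^[0-9a-f]{1,64}$/.test(hex)) return null; // truncated or malformed
  return '0x' + hex.padStart(64, '0');
}

function reviewMembers(members, approved) {
  const allow = new Set();
  const invalid = [];
  for (const a of approved) {
    const n = normalizeSuiAddress(a);
    if (n) allow.add(n); else invalid.push(a);
  }
  const seen = new Set();
  const unexpected = [];
  const owners = [];
  for (const m of members) {
    const n = normalizeSuiAddress(m.suiAddress);
    if (!n) { invalid.push(m.suiAddress); continue; }
    seen.add(n);
    if (m.role === 'owner') owners.push(n);
    // Any member can download every file, so an unapproved address is a finding.
    if (!allow.has(n)) unexpected.push({ id: m.id, suiAddress: n, grantedAt: m.grantedAt });
  }
  const missing = [...allow].filter((a) => !seen.has(a));
  return { unexpected, missing, owners, invalid };
}

// Constructed sample: in practice `members` comes from
// opentusk.sharedVaults.listMembers('<vault-id>').
const A = '0x' + 'a1'.repeat(32), B = '0x' + 'b2'.repeat(32);
const C = '0x' + 'c3'.repeat(32), D = '0x' + 'd4'.repeat(32);
const SAMPLE_MEMBERS = [
  { id: 'm-1', suiAddress: A, role: 'owner', grantedAt: '2025-01-10T09:00:00Z' },
  { id: 'm-2', suiAddress: '0x' + 'B2'.repeat(32), role: 'member', grantedAt: '2025-02-01T12:00:00Z' },
  { id: 'm-3', suiAddress: C, role: 'member', grantedAt: '2025-03-15T08:30:00Z' },
];
// The last entry is a truncated display form and is reported as invalid.
const APPROVED = [A, B, D, '0x5678...efgh'];

console.log(reviewMembers(SAMPLE_MEMBERS, APPROVED));
```

Entries in `unexpected` carry the member ID that `opentusk vault members remove` expects.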
Shared vaults you’re a member of
To list vaults that other users have granted you access to (not vaults you own):

```bash
opentusk vault shared
```

```js
const { vaults } = await opentusk.sharedVaults.list();

for (const entry of vaults) {
  console.log(`${entry.vault.name} — ${entry.role} (since ${entry.grantedAt})`);
}
```

Linking your Sui address
Before creating or joining shared vaults, you need a Sui address linked to your account. The opentusk setup wizard handles this automatically, or do it manually:

```bash
# Link an address
opentusk account link-sui 0x1234...abcd

# Unlink
opentusk account unlink-sui

# Check current address
opentusk account show-sui
```

```js
// Link
await opentusk.sharedVaults.linkSuiAddress('0x1234...abcd');

// Unlink
await opentusk.sharedVaults.unlinkSuiAddress();
```

Folders
Vaults support nested folder hierarchies to organize files.
Creating folders
```bash
# Create a top-level folder
opentusk folder create "Documents" --vault "Team Project"

# Create a nested folder
opentusk folder create "Invoices" --vault "Team Project" --parent <parent-folder-id>
```

```js
// Top-level folder
const docs = await opentusk.folders.create({
  vaultId: '<vault-id>',
  name: 'Documents',
});

// Nested folder
const invoices = await opentusk.folders.create({
  vaultId: '<vault-id>',
  parentId: docs.id,
  name: 'Invoices',
});
```

Listing and browsing folders
```bash
# List top-level folders in a vault
opentusk folder list --vault "Team Project"

# List children of a specific folder
opentusk folder list --vault "Team Project" --parent <folder-id>

# View folder contents (files + subfolders)
opentusk folder contents <folder-id>

# View folder details
opentusk folder info <folder-id>
```

```js
// List top-level folders
const folders = await opentusk.folders.list({ vaultId: '<vault-id>' });

// List children of a folder
const children = await opentusk.folders.list({
  vaultId: '<vault-id>',
  parentId: '<folder-id>',
});

// Get folder contents (files + subfolders in one call)
const contents = await opentusk.folders.getContents('<folder-id>');
console.log(contents.folders); // subfolder list
console.log(contents.files); // file list
```

Renaming and deleting folders
```bash
# Rename
opentusk folder rename <folder-id> "New Name"

# Delete (folder must be empty)
opentusk folder delete <folder-id>
opentusk folder delete <folder-id> --yes # skip confirmation
```

```js
// Rename
await opentusk.folders.update('<folder-id>', { name: 'New Name' });

// Delete (must be empty)
await opentusk.folders.delete('<folder-id>');
```

Uploading to folders
```bash
opentusk upload invoice.pdf --vault "Team Project" --folder <folder-id>
```

```js
import { readFile } from 'node:fs/promises';

const file = await opentusk.files.upload({
  name: 'invoice.pdf',
  mimeType: 'application/pdf',
  vaultId: '<vault-id>',
  folderId: '<folder-id>',
  data: await readFile('./invoice.pdf'),
});
```

Vault lifecycle summary
```
Create vault → Upload files → Organize with folders
                    │
              Shared vaults:
              ├── Add members by Sui address
              ├── Members upload/download with SEAL encryption
              └── Remove members to revoke access
                    │
Delete vault → Trash (7-day grace) → Permanent delete
```