> ## Documentation Index > Fetch the complete documentation index at: https://conductorone-docs-mcp-bridge-private-server.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Create External > CreateExternal creates a secret vault for external email recipients. ## OpenAPI ````yaml https://spec.speakeasy.com/conductor-one/conductorone/my-source-with-code-samples post /api/v1/secrets/external openapi: 3.1.0 info: description: The C1 API is a HTTP API for managing C1 resources. title: C1 API version: 0.1.0-alpha servers: - description: The C1 API server for the current tenant. url: https://{tenantDomain}.conductor.one variables: tenantDomain: default: example description: The domain of the tenant to use for this request. security: - bearerAuth: [] oauth: [] paths: /api/v1/secrets/external: post: tags: - Secrets summary: Create External description: CreateExternal creates a secret vault for external email recipients. operationId: c1.api.secrets.v1.PaperSecretService.CreateExternal requestBody: content: application/json: schema: $ref: >- #/components/schemas/c1.api.secrets.v1.PaperSecretServiceCreateExternalRequest responses: '200': content: application/json: schema: $ref: >- #/components/schemas/c1.api.secrets.v1.PaperSecretServiceCreateResponse description: Successful response x-codeSamples: - lang: go label: CreateExternal source: "package main\n\nimport(\n\t\"context\"\n\t\"github.com/conductorone/conductorone-sdk-go/pkg/models/shared\"\n\tconductoronesdkgo \"github.com/conductorone/conductorone-sdk-go\"\n\t\"log\"\n)\n\nfunc main() {\n ctx := context.Background()\n\n s := conductoronesdkgo.New(\n conductoronesdkgo.WithSecurity(shared.Security{\n BearerAuth: \"\",\n Oauth: \"\",\n }),\n )\n\n res, err := s.PaperSecret.CreateExternal(ctx, nil)\n if err != nil {\n log.Fatal(err)\n }\n if res.PaperSecretServiceCreateResponse != nil {\n // handle response\n }\n}" - lang: typescript label: Typescript (SDK) source: >- import { ConductoroneSDKTypescript } from "conductorone-sdk-typescript"; const conductoroneSDKTypescript = new ConductoroneSDKTypescript({ security: { bearerAuth: "", oauth: "", }, }); async function run() { const result = await conductoroneSDKTypescript.paperSecret.createExternal(); console.log(result); } run(); components: schemas: c1.api.secrets.v1.PaperSecretServiceCreateExternalRequest: description: The PaperSecretServiceCreateExternalRequest message. properties: allowedEmails: description: |- External email addresses allowed to view this secret (1 to 64). Recipients authenticate via email magic link or Google OAuth. items: type: string type: - array - 'null' contentType: description: >- For FILE secrets: MIME content type of the original file. Ignored for TEXT secrets. type: - string - 'null' displayName: description: >- Optional cleartext label visible to the creator in "My Secrets" view. Not encrypted — do not put sensitive data here. type: - string - 'null' expiresIn: format: duration type: - string - 'null' fileSize: description: >- For FILE secrets: expected file size in bytes (max 1GB). Ignored for TEXT secrets. format: int64 type: - string - 'null' filename: description: >- For FILE secrets: original filename (sanitized server-side). Ignored for TEXT secrets. type: - string - 'null' inputFormat: description: >- For TEXT secrets: hint about the plaintext format (e.g., JSON, YAML, key-value). Used by the viewer UI for syntax highlighting. Does not affect encryption. enum: - SECRET_INPUT_FORMAT_UNSPECIFIED - SECRET_INPUT_FORMAT_PLAINTEXT - SECRET_INPUT_FORMAT_JSON - SECRET_INPUT_FORMAT_YAML - SECRET_INPUT_FORMAT_KEY_VALUE type: - string - 'null' x-speakeasy-unknown-values: allow maxViews: description: Maximum number of views before the secret is burned (0 = unlimited). format: uint32 type: - integer - 'null' secretType: description: |- Secret type: TEXT or FILE. TEXT secrets use SetTextContent to upload encrypted content (max 64KB). FILE secrets use the upload_url from CreateResponse to upload encrypted content (max 1GB). enum: - SECRET_TYPE_UNSPECIFIED - SECRET_TYPE_TEXT - SECRET_TYPE_FILE type: - string - 'null' x-speakeasy-unknown-values: allow title: Paper Secret Service Create External Request type: object x-speakeasy-name-override: PaperSecretServiceCreateExternalRequest c1.api.secrets.v1.PaperSecretServiceCreateResponse: description: The PaperSecretServiceCreateResponse message. properties: ageRecipient: description: >- Age X25519 recipient public key (format: "age1...") for client-side encryption. All content MUST be encrypted to this recipient using the Age encryption format before calling SetTextContent or uploading to upload_url. See: https://age-encryption.org type: - string - 'null' secret: oneOf: - $ref: '#/components/schemas/c1.api.secrets.v1.PaperSecret' - type: 'null' uploadUrl: description: >- For FILE secrets: capability URL for uploading the Age-encrypted file. Send an HTTP PUT request with the Age-encrypted file bytes as the body and Content-Type: application/octet-stream. The payload MUST begin with the Age header "age-encryption.org/v1\n". Maximum file size: 1GB. Empty for TEXT secrets. type: - string - 'null' vaultId: description: Vault ID - primary identifier for this secret. type: - string - 'null' title: Paper Secret Service Create Response type: object x-speakeasy-name-override: PaperSecretServiceCreateResponse c1.api.secrets.v1.PaperSecret: description: >- PaperSecret is the API view of a secret (combines Vault + PaperVault fields). The vault_id is the primary identifier (Vault.id). properties: allowedEmails: description: The allowedEmails field. items: type: string type: - array - 'null' allowedUserIds: description: Access control items: type: string type: - array - 'null' contentDeleted: description: The contentDeleted field. type: - boolean - 'null' contentExpiresAt: format: date-time type: - string - 'null' contentReady: description: Whether content has been set (text uploaded or file uploaded) type: - boolean - 'null' contentType: description: The contentType field. type: - string - 'null' createdAt: format: date-time readOnly: true type: - string - 'null' creatorUserId: description: Creator type: - string - 'null' currentViews: description: The currentViews field. format: uint32 type: - integer - 'null' deletedAt: format: date-time readOnly: true type: - string - 'null' displayName: description: From Vault type: - string - 'null' fileSize: description: File metadata format: int64 type: - string - 'null' filename: description: 'For FILE secrets: original filename (sanitized)' type: - string - 'null' inputFormat: description: The inputFormat field. enum: - SECRET_INPUT_FORMAT_UNSPECIFIED - SECRET_INPUT_FORMAT_PLAINTEXT - SECRET_INPUT_FORMAT_JSON - SECRET_INPUT_FORMAT_YAML - SECRET_INPUT_FORMAT_KEY_VALUE type: - string - 'null' x-speakeasy-unknown-values: allow maxViews: description: View tracking format: uint32 type: - integer - 'null' secretType: description: The secretType field. enum: - SECRET_TYPE_UNSPECIFIED - SECRET_TYPE_TEXT - SECRET_TYPE_FILE type: - string - 'null' x-speakeasy-unknown-values: allow shareCode: description: Human-friendly share code (XXXX-XXXX-XXXX) for shareable URLs type: - string - 'null' shareUrl: description: URL to share with recipients (populated when content_ready is true) type: - string - 'null' sharingMode: description: From PaperVault enum: - PAPER_VAULT_SHARING_MODE_UNSPECIFIED - PAPER_VAULT_SHARING_MODE_INTERNAL - PAPER_VAULT_SHARING_MODE_EXTERNAL type: - string - 'null' x-speakeasy-unknown-values: allow status: description: Computed status enum: - SECRET_STATUS_UNSPECIFIED - SECRET_STATUS_ACTIVE - SECRET_STATUS_EXPIRED - SECRET_STATUS_BURNED - SECRET_STATUS_REVOKED - SECRET_STATUS_DATA_DELETED type: - string - 'null' x-speakeasy-unknown-values: allow updatedAt: format: date-time readOnly: true type: - string - 'null' vaultId: description: Vault.id - primary identifier for the secret type: - string - 'null' title: Paper Secret type: object x-speakeasy-name-override: PaperSecret securitySchemes: bearerAuth: scheme: bearer type: http oauth: description: >- This API uses OAuth2 with the Client Credential flow. Client Credentials must be sent in the BODY, not the headers. For an example of how to implement this, refer to the [c1TokenSource.Token()](https://github.com/ConductorOne/conductorone-sdk-go/blob/3375fe7c0126d17e7ec4e711693dee7b791023aa/token_source.go#L101-L187) function. flows: clientCredentials: scopes: {} tokenUrl: /auth/v1/token type: oauth2 ````