

Microsoft Azure SDK for Node.js - Key Vault

This project provides a Node.js package for accessing keys, secrets and certificates on Azure Key Vault. Right now it supports:

  • Node.js version: 6.x.x or higher
  • REST API version: 2016-10-01


  • Manage keys: create, import, update, delete, backup, restore, list and get.
  • Key operations: sign, verify, encrypt, decrypt, wrap, unwrap.
  • Secret operations: set, get, update and list.
  • Certificate operations: create, get, update, import, list, and manage contacts and issuers.

How to Install

npm install azure-keyvault

Detailed Sample

A sample that can be cloned and run can be found here.

How to Use

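The following are some examples of how to create and consume secrets, certificates and keys. The snippets are excerpts: names such as `options`, `encryptionContent`, `digest` and `intervalTime` are not defined on this page. For the complete sample please visit this sample.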


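var KeyVault = require('azure-keyvault');
var AuthenticationContext = require('adal-node').AuthenticationContext;

// Service principal credentials and the vault to talk to.
// NOTE(review): clientSecret is a long-lived credential. Supply these values from
// configuration kept outside source control rather than editing literals into this file.
var clientId = "<to-be-filled>";
var clientSecret = "<to-be-filled>";
var vaultUri = "<to-be-filled>";

/**
 * Authenticator - retrieves the access token for an authentication challenge.
 *
 * @param {object} challenge - Supplies `authorization` (passed to AuthenticationContext)
 *   and `resource` (the resource the token is requested for).
 * @param {function} callback - Called as callback(err) on failure, or
 *   callback(null, authorizationValue) with the Authorization header value.
 * @returns {*} Whatever acquireTokenWithClientCredentials returns.
 */
var authenticator = function (challenge, callback) {
  // NOTE(review): the authority and resource are used exactly as the challenge gives them,
  // and the client secret is presented to that authority. Presumably the challenge comes
  // from the vault at vaultUri, so that URI must name a vault you trust - confirm.
  var context = new AuthenticationContext(challenge.authorization);
  // Use the context to acquire an authentication token.
  return context.acquireTokenWithClientCredentials(challenge.resource, clientId, clientSecret, function (err, tokenResponse) {
    // Report the failure through the callback. Throwing from this asynchronous callback
    // would surface as an uncaught exception instead of reaching the caller.
    if (err) return callback(err);
    // Calculate the value to be set in the request's Authorization header and resume the call.
    var authorizationValue = tokenResponse.tokenType + ' ' + tokenResponse.accessToken;
    return callback(null, authorizationValue);
  });
};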

Create the KeyVaultClient

// Wrap the authenticator callback in a credentials object for the client.
var credentials = new KeyVault.KeyVaultCredentials(authenticator);
// The client used by every call in the examples that follow.
var client = new KeyVault.KeyVaultClient(credentials);

Create a key and use it

// Create an RSA key named 'mykey' in the vault, then retrieve it and use it.
// NOTE(review): this listing stops before the callbacks are closed, and `options`,
// `encryptionContent` and `digest` are not defined in the lines shown.
client.createKey(vaultUri, 'mykey', 'RSA', options, function(err, keyBundle) {
  // NOTE(review): `err` is not checked in the lines shown before keyBundle.key.kid is read;
  // check each callback's error argument before using its result.
  // Retrieve the key by its identifier (kid)
  client.getKey(keyBundle.key.kid, function(getErr, getKeyBundle) {    
    // Encrypt a plain text with the 'RSA-OAEP' algorithm under the new key
    client.encrypt(keyBundle.key.kid, 'RSA-OAEP', encryptionContent, function (encryptErr, cipherText) {  
    // Sign a digest value with the 'RS256' algorithm
    client.sign(keyBundle.key.kid, 'RS256', digest, function (signErr, signature) {  

Create a secret and list all secrets

// Store a secret named 'mysecret', then list the secrets in the vault.
// NOTE(review): this listing stops before the callbacks are closed. The literal
// 'my password' is a sample value; `options` is not defined in the lines shown.
client.setSecret(vaultUri, 'mysecret', 'my password', options, function (err, secretBundle) {
  // List all secrets
  // NOTE(review): the argument of parseSecretIdentifier and the second argument of
  // getSecrets are missing from this listing (`(;` and `,,`); presumably they were
  // derived from secretBundle - confirm against the package README.
  var parsedId = KeyVault.parseSecretIdentifier(;
  client.getSecrets(parsedId.vault,, function (err, result) {
    if (err) throw err;
    // Follow nextLink to fetch further pages for as long as one is returned.
    var loop = function (nextLink) {
      if (nextLink !== null && nextLink !== undefined) {
        client.getSecretsNext(nextLink, function (err, res) {

Create a certificate and delete it

// Create a certificate named 'mycertificate', poll until it is created, then delete it.
// NOTE(review): this listing is incomplete: several callbacks are not closed, `options`
// and `intervalTime` are not defined here, and no clearInterval is visible in the lines shown.
client.createCertificate(vaultUri, 'mycertificate', options, function (err, certificateOperation) {
  // Poll the certificate status until it is created
  var interval = setInterval(function getCertStatus() {
    // NOTE(review): the argument of parseCertificateOperationIdentifier and the second
    // argument of getCertificateOperation are missing from this listing (`(;` and `,,`);
    // presumably they were derived from certificateOperation - confirm against the package README.
    var parsedId = KeyVault.parseCertificateOperationIdentifier(;
    client.getCertificateOperation(parsedId.vault,, function (err, pendingCertificate) {
      // Case-insensitive comparison of the operation status with 'completed'.
      // NOTE(review): `err` is not checked in the lines shown before pendingCertificate.status is read.
      if (pendingCertificate.status.toUpperCase() === 'completed'.toUpperCase()) {
        // NOTE(review): the parseCertificateIdentifier argument and the second
        // deleteCertificate argument are likewise missing from this listing.
        var parsedCertId = KeyVault.parseCertificateIdentifier(;
        // Delete the created certificate
        client.deleteCertificate(parsedCertId.vault,, function (delErr, deleteResp) {          
  }, intervalTime);

Related projects