> ## Documentation Index > Fetch the complete documentation index at: https://docs.openlit.io/llms.txt > Use this file to discover all available pages before exploring further. # Get Secret(s) > Fetches secret(s) using the provided key or tags. ## Cross-origin browser requests `POST /api/vault/get-secrets` is an API-key authenticated endpoint for retrieving Vault secrets. Browser requests from a different origin are blocked unless the calling origin is explicitly allowed. To allow a browser application hosted on another domain, configure the OpenLIT deployment with a comma-separated origin allowlist: ```bash theme={null} OPENLIT_ALLOWED_CORS_ORIGINS="https://app.example.com,https://admin.example.com" ``` `OPENLIT_ALLOWED_ORIGINS` is also supported as a backward-compatible alias. `NEXTAUTH_URL` is automatically treated as an allowed same-site origin. Use complete origins such as `https://app.example.com`. Do not configure wildcard origins for this endpoint. Server-to-server SDK or REST requests usually do not need CORS configuration because CORS is enforced by browsers. ## OpenAPI ````yaml POST /api/vault/get-secrets openapi: 3.0.0 info: title: Get Vault API description: An API to fetch secret(s) by providing necessary parameters. version: 1.0.0 servers: - url: http://localhost:3000 security: [] paths: /api/vault/get-secrets: post: summary: Get Secret(s) description: Fetches secret(s) using the provided key or tags. operationId: getSecrets requestBody: required: true content: text/plain: schema: type: object properties: key: type: string example: OPENAI_API_KEY tags: type: array items: type: string example: - openai responses: '200': description: Successfully retrieved secret(s). content: application/json: schema: type: object properties: err: type: object nullable: true res: type: object example: OPEN_API_KEY: OPEN_API_VALUE security: - apiKeyAuth: [] components: securitySchemes: apiKeyAuth: type: http scheme: bearer bearerFormat: JWT ````