Python sdk support for WorkOS Vault

[debussyman]

Description

This PR adds complete Vault functionality to the WorkOS Python SDK, including key-value operations, object versioning, data key management, and local encryption/decryption capabilities.

Features Added

• ✅ Key-Value Operations: Create, read, update, delete vault objects
• ✅ Object Versioning: List and manage object version history
• ✅ Data Key Management: Generate and decrypt data keys for local encryption
• ✅ Local Encryption: AES-GCM encryption with WorkOS-managed keys
• ✅ Context-based Keys: Flexible key derivation using user-defined contexts
• ✅ Type Safety: Full Pydantic model integration with strict typing

Implementation Details

Core Components

• VaultModule Protocol: Complete interface definition with comprehensive docstrings
• Vault Class: Full implementation of all protocol methods with proper error handling
• Type Models: Pydantic models for VaultObject, DataKey, KeyContext, etc.
• CryptoProvider: Secure AES-GCM encryption operations using cryptography library
• Test Suite: 28 comprehensive tests covering all functionality

API Coverage

• POST /vault/v1/kv - Create vault objects
• GET /vault/v1/kv - List vault objects (with pagination)
• GET /vault/v1/kv/{id} - Read vault object
• PUT /vault/v1/kv/{id} - Update vault object
• DELETE /vault/v1/kv/{id} - Delete vault object
• GET /vault/v1/kv/{id}/versions - List object versions
• POST /vault/v1/keys/data-key - Generate data keys
• POST /vault/v1/keys/decrypt - Decrypt data keys

Security Features

• Envelope Encryption: Each encryption operation uses a unique data key
• AES-GCM: Authenticated encryption with associated data support
• Key Context: Flexible key derivation based on user-defined contexts
• Forward Secrecy: New data key generated for each encryption operation

Test Plan

All tests pass (28/28):

• ✅ Object CRUD operations with proper validation
• ✅ Pagination support and edge cases
• ✅ Version management functionality
• ✅ Data key generation and decryption
• ✅ End-to-end encryption/decryption workflows
• ✅ Error handling and input validation
• ✅ Type safety and model validation

Breaking Changes

None - this is a new feature addition that doesn't affect existing functionality.

Dependencies

• Added cryptography library for AES-GCM encryption (already in requirements.txt)
• All other dependencies are existing

🤖 Generated with Claude Code

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[ ] Yes

If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.

[linear]

EKM-50 Python SDK support

[greptile-apps]

PR Summary

Comprehensive implementation of the WorkOS Vault feature in the Python SDK, providing secure key-value storage with encryption capabilities and object versioning.

• New workos/vault.py implements complete Vault functionality with AES-GCM encryption, proper key management, and comprehensive type safety
• Added workos/utils/crypto_provider.py for secure encryption operations using envelope encryption pattern and authenticated encryption
• Introduced well-structured type definitions in workos/types/vault/ for VaultObject, DataKey, and KeyContext with Pydantic validation
• Comprehensive test suite in tests/test_vault.py covering 28 test cases for CRUD, versioning, and cryptographic operations
• Modified workos/types/list_resource.py to support Vault object pagination with proper type checking

_{8 files reviewed, 3 comments
Edit PR Review Bot Settings | Greptile}

[greptile-apps]

style: Use explicit imports instead of wildcard imports (*) to make imported symbols clear and prevent namespace pollution. Example: from .key import Key, DataKey

[dandorman]

seems good!