---
reference:
  curl:
    - key: create_data_key
      id: create_data_key
      url: /reference/vault/key/create-data-key
      title: /vault/v1/keys/data-key
      type: POST
      parameters:
        - key: context
          type: object
          description: (object_metadata.context)
      returns:
        - key: anonymous
          type: object
          unwrap: true
          properties:
            - key: id
              type: string
              description: (data_key.id)
            - key: data_key
              type: string
              description: (data_key.key)
            - key: encrypted_keys
              type: string
              description: (data_key.encrypted_keys)
            - key: context
              type: object
              description: (object_metadata.context)
  js:
    - key: createDataKey
      id: create_data_key
      url: /reference/vault/key/create-data-key
      title: vault.createDataKey()
      parameters:
        - key: options
          type: object
          unwrap: true
          properties:
            - key: context
              type: object
              description: (object_metadata.context)
      returns:
        - key: anonymous
          type: object
          unwrap: true
          properties:
            - key: dataKey
              type: object
              properties:
                - key: id
                  type: string
                  description: (data_key.id)
                - key: key
                  type: string
                  description: (data_key.key)
            - key: encryptedKeys
              type: string
              description: (data_key.encrypted_keys)
            - key: context
              type: object
              description: (object_metadata.context)
  go:
    - key: CreateDataKey
      id: create_data_key
      title: vault.CreateDataKey()
      parameters:
        - (ctx)
        - key: opts
          type: vault.CreateDataKeyOpts
          expanded: true
          properties:
            - key: KeyContext
              type: vault.KeyContext
              description: (object_metadata.context)
      returns:
        - key: response
          type: vault.DataKeyPair
          unwrap: true
          properties:
            - key: Id
              type: string
              description: (data_key.id)
            - key: DataKey
              type: string
              description: (data_key.key)
            - key: EncryptedKeys
              type: string
              description: (data_key.encrypted_keys)
            - key: KeyContext
              type: vault.KeyContext
              description: (object_metadata.context)
  python:
    - key: create_data_key
      id: create_data_key
      title: vault.create_data_key()
      parameters:
        - key: key_context
          type: vault.KeyContext
          description: (object_metadata.context)
      returns:
        - key: data_key_pair
          type: vault.DataKeyPair
          unwrap: true
          properties:
            - key: data_key
              type: vault.DataKey
              unwrap: true
              properties:
                - key: id
                  type: str
                  description: (data_key.id)
                - key: key
                  type: str
                  description: (data_key.key)
            - key: encrypted_keys
              type: str
              description: (data_key.encrypted_keys)
            - key: context
              type: vault.KeyContext
              description: (object_metadata.context)
originalPath: >-
  .tmp-workos-clone/packages/docs/content/reference/vault/key/create-data-key.mdx
---

## Create a data key

Generate a data key for local encryption based on the provided key context.

The encrypted data key **MUST** be stored by the application, as it cannot be retrieved after generation.

<CodeBlock referenceId="create_data_key">
  <CodeBlockTab title="Request" file="create-data-key-request" />
  <CodeBlockTab title="Response" file="create-data-key-response" />
</CodeBlock>