DROP VAULT / DROP CREDENTIAL

Removes a vault entry and wipes its backend-stored material. VAULT and CREDENTIAL are keyword aliases.

Category: configuration | Privilege: admin | DeltaForge extension

Syntax

DROP { VAULT | CREDENTIAL } [IF EXISTS] <name>

Description

## Overview

DROP VAULT (aliased as DROP CREDENTIAL) deletes the vault_entries row and best-effort-deletes the secret material from the backing credential store. VAULT and CREDENTIAL are true aliases: an entry created with CREATE VAULT can be dropped with DROP CREDENTIAL and vice versa because the operation matches by display_name, not by the keyword used at creation time.

## Behavior

- The HTTP adapter resolves the name to an entry id via GET /vault/entries, then calls DELETE /vault/entries/{id}. With IF EXISTS, a 404 returns false (no-op); without IF EXISTS, a 404 raises an error.
- For locally-stored entries, the Control Plane deletes the profile vault::<entry_id> from the backing credential store as part of the request. Material is overwritten and not recoverable.
- For linked-external entries (created via LINKED EXTERNAL SECRET), the DeltaForge row is deleted but the external secret is left in place. The target cloud backend retains the secret according to its own lifecycle policy.
- If any CONNECTION entries reference this vault entry via credential_id, those connections are not automatically updated. Their credential_id continues to point at the now-deleted row; test_connection and subsequent uses will fail until the connection is altered to reference a different credential.
- The default OS Keychain backend's seeded entries (if any) cannot be dropped through this path.

## Access Control

Requires the admin role. The Control Plane enforces vault:write on DELETE /vault/entries/{id}.

## Compatibility

DeltaForge extension. No standard SQL equivalent.

Parameters

| Name | Type | Description |
|---|---|---|
| name | | Specifies the display_name of the vault entry to remove. |
| if_exists | | When true, a missing entry is a clean no-op. Without IF EXISTS, a missing entry raises an error. |

Examples

-- Drop an encryption key no longer in use
DROP VAULT obsolete_pii_key;
-- Drop a credential (CREDENTIAL keyword works identically)
DROP CREDENTIAL old_api_token;
-- Either keyword removes an entry regardless of which was used at CREATE
DROP CREDENTIAL entry_created_as_vault;
DROP VAULT entry_created_as_credential;
-- Idempotent cleanup
DROP VAULT IF EXISTS maybe_exists;
DROP CREDENTIAL IF EXISTS maybe_exists_either;
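
The Behavior rules above can be checked before a drop is issued. The following is an added example, not DeltaForge code: a small in-memory model that reports which connections would be left pointing at a deleted row and whether an external secret would remain. The names `drop_plan`, `resolve`, `NotFound`, the `linked_external` field and the record layout are assumptions, and the sample data is constructed.

```python
class NotFound(Exception):
    """Stands in for the 404 the Control Plane returns for a missing entry."""

# Constructed sample state; the record layout is an assumption.
VAULT_ENTRIES = [
    {"id": "e1", "display_name": "old_api_token", "linked_external": False},
    {"id": "e2", "display_name": "cloud_db_secret", "linked_external": True},
]
CONNECTIONS = [
    {"name": "billing_api", "credential_id": "e1"},
    {"name": "warehouse", "credential_id": "e2"},
    {"name": "reports", "credential_id": "e1"},
]

def resolve(entries, name):
    """Name -> entry lookup on display_name only, so the VAULT/CREDENTIAL
    keyword used at creation time plays no part in the match."""
    for entry in entries:
        if entry["display_name"] == name:
            return entry
    raise NotFound(name)

def drop_plan(entries, connections, name, if_exists=False):
    """Describe what dropping `name` would do, without deleting anything."""
    try:
        entry = resolve(entries, name)
    except NotFound:
        if if_exists:
            return None   # IF EXISTS: a missing entry is a clean no-op
        raise             # without IF EXISTS: a missing entry is an error
    # Connections are not updated by the drop; these would fail afterwards.
    dangling = sorted(c["name"] for c in connections
                      if c["credential_id"] == entry["id"])
    return {
        "entry_id": entry["id"],
        "local_material_wiped": not entry["linked_external"],
        "external_secret_left_in_place": entry["linked_external"],
        "connections_left_dangling": dangling,
    }

if __name__ == "__main__":
    for name in ("old_api_token", "cloud_db_secret"):
        print(name, drop_plan(VAULT_ENTRIES, CONNECTIONS, name))
```

A non-empty `connections_left_dangling` list means those connections should be altered to another credential first, and `external_secret_left_in_place` means the secret still has to be revoked in the cloud backend.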

Pitfalls

See Also
