From bb31a2b33fecb4c88d443fc4225d96daecc033b2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 21 Mar 2026 23:17:18 +0000
Subject: [PATCH 1/2] Initial plan
From c8d9a5e0f6f40b569ae8be2e614d4a0fe125ad6b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 21 Mar 2026 23:20:45 +0000
Subject: [PATCH 2/2] Add unseal example and README documentation for already-initialized vaults
Co-authored-by: aviadhahami <7353632+aviadhahami@users.noreply.github.com>
Agent-Logs-Url: https://github.com/nodevault/node-vault/sessions/fc2e7a84-0c5f-4e07-b46c-977deb96edac
---
 README.md | 38 ++++++++++++++++++++++++++++++++++++++
 example/unseal.js | 16 ++++++++++++++++
 package-lock.json | 4 ++--
 3 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 example/unseal.js
diff --git a/README.md b/README.md
index f4fc526..6ffdb58 100644
--- a/README.md
+++ b/README.md
@@ -86,6 +86,44 @@ vault.init({ secret_shares: 1, secret_threshold: 1 })
 .catch(console.error);
 ```
 
+### Unseal a vault that is already initialized
+
+If the vault server has been restarted or sealed, you can unseal it using
+the unseal keys from the original initialization. If the vault was initialized
+with `secret_threshold > 1`, you must call `unseal` multiple times with
+different keys until the threshold is met.
+
+```javascript
+const vault = require('node-vault')({
+ apiVersion: 'v1',
+ endpoint: 'http://127.0.0.1:8200',
+});
+
+// unseal vault server with a single key
+vault.unseal({ key: 'my-unseal-key' })
+ .then(console.log)
+ .catch(console.error);
+```
+
+When the vault requires multiple unseal keys (threshold > 1):
+
+```javascript
+vault.unseal({ key: 'first-unseal-key' })
+ .then((result) => {
+ // result.sealed will be true until enough keys are provided
+ console.log('Sealed:', result.sealed);
+ console.log('Progress:', result.progress + '/' + result.t);
+ return vault.unseal({ key: 'second-unseal-key' });
+ })
+ .then((result) => {
+ // once the threshold is met, sealed will be false
+ console.log('Sealed:', result.sealed);
+ })
+ .catch(console.error);
+```
+
+See [example/unseal.js](example/unseal.js) for a working example.
+
 ### Write, read, update and delete secrets
 
 ```javascript
diff --git a/example/unseal.js b/example/unseal.js
new file mode 100644
index 0000000..ab5d837
--- /dev/null
+++ b/example/unseal.js
@@ -0,0 +1,16 @@
+// file: example/unseal.js
+
+process.env.DEBUG = 'node-vault'; // switch on debug mode
+
+const vault = require('./../src/index')();
+
+// Unseal a vault server that is already initialized.
+// Provide one of the unseal keys from the init response.
+// If the vault was initialized with secret_threshold > 1,
+// you must call unseal multiple times with different keys
+// until the threshold is met.
+const key = process.env.UNSEAL_KEY;
+
+vault.unseal({ key })
+ .then(console.log)
+ .catch((err) => console.error(err.message));
diff --git a/package-lock.json b/package-lock.json
index 52fbe91..2236e20 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "node-vault", - "version": "0.11.1", + "version": "0.12.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "node-vault", - "version": "0.11.1", + "version": "0.12.0", "license": "MIT", "dependencies": { "axios": "^1.13.6",
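Review bot: The new example/unseal.js forces `process.env.DEBUG = 'node-vault'` at the top of a script whose only job is to send an unseal key, so anyone who copies it gets the library's debug trace on the console or in captured logs while a key share is in flight. Whether that trace includes the request body is not visible in this hunk, so I would not default it on here; drop the line or leave it commented out, e.g. `// process.env.DEBUG = 'node-vault'; // debug output may include request data - keep off with real unseal keys`. Separately, `const key = process.env.UNSEAL_KEY;` is passed straight to `vault.unseal({ key })` with no check, so an unset variable sends a request with `key` undefined. A guard before the call, `if (!key) { console.error('UNSEAL_KEY is not set'); process.exit(1); }`, makes that failure explicit and gives a non-zero exit status, which the current `.catch` does not.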