backend-api-internal/hvac_handler.py

import hvac
import base64
import os

HVAC_AGENT_URL = os.getenv("HVAC_AGENT_URL","http://vault-agent:8201")
client = hvac.Client(url=HVAC_AGENT_URL)

def decrypt_token(ciphertext: str) -> str:
    response = client.secrets.transit.decrypt_data(
        name="push-tokens",
        ciphertext=ciphertext
    )
    plaintext_b64 = response["data"]["plaintext"]
    return base64.b64decode(plaintext_b64).decode()