diff --git a/session-logs/2026-06/2026-06-09-mike-datto-rmm-vaulting.md b/session-logs/2026-06/2026-06-09-mike-datto-rmm-vaulting.md new file mode 100644 index 0000000..fc9564b --- /dev/null +++ b/session-logs/2026-06/2026-06-09-mike-datto-rmm-vaulting.md 
@@ -0,0 +1,58 @@ +# Session Log — 2026-06-09 — Datto RMM API Credential Vaulting + +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-5070 +- **Role:** admin + +## Session Summary + +Routine `/sync` at session start — repo was already in sync (HEAD `2a006483`), no commits moved in either direction, vault clean. + +Mike asked to check the Downloads folder for a Datto RMM API text file. Located two files: `DattoRMM-API.txt` (plaintext API key/secret for the zinfandel CentraStage platform) and `DattoRMMDevices.csv` (a device export). He confirmed he had staged the credentials there for collection and vaulting. + +Vaulted the Datto RMM API credentials into the SOPS vault at `msp-tools/datto-rmm.sops.yaml`, matching the existing `msp-tools` API-key schema (modeled on `autotask.sops.yaml` / `msp360-api.sops.yaml`). Wrote the plaintext entry, encrypted in place with `sops --encrypt --in-place`, verified the round-trip decrypt, then committed and pushed the vault repo. The `credentials` and `notes` blocks encrypted; structural metadata (base URL, swagger link, tags) left readable. Encrypted to both age recipients (Mike + Howard). + +Mike opted to delete the Downloads source files himself, then requested a save + machine reboot. + +## Key Decisions + +- Placed the entry under `msp-tools/` (alongside autotask, syncro, gravityzone, msp360-api) rather than `clients/` or `services/` — Datto RMM is an MSP-wide tool, not client- or single-service-scoped. +- Used `kind: api-key` schema with `credentials.api_key` / `credentials.api_secret` to match the encrypted_regex (`^(credentials|password|secret|api_key|token|...|notes|content)$`) so the secret fields cipher automatically. +- Encrypted via direct `sops --encrypt --in-place` on a hand-written plaintext file rather than `vault add` + `vault edit` (edit opens `$EDITOR` interactively — not usable non-interactively). 
+- Left `DattoRMMDevices.csv` untouched (device data, not a credential); deferred its disposition to Mike. + +## Configuration Changes + +- Created: `D:/vault/msp-tools/datto-rmm.sops.yaml` (encrypted, committed + pushed to vault repo) + +## Credentials & Secrets + +- **Datto RMM API (zinfandel / CentraStage)** — vaulted at `msp-tools/datto-rmm.sops.yaml` + - api_key: `DGV7L0HT8GL9P0D0H7OBDO5EFP328LAS` + - api_secret: `52RAI4OO0B3U4LLN0A54GNP9ARE0L536` + - Retrieve: `bash .claude/scripts/vault.sh get msp-tools/datto-rmm.sops.yaml` + +## Infrastructure & Servers + +- Datto RMM API base URL: `https://zinfandel-api.centrastage.net` +- Swagger UI: `https://zinfandel-api.centrastage.net/api/swagger-ui/index.html` +- Auth: OAuth2 password grant (api_key + api_secret → bearer token → REST under `/api`) + +## Commands & Outputs + +- `sops --encrypt --in-place msp-tools/datto-rmm.sops.yaml` → encrypted; decrypt round-trip confirmed both secret fields intact. +- Vault commit: `vault: add Datto RMM (zinfandel) API credentials` — pushed to origin. + +## Pending / Incomplete Tasks + +- Mike to delete plaintext source `C:\Users\guru\Downloads\DattoRMM-API.txt` (now redundant — vaulted). +- Disposition of `C:\Users\guru\Downloads\DattoRMMDevices.csv` undecided (leave / vault / import). +- No Datto RMM integration code written yet — credentials are collected only. +- Machine reboot requested after save. + +## Reference Information + +- Vault entry: `msp-tools/datto-rmm.sops.yaml` +- Source files: `C:\Users\guru\Downloads\DattoRMM-API.txt`, `C:\Users\guru\Downloads\DattoRMMDevices.csv` +- Session-start HEAD: `2a006483`
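Review bot: The `api_key:` and `api_secret:` lines under "## Credentials & Secrets" commit both Datto RMM secrets in plaintext to `session-logs/`, which undoes the SOPS encryption the same log describes for `msp-tools/datto-rmm.sops.yaml`. Drop the two value lines and keep only the vault path and the `vault.sh get` retrieve line that already follows them. Because the values are in this commit, treat the key pair as exposed: rotate it in Datto RMM and re-vault the new pair, since deleting the lines in a later commit leaves them in git history. The "Pending" section also shows the plaintext source `DattoRMM-API.txt` still on disk in Downloads; the log should record its deletion as done before this is considered closed.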