search
DocumentationTutorialsTry Cloud!

tokens

hashtag
Configure the identity tokens backend

This endpoint updates configurations for OIDC-compliant identity tokens issued by Vault.

Method
Path

POST

identity/oidc/config

hashtag
Parameters

  • issuer (string: "") – Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case sensitive URL using the https scheme that contains scheme, host, and an optional port number.

hashtag
Sample payload

{
  "issuer": "https://example.com:1234"
}

hashtag
Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/identity/oidc/config

hashtag
Sample response

{
  "data": null,
  "warnings": [
    "If \"issuer\" is set explicitly, all tokens must be validated against that address, including those issued by secondary clusters. Setting issuer to \"\" will restore the default behavior of using the cluster's api_addr as the issuer."
  ]
}

hashtag
Read configurations for the identity tokens backend

This endpoint queries vault identity tokens configurations.

Method
Path

GET

identity/oidc/config

hashtag
Sample request

hashtag
Sample response

hashtag
Create a named key

This endpoint creates or updates a named key which is used by a role to sign tokens.

Method
Path

POST

identity/oidc/key/:name

hashtag
Parameters

  • name (string) – Name of the named key.

  • rotation_period (int or time string: "24h") - How often to generate a new signing key. Uses duration format strings.

  • verification_ttl (int or time string: "24h") - Controls how long the public portion of a signing key will be available for verification after being rotated. Uses duration format strings.

  • allowed_client_ids (list: []) - Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed.

  • algorithm (string: "RS256") - Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.

hashtag
Sample payload

hashtag
Sample request

hashtag
Read a named key

This endpoint queries a named key and returns its configurations.

Method
Path

GET

identity/oidc/key/:name

hashtag
Parameters

  • name (string) – Name of the key.

hashtag
Sample request

hashtag
Sample response

hashtag
Delete a named key

This endpoint deletes a named key.

Method
Path

DELETE

identity/oidc/key/:name

hashtag
Parameters

  • name (string) – Name of the key.

hashtag
Sample request

hashtag
List named keys

This endpoint will List all named keys.

Method
Path

LIST

identity/oidc/key

hashtag
Sample request

hashtag
Sample response

hashtag
Rotate a named key

This endpoint rotates a named key.

Method
Path

POST

identity/oidc/key/:name/rotate

hashtag
Parameters

  • name (string) – Name of the key to be rotated.

  • verification_ttl (string: <optional>) - Controls how long the public portion of the key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.

hashtag
Sample payload

hashtag
Sample request

hashtag
Create or update a role

Create or update a role. ID tokens are generated against a role and signed against a named key.

Method
Path

POST

identity/oidc/role/:name

hashtag
Parameters

  • name (string) – Name of the role.

  • key (string) – A configured named key, the key must already exist.

  • template (string: <optional>) - The template string to use for generating tokens. This may be in string-ified JSON or base64 format.

  • client_id (string: <optional>) - Optional client ID. A random ID will be generated if left unset.

  • ttl (int or time string: "24h") - TTL of the tokens generated against the role. Uses duration format strings.

hashtag
Sample payload

hashtag
Sample request

hashtag
Read a role

This endpoint queries a role and returs its configuration.

Method
Path

GET

identity/oidc/role/:name

hashtag
Parameters

  • name (string) – Name of the role.

hashtag
Sample request

hashtag
Sample response

hashtag
Delete a role

This endpoint deletes a role.

Method
Path

DELETE

identity/oidc/role/:name

hashtag
Parameters

  • name (string) – Name of the role.

hashtag
Sample request

hashtag
List roles

This endpoint will list all signing keys.

Method
Path

LIST

identity/oidc/role

hashtag
Sample request

hashtag
Sample response

hashtag
Generate a signed ID token

Use this endpoint to generate a signed ID (OIDC) token.

Method
Path

GET

identity/oidc/token/:name

hashtag
Parameters

  • name (string: "") – The name of the role against which to generate a signed ID token

hashtag
Sample request

hashtag
Sample response

hashtag
Introspect a signed ID token

This endpoint can verify the authenticity and active state of a signed ID token.

Method
Path

POST

identity/oidc/introspect

hashtag
Parameters

  • token (string) – A signed OIDC compliant ID token

  • client_id (string: <optional>) - Specifying the client ID additionally requires the token to contain a matching aud claim

hashtag
Sample payload

hashtag
Sample request

hashtag
Sample response

hashtag
Read .well-known configurations

Query this path to retrieve a set of claims about the identity tokens' configuration. The response is a compliant OpenID Provider Configuration Response.

Method
Path

GET

identity/oidc/.well-known/openid-configuration

hashtag
Sample request

hashtag
Sample response

hashtag
Read active public keys

Query this path to retrieve the public portion of named keys. Clients can use this to validate the authenticity of an identity token.

hashtag
Sample request

hashtag
Sample response

Previousgroup-aliasNextlookup

Last updated