The /sys/capabilities-accessor endpoint is used to fetch the capabilities of the token associated with the given accessor. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled to through the entity and entity's group memberships.

Query token accessor capabilities

This endpoint returns the capabilities of the token associated with the given accessor, for the given path. Multiple paths are taken in at once and the capabilities of the token associated with the given accessor for each path is returned. For backwards compatibility, if a single path is supplied, a capabilities field will also be returned.

Parameters

• accessor (string: <required>) – Accessor of the token for which capabilities are being queried.

• paths (list: <required>) – Paths on which capabilities are being queried.

Sample payload

{
  "accessor": "abcd1234",
  "paths": ["secret/foo"]
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/capabilities-accessor

Sample response

{
  "capabilities": ["delete", "list", "read", "update"],
  "secret/foo": ["delete", "list", "read", "update"]
}