API Explorer

The Vault UI includes a handy API explorer feature that you can use to both interactively learn about the Vault HTTP API and try live requests against your Vault cluster or dev mode server.

Required policy

Your token ACL policy will limit the capabilities you have on the API endpoints.

For the purpose of this tutorial, a minimal policy including the paths used in all of UI tutorials can be found in this example. This way, you can try the underlying API endpoint paths that correspond with the auth method and secrets engine configured in the other tutorials.

Example tutorial policy named learn-ui-api:

# Read the configuration secret example
path "secret/config" {
    capabilities = ["read"]
}

# Read the host information example
path "sys/host-info" {
    capabilities = ["read"]
}

# List secrets engines
path "sys/mounts" {
    capabilities = ["read"]
}

# Enable Transit secrets engine
path "sys/mounts/transit" {
    capabilities = ["create", "update"]
}

# Manage Transit secrets engine keys
path "transit/keys" {
    capabilities = ["list"]
}
path "transit/keys/*" {
    capabilities = ["create", "list", "read", "update"]
}
path "transit/keys/+/config" {
    capabilities = ["create", "update"]
}

# Encrypt with any Transit secrets engine key
path "transit/encrypt/*" {
    capabilities = ["create", "update"]
}

# Decrypt with any Transit secrets engine key
path "transit/decrypt/*" {
    capabilities = ["create", "update"]
}

You need to Sign out and use the root_token value you copy from the downloaded key file to sign back in to create a new policy since webapp policy does not grant permission to create policies.

Use the steps from Create Vault Policies tutorial with a highly privileged token to create this policy. Name it learn-ui-api.

You can then attach the learn-ui-api policy to the userpass auth method that you configured in the Manage Authentication Methods tutorial.

Although you can continue working with the root token, the best practice is to sign out of the UI and sign in with the userpass auth method. By doing so, you are practicing the principle of least privilege by having only the capabilities required to complete this tutorial.

Once you have signed into Vault as webapp user, proceed with the rest of the tutorial.

Access API Explorer

To access the API explorer, open the browser CLI by choosing the terminal icon as shown in the navigation screen shot.

The CLI will open to reveal a > prompt. Type help at any time to get help with using it.

Access the API explorer by typing api at the prompt and pressing return.

A warning is emitted for the first access to the API explorer, you should read and carefully understand it before experimenting with requests, particularly when using a highly privileged token.

The "Try it out" functionality in this API explorer will make requests to this Vault server on your behalf. IF YOUR TOKEN HAS THE PROPER CAPABILITIES, THIS WILL CREATE AND DELETE ITEMS ON THE VAULT SERVER. Your token will also be shown on the screen in the example curl command output.

PreviousUnseal / Seal NextSecrets

Last updated 1 year ago

# Read the configuration secret example path "secret/config" { capabilities = ["read"] } # Read the host information example path "sys/host-info" { capabilities = ["read"] } # List secrets engines path "sys/mounts" { capabilities = ["read"] } # Enable Transit secrets engine path "sys/mounts/transit" { capabilities = ["create", "update"] } # Manage Transit secrets engine keys path "transit/keys" { capabilities = ["list"] } path "transit/keys/*" { capabilities = ["create", "list", "read", "update"] } path "transit/keys/+/config" { capabilities = ["create", "update"] } # Encrypt with any Transit secrets engine key path "transit/encrypt/*" { capabilities = ["create", "update"] } # Decrypt with any Transit secrets engine key path "transit/decrypt/*" { capabilities = ["create", "update"] }