The Vault UI includes a handy API explorer feature that you can use to both interactively learn about the Vault HTTP API and try live requests against your Vault cluster or dev mode server.

Required policy

Your token ACL policy will limit the capabilities you have on the API endpoints.

For the purpose of this tutorial, a minimal policy including the paths used in all of UI tutorials can be found in this example. This way, you can try the underlying API endpoint paths that correspond with the auth method and secrets engine configured in the other tutorials.

Example tutorial policy named learn-ui-api:

# Read the configuration secret example
path "secret/config" {
    capabilities = ["read"]
}

# Read the host information example
path "sys/host-info" {
    capabilities = ["read"]
}

# List secrets engines
path "sys/mounts" {
    capabilities = ["read"]
}

# Enable Transit secrets engine
path "sys/mounts/transit" {
    capabilities = ["create", "update"]
}

# Manage Transit secrets engine keys
path "transit/keys" {
    capabilities = ["list"]
}
path "transit/keys/*" {
    capabilities = ["create", "list", "read", "update"]
}
path "transit/keys/+/config" {
    capabilities = ["create", "update"]
}

# Encrypt with any Transit secrets engine key
path "transit/encrypt/*" {
    capabilities = ["create", "update"]
}

# Decrypt with any Transit secrets engine key
path "transit/decrypt/*" {
    capabilities = ["create", "update"]
}

Use the steps from Create Vault Policies tutorial with a highly privileged token to create this policy. Name it learn-ui-api.

You can then attach the learn-ui-api policy to the userpass auth method that you configured in the Manage Authentication Methods tutorial.

Although you can continue working with the root token, the best practice is to sign out of the UI and sign in with the userpass auth method. By doing so, you are practicing the principle of least privilege by having only the capabilities required to complete this tutorial.

Once you have signed into Vault as webapp user, proceed with the rest of the tutorial.

Access API Explorer

To access the API explorer, open the browser CLI by choosing the terminal icon as shown in the navigation screen shot.

The CLI will open to reveal a > prompt. Type help at any time to get help with using it.

Access the API explorer by typing api at the prompt and pressing return.

A warning is emitted for the first access to the API explorer, you should read and carefully understand it before experimenting with requests, particularly when using a highly privileged token.