# Auth

## List token accessors

> Returns a list of token accessor IDs which can then be used to discover their properties or revoke them. Requires both `list` and `sudo` capabilities on the `auth/token/accessors` path.

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{}},"paths":{"/auth/token/accessors":{"get":{"summary":"List token accessors","description":"Returns a list of token accessor IDs which can then be used to discover their properties or revoke them. Requires both `list` and `sudo` capabilities on the `auth/token/accessors` path.","operationId":"listTokenAccessors","tags":["auth"],"parameters":[{"name":"list","in":"query","description":"Must be set to \"true\"","required":true,"schema":{"type":"string","enum":["true"]}}],"responses":{"200":{"description":"A list of token accessor IDs.","content":{"application/json":{"schema":{"type":"object","properties":{"keys":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – caller lacks required capabilities (`list` and `sudo`).","content":{"application/json":{}}},"400":{"description":"Bad Request – likely due to missing or incorrect query parameters.","content":{"application/json":{}}}}}}}}
```

## Create a new orphan token

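> Creates an orphan token that is not tied to a parent token. Orphan tokens do not expire when the parent token expires and are not revoked when the parent is revoked. Because nothing upstream will revoke an orphan token, give it a bounded `ttl` or `explicit_max_ttl` and keep its accessor so that it can be revoked explicitly.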

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{},"schemas":{"CreateTokenRequest":{"type":"object","properties":{"id":{"type":"string","description":"Custom client token ID (root only). Cannot contain \".\" or start with \"s.\"."},"role_name":{"type":"string","description":"Name of the token role."},"policies":{"type":"array","items":{"type":"string"},"description":"Policies to assign to the token."},"meta":{"type":"object","additionalProperties":{"type":"string"},"description":"Metadata to pass through to audit devices."},"no_parent":{"type":"boolean","default":false,"description":"If true, creates an orphan token. Requires root or sudo."},"no_default_policy":{"type":"boolean","default":false,"description":"If true, excludes the default policy."},"renewable":{"type":"boolean","default":true,"description":"Whether the token can be renewed."},"lease":{"type":"string","deprecated":true,"description":"Deprecated. Use ttl instead."},"ttl":{"type":"string","description":"TTL (e.g., \"1h\")."},"type":{"type":"string","enum":["batch","service"],"description":"Token type."},"explicit_max_ttl":{"type":"string","description":"Explicit max TTL that cannot be exceeded."},"display_name":{"type":"string","default":"token","description":"Display name for the token."},"num_uses":{"type":"integer","default":0,"description":"Max number of uses. 0 means unlimited."},"period":{"type":"string","description":"Periodic renewal interval. 
Requires root or sudo."},"entity_alias":{"type":"string","description":"Entity alias to associate with (must be allowed in role)."}}},"CreateTokenResponse":{"type":"object","properties":{"request_id":{"type":"string"},"lease_id":{"type":"string"},"renewable":{"type":"boolean"},"lease_duration":{"type":"integer"},"data":{"nullable":true},"wrap_info":{"nullable":true},"warnings":{"type":"array","items":{"type":"string"}},"auth":{"type":"object","properties":{"client_token":{"type":"string"},"accessor":{"type":"string"},"policies":{"type":"array","items":{"type":"string"}},"token_policies":{"type":"array","items":{"type":"string"}},"metadata":{"type":"object","additionalProperties":{"type":"string"}},"lease_duration":{"type":"integer"},"renewable":{"type":"boolean"},"entity_id":{"type":"string"},"token_type":{"type":"string"},"orphan":{"type":"boolean"},"num_uses":{"type":"integer"}}}}}}},"paths":{"/auth/token/create-orphan":{"post":{"summary":"Create a new orphan token","description":"Creates an orphan token that is not tied to a parent token. Orphan tokens\ndo not expire when the parent token expires and are not revoked when the\nparent is revoked.\n","operationId":"createOrphanToken","tags":["auth"],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateTokenRequest"}}}},"responses":{"200":{"description":"Token successfully created","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateTokenResponse"}}}},"400":{"description":"Bad Request – Invalid or missing input fields","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – The caller lacks permission to create orphan tokens","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```

## Create token with role

> Creates a new token using the configuration of the specified role.\
> The role may override parameters passed in the request body.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{},"schemas":{"TokenCreateAgainstRoleRequest":{"properties":{"display_name":{"description":"Name to associate with this token","type":"string"},"entity_alias":{"description":"Name of the entity alias to associate with this token","type":"string"},"explicit_max_ttl":{"description":"Explicit Max TTL of this token","type":"string"},"id":{"description":"Value for the token","type":"string"},"lease":{"deprecated":true,"description":"Use 'ttl' instead","type":"string"},"meta":{"description":"Arbitrary key=value metadata to associate with the token","format":"kvpairs","type":"object"},"no_default_policy":{"description":"Do not include default policy for this token","type":"boolean"},"no_parent":{"description":"Create the token with no parent","type":"boolean"},"num_uses":{"description":"Max number of uses for this token","type":"integer"},"period":{"description":"Renew period","type":"string"},"policies":{"description":"List of policies for the token","items":{"type":"string"},"type":"array"},"renewable":{"default":true,"description":"Allow token to be renewed past its initial TTL up to system/mount maximum TTL","type":"boolean"},"ttl":{"description":"Time to live for this token","type":"string"},"type":{"description":"Token type","type":"string"}},"type":"object"}}},"paths":{"/auth/token/create/{role_name}":{"post":{"summary":"Create token with role","description":"Creates a new token using the configuration of the specified role.\nThe role may override parameters passed in the request body.\n","parameters":[{"name":"role_name","in":"path","required":true,"description":"The name of the token role to use for token 
creation.","schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenCreateAgainstRoleRequest"}}},"required":true},"responses":{"200":{"description":"Token successfully created","content":{"application/json":{"schema":{"type":"object","properties":{"auth":{"type":"object","properties":{"client_token":{"type":"string"},"policies":{"type":"array","items":{"type":"string"}},"lease_duration":{"type":"integer"},"renewable":{"type":"boolean"},"token_type":{"type":"string","enum":["service","batch"]},"orphan":{"type":"boolean"}}}}}}}},"400":{"description":"Bad Request – Invalid input or missing required fields","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – Insufficient privileges to create token with specified parameters","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}},"tags":["auth"]}}}}
```

## Lookup a token

> Returns detailed information about the specified client token, which is supplied in the request body. The caller must authenticate with a token that has sufficient capabilities to perform lookups.

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{},"schemas":{}},"paths":{"/auth/token/lookup":{"post":{"summary":"Lookup a token","description":"Returns detailed information about the specified client token. This endpoint\nrequires a token with sufficient capabilities to perform lookups.\n","operationId":"lookupToken","requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenLookupRequest","token":"ClientToken"}}}},"responses":{"200":{"description":"Token lookup successful","content":{"application/json":{"schema":{"type":"object","properties":{"accessor":{"type":"string"},"creation_time":{"type":"integer"},"creation_ttl":{"type":"integer"},"display_name":{"type":"string"},"entity_id":{"type":"string"},"expire_time":{"type":"string","format":"date-time"},"explicit_max_ttl":{"type":"integer"},"id":{"type":"string"},"identity_policies":{"type":"array","items":{"type":"string"}},"issue_time":{"type":"string","format":"date-time"},"meta":{"type":"object","additionalProperties":{"type":"string"}},"num_uses":{"type":"integer"},"orphan":{"type":"boolean"},"path":{"type":"string"},"policies":{"type":"array","items":{"type":"string"}},"renewable":{"type":"boolean"},"ttl":{"type":"integer"}}}}}},"400":{"description":"Bad Request – Missing or malformed token field","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – Insufficient permissions to look up this token","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}},"tags":["auth"]}}}}
```

## Lookup a token (Accessor)

> Returns detailed information about a token identified by its accessor, which is supplied in the request body. The caller must authenticate with a token that has sufficient capabilities to perform lookups.

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{},"schemas":{}},"paths":{"/auth/token/lookup-accessor":{"post":{"summary":"Lookup a token (Accessor)","description":"Returns detailed information about a token using its accessor. This endpoint\nrequires a token with sufficient capabilities to perform lookups.\n","operationId":"lookupTokenByAccessor","tags":["auth"],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenLookupAccessorRequest"}}}},"responses":{"200":{"description":"Token lookup by accessor successful","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenLookupResponse"}}}},"400":{"description":"Bad Request – Missing or malformed accessor field","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – Insufficient permissions to perform accessor lookup","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```

## Lookup a token (Self)

> Returns detailed information about the currently authenticated client token.\
> This endpoint requires the caller to include a valid Vault token.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{},"schemas":{}},"paths":{"/auth/token/lookup-self":{"get":{"summary":"Lookup a token (Self)","description":"Returns detailed information about the currently authenticated client token.\nThis endpoint requires the caller to include a valid Vault token.\n","operationId":"lookupSelfToken","tags":["auth"],"responses":{"200":{"description":"Token self-lookup successful","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenLookupResponse"}}}},"403":{"description":"Forbidden – The client token is invalid or lacks access","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```

## Renew a token (Accessor)

> Renews a lease associated with a token using its accessor. This is used to\
> prevent expiration and automatic revocation of the token. The token must be\
> renewable and have an active lease.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{},"schemas":{"TokenRenewAccessorRequest":{"properties":{"accessor":{"description":"Accessor of the token to renew (request body)","type":"string"},"increment":{"default":0,"description":"The desired increment in seconds to the token expiration","format":"seconds","type":"integer"}},"type":"object"}}},"paths":{"/auth/token/renew-accessor":{"post":{"summary":"Renew a token (Accessor)","description":"Renews a lease associated with a token using its accessor. This is used to\nprevent expiration and automatic revocation of the token. The token must be\nrenewable and have an active lease.\n","operationId":"renewTokenByAccessor","tags":["auth"],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenRenewAccessorRequest"}}}},"responses":{"200":{"description":"Token successfully renewed","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenRenewAccessorResponse"}}}},"400":{"description":"Bad Request – Missing or invalid accessor or token not renewable","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – Caller lacks permission to renew the token","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```

## Renew a token (Self)

> Renews a lease associated with the calling token. This prevents the token from\
> expiring and being automatically revoked. Renewal is only possible if the token\
> is renewable and has an active lease.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{},"schemas":{"TokenRenewSelfRequest":{"properties":{"increment":{"default":0,"description":"The desired increment in seconds to the token expiration","format":"seconds","type":"integer"},"token":{"description":"Token to renew (unused, does not need to be set)","type":"string"}},"type":"object"}}},"paths":{"/auth/token/renew-self":{"post":{"summary":"Renew a token (Self)","description":"Renews a lease associated with the calling token. This prevents the token from\nexpiring and being automatically revoked. Renewal is only possible if the token\nis renewable and has an active lease.\n","operationId":"renewSelfToken","tags":["auth"],"requestBody":{"required":false,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenRenewSelfRequest"}}}},"responses":{"200":{"description":"Token successfully renewed","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenRenewSelfResponse"}}}},"403":{"description":"Forbidden – Token is not renewable or not authorized","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```

## Revoke a token

> Revokes the specified token and all child tokens derived from it. Any dynamic secrets associated with the token are also revoked.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{}},"paths":{"/auth/token/revoke":{"post":{"summary":"Revoke a token","description":"Revokes the specified token and all child tokens derived from it. Any dynamic secrets associated with the token are also revoked.\n","operationId":"revokeToken","tags":["auth"],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["token"],"properties":{"token":{"type":"string","description":"Token to revoke"}}}}}},"responses":{"204":{"description":"Token successfully revoked. No content returned."},"400":{"description":"Invalid input or missing token.","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – the client token does not have permission to revoke the specified token.","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```

## Revoke a token accessor

> Revokes the token associated with the specified accessor and all of its child tokens. This operation is useful in scenarios where the token ID is unavailable.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{}},"paths":{"/auth/token/revoke-accessor":{"post":{"summary":"Revoke a token accessor","description":"Revokes the token associated with the specified accessor and all of its child tokens. This operation is useful in scenarios where the token ID is unavailable.\n","operationId":"revokeTokenAccessor","tags":["auth"],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["accessor"],"properties":{"accessor":{"type":"string","description":"Accessor of the token to revoke"}}}}}},"responses":{"204":{"description":"Token and its children successfully revoked. No content returned."},"400":{"description":"Invalid accessor or input data.","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – the client token does not have permission to revoke the specified accessor.","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```

## Revoke a token without revoking child tokens

> Revokes the specified token and all secrets created with it, but does not revoke child tokens. The child tokens become orphaned and remain usable; they can be revoked later using `/auth/token/revoke`. This operation requires root-level privileges.

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{}},"paths":{"/auth/token/revoke-orphan":{"post":{"summary":"Revoke a token without revoking child tokens","description":"Revokes the specified token and all secrets created with it, but does not revoke child tokens. The child tokens become orphaned and can be revoked later using `/auth/token/revoke`. This operation requires root-level privileges.\n","operationId":"revokeTokenOrphan","tags":["auth"],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["token"],"properties":{"token":{"type":"string","description":"Token to revoke"}}}}}},"responses":{"204":{"description":"Token successfully revoked. No content returned."},"400":{"description":"Invalid token or malformed input.","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – the client token does not have permission to revoke this token.","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```

## Revoke the calling token

> Revokes the token used to authenticate this request, along with all child tokens. All secrets generated with the token are also revoked.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{}},"paths":{"/auth/token/revoke-self":{"post":{"summary":"Revoke the calling token","description":"Revokes the token used to authenticate this request, along with all child tokens. All secrets generated with the token are also revoked.\n","operationId":"revokeSelfToken","tags":["auth"],"requestBody":{"description":"No payload is required.","required":false,"content":{"application/json":{"schema":{"type":"object"}}}},"responses":{"204":{"description":"Token successfully revoked. No content returned."},"400":{"description":"Invalid request or the token cannot be revoked.","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – the token does not have permission to revoke itself.","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```

## List token roles

> Lists the token roles configured in the token auth backend. Requires a token with the `list` capability. This operation is equivalent to Vault's LIST method.

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{}},"paths":{"/auth/token/roles":{"get":{"summary":"List token roles","description":"Lists the token roles configured in the token auth backend. Requires a token with `list` capability. This is equivalent to Vault's LIST method.\n","operationId":"listTokenRoles","tags":["auth"],"responses":{"200":{"description":"A list of token roles","content":{"application/json":{"schema":{"type":"object","properties":{"data":{"type":"object","properties":{"keys":{"type":"array","items":{"type":"string"}}}}}}}}},"400":{"description":"Bad request – malformed token or missing authentication","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"403":{"description":"Forbidden – token does not have permission to list roles","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```

## Read a token role

> Retrieves the configuration of the specified token role.

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{}},"paths":{"/auth/token/roles/{role_name}":{"get":{"operationId":"token-read-role","tags":["auth"],"summary":"Read a token role","description":"Retrieves the configuration of the specified token role.","responses":{"200":{"description":"Token role data retrieved successfully","content":{"application/json":{}}},"404":{"description":"Role not found","content":{"application/json":{}}}}}}}}
```

## Create or update a token role

> Creates or replaces the specified token role configuration.

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{},"schemas":{"TokenWriteRoleRequest":{"properties":{"allowed_entity_aliases":{"description":"String or JSON list of allowed entity aliases. If set, specifies the entity aliases which are allowed to be used during token generation. This field supports globbing.","items":{"type":"string"},"type":"array"},"allowed_policies":{"description":"If set, tokens can be created with any subset of the policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy names.","items":{"type":"string"},"type":"array"},"allowed_policies_glob":{"description":"If set, tokens can be created with any subset of glob matched policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy name globs.","items":{"type":"string"},"type":"array"},"bound_cidrs":{"deprecated":true,"description":"Use 'token_bound_cidrs' instead.","items":{"type":"string"},"type":"array"},"disallowed_policies":{"description":"If set, successful token creation via this role will require that no policies in the given list are requested. The parameter is a comma-delimited string of policy names.","items":{"type":"string"},"type":"array"},"disallowed_policies_glob":{"description":"If set, successful token creation via this role will require that no requested policies glob match any of policies in this list. 
The parameter is a comma-delimited string of policy name globs.","items":{"type":"string"},"type":"array"},"explicit_max_ttl":{"deprecated":true,"description":"Use 'token_explicit_max_ttl' instead.","format":"seconds","type":"integer"},"orphan":{"description":"If true, tokens created via this role will be orphan tokens (have no parent)","type":"boolean"},"path_suffix":{"description":"If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression.\\w[\\w-.]+\\w","type":"string"},"period":{"deprecated":true,"description":"Use 'token_period' instead.","format":"seconds","type":"integer"},"renewable":{"default":true,"description":"Tokens created via this role will be renewable or not according to this value. Defaults to \"true\".","type":"boolean"},"token_bound_cidrs":{"description":"Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.","items":{"type":"string"},"type":"array"},"token_explicit_max_ttl":{"description":"If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.","format":"seconds","type":"integer"},"token_no_default_policy":{"description":"If true, the 'default' policy will not automatically be added to generated tokens","type":"boolean"},"token_num_uses":{"description":"The maximum number of times a token may be used, a value of zero means unlimited","type":"integer"},"token_period":{"description":"If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. 
\"24h\").","format":"seconds","type":"integer"},"token_type":{"default":"default-service","description":"The type of token to generate, service or batch","type":"string"}},"type":"object"}}},"paths":{"/auth/token/roles/{role_name}":{"post":{"operationId":"token-write-role","tags":["auth"],"summary":"Create or update a token role","description":"Creates or replaces the specified token role configuration.","requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenWriteRoleRequest"}}}},"responses":{"200":{"description":"Token role created or updated successfully","content":{"application/json":{}}},"400":{"description":"Invalid role configuration","content":{"application/json":{}}},"403":{"description":"Permission denied","content":{"application/json":{}}}}}}}}
```

## Delete a token role

> Deletes the specified token role configuration.

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{}},"paths":{"/auth/token/roles/{role_name}":{"delete":{"operationId":"token-delete-role","tags":["auth"],"summary":"Delete a token role","description":"Deletes the specified token role configuration.","responses":{"204":{"description":"Role deleted successfully. No content is returned."},"403":{"description":"Permission denied","content":{"application/json":{}}},"404":{"description":"Role not found","content":{"application/json":{}}}}}}}}
```

## Tidy token store

> Performs maintenance to clean up invalid entries in the token store. This operation reads all accessors, tokens, and secondary index entries to identify and remove invalid tokens, orphaned children, and unused cubbyholes. Use with caution due to potential memory and I/O load.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"VaultToken":[]}],"components":{"securitySchemes":{}},"paths":{"/auth/token/tidy":{"post":{"operationId":"tidyTokens","tags":["auth"],"summary":"Tidy token store","description":"Performs maintenance to clean up invalid entries in the token store. This operation reads all accessors, tokens, and secondary index entries to identify and remove invalid tokens, orphaned children, and unused cubbyholes. Use with caution due to potential memory and I/O load.\n","responses":{"200":{"description":"Tidy operation started successfully.","content":{"application/json":{}}},"403":{"description":"Permission denied to perform tidy operation.","content":{"application/json":{}}},"500":{"description":"Internal server error while attempting to start tidy.","content":{"application/json":{}}}}}}}}
```
