# Enclaive Vault API

## Create Token

> Creates a new token. Certain options are only available when called by a root or sudo-capable token. If used with a role name in the path, the token will be created against the specified role name.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"security":[{"vaultToken":[]}],"components":{"securitySchemes":{},"schemas":{"CreateTokenRequest":{"type":"object","properties":{"id":{"type":"string","description":"Custom client token ID (root only). Cannot contain \".\" or start with \"s.\"."},"role_name":{"type":"string","description":"Name of the token role."},"policies":{"type":"array","items":{"type":"string"},"description":"Policies to assign to the token."},"meta":{"type":"object","additionalProperties":{"type":"string"},"description":"Metadata to pass through to audit devices."},"no_parent":{"type":"boolean","default":false,"description":"If true, creates an orphan token. Requires root or sudo."},"no_default_policy":{"type":"boolean","default":false,"description":"If true, excludes the default policy."},"renewable":{"type":"boolean","default":true,"description":"Whether the token can be renewed."},"lease":{"type":"string","deprecated":true,"description":"Deprecated. Use ttl instead."},"ttl":{"type":"string","description":"TTL (e.g., \"1h\")."},"type":{"type":"string","enum":["batch","service"],"description":"Token type."},"explicit_max_ttl":{"type":"string","description":"Explicit max TTL that cannot be exceeded."},"display_name":{"type":"string","default":"token","description":"Display name for the token."},"num_uses":{"type":"integer","default":0,"description":"Max number of uses. 0 means unlimited."},"period":{"type":"string","description":"Periodic renewal interval. Requires root or sudo."},"entity_alias":{"type":"string","description":"Entity alias to associate with (must be allowed in role)."}}}}},"paths":{"/auth/token/create":{"post":{"summary":"Create Token","description":"Creates a new token. Certain options are only available when called by a root or sudo-capable token. If used with a role name in the path, the token will be created against the specified role name.\n","requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateTokenRequest"}}}},"responses":{"200":{"description":"Token created successfully","content":{"application/json":{}}},"400":{"description":"Bad Request – The input is malformed or missing required fields.","content":{"application/json":{}}},"403":{"description":"Forbidden – The requester's token lacks sufficient privileges","content":{"application/json":{}}}}}}}}
```

## GET /identity/mfa/method/duo/{method\_id}

> Read the current configuration for the given MFA method

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"paths":{"/identity/mfa/method/duo/{method_id}":{"get":{"operationId":"mfa-read-duo-method-configuration","summary":"Read the current configuration for the given MFA method","responses":{"200":{"description":"Successfully retrieved Duo MFA configuration","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DuoMfaMethodResponse"}}}},"400":{"description":"Bad Request – Invalid method ID format.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}},"403":{"description":"Forbidden – Access denied to this configuration.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}},"500":{"description":"Internal Server Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}},"tags":["identity"]}}}},"components":{"schemas":{"ErrorResponse":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}
```

## Retrieve the configuration of the specified Duo MFA method.

> This operation retrieves the configuration details of the Duo MFA method identified by the \`name\` parameter.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"paths":{"/sys/mfa/method/duo/{name}":{"get":{"operationId":"system-read-mfa-method-duo-name","summary":"Retrieve the configuration of the specified Duo MFA method.","description":"This operation retrieves the configuration details of the Duo MFA method identified by the `name` parameter.\n","responses":{"200":{"description":"Successfully retrieved the Duo MFA method configuration.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/MfaMethodConfiguration"}}}},"404":{"description":"The specified Duo MFA method configuration was not found.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}},"500":{"description":"Internal server error while retrieving the Duo MFA method configuration.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}}},"components":{"schemas":{"ErrorResponse":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}
```

## Modify the specified Duo MFA method configuration.

> This operation modifies the configuration of the Duo MFA method identified by the \`name\` parameter. It requires the user to provide the new configuration details in the request body.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"paths":{"/sys/mfa/method/duo/{name}":{"post":{"operationId":"system-write-mfa-method-duo-name","summary":"Modify the specified Duo MFA method configuration.","description":"This operation modifies the configuration of the Duo MFA method identified by the `name` parameter. It requires the user to provide the new configuration details in the request body.\n","requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/MfaMethodConfiguration"}}}},"responses":{"200":{"description":"Successfully updated the Duo MFA method configuration."},"400":{"description":"Bad request. The provided configuration is invalid.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}},"404":{"description":"The specified Duo MFA method configuration was not found.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}},"500":{"description":"Internal server error while modifying the Duo MFA method configuration.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}}},"components":{"schemas":{"ErrorResponse":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}
```

## Delete the specified Duo MFA method.

> This operation deletes the Duo MFA method configuration identified by the \`name\` parameter.<br>

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"paths":{"/sys/mfa/method/duo/{name}":{"delete":{"operationId":"system-delete-mfa-method-duo-name","summary":"Delete the specified Duo MFA method.","description":"This operation deletes the Duo MFA method configuration identified by the `name` parameter.\n","responses":{"204":{"description":"Successfully deleted the Duo MFA method configuration. The body is empty."},"400":{"description":"Bad request. The `name` parameter is invalid.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}},"404":{"description":"The specified Duo MFA method configuration was not found.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}},"500":{"description":"Internal server error while deleting the Duo MFA method configuration.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}}},"components":{"schemas":{"ErrorResponse":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}
```

## POST /sys/namespaces/api-lock/lock/{path}

> Lock the API at a specific namespace path.

```json
{"openapi":"3.0.2","info":{"title":"Enclaive Vault API","version":"1.3.2"},"servers":[{"url":"http://localhost:8200/v1","description":"Local Vault Server"}],"paths":{"/sys/namespaces/api-lock/lock/{path}":{"post":{"operationId":"system-write-namespaces-api-lock-lock-path","summary":"Lock the API at a specific namespace path.","requestBody":{"required":false},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object","properties":{"success":{"type":"boolean"}}}}}},"400":{"description":"Bad Request","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}},"500":{"description":"Internal Server Error","content":{"application/json":{"schema":{"type":"object","properties":{"errors":{"type":"array","items":{"type":"string"}}}}}}}}}}}}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.enclaive.cloud/virtual-hsm/api/enclaive-vault-api.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.