Identity
Name of the alias.
Entity ID the alias should be associated with.
Accessor of the mount that the alias belongs to.
POST /v1/identity/alias HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 172
{
"name": "web-entity-alias",
"canonical_id": "f8caa34f-5914-5a27-13b3-1be6bdf562b9",
"mount_accessor": "auth_userpass_12345678",
"custom_metadata": {
"team": "dev",
"location": "IN"
}
}
{
"data": {
"id": "bda7a8b6-dbe9-4622-3a34-8904589d3a17",
"name": "web-entity-alias",
"mount_type": "userpass",
"canonical_id": "f8caa34f-5914-5a27-13b3-1be6bdf562b9",
"custom_metadata": {
"team": "dev",
"location": "IN"
}
}
}
Must be set to true
GET /v1/identity/alias/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "f31e1be4-bae6-8709-b173-69c2e7846211",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"keys": [
"bda7a8b6-dbe9-4622-3a34-8904589d3a17",
"cbe1d3af-d9cd-43b9-9e29-54a17dc830d9"
]
},
"wrap_info": null,
"warnings": null,
"auth": null
}
ID of the alias
GET /v1/identity/alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "a3d8e7f2-25be-abc1-3cd4-84792cbbd9f5",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"id": "bda7a8b6-dbe9-4622-3a34-8904589d3a17",
"name": "my-alias",
"mount_type": "userpass",
"canonical_id": "abcd1234-ef56-7890-ghij-klmnopqrstuv",
"custom_metadata": {}
},
"wrap_info": null,
"warnings": null,
"auth": null
}
ID of the alias
Entity ID to which this alias should be tied
Entity ID to which this alias should be tied. This field is deprecated in favor of 'canonical_id'.
Mount accessor to which this alias belongs
Name of the alias
POST /v1/identity/alias/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 170
{
"name": "my-updated-alias",
"mount_accessor": "auth_userpass_12345678",
"canonical_id": "abcd1234-ef56-7890-ghij-klmnopqrstuv",
"custom_metadata": {
"department": "engineering"
}
}
{
"data": {
"id": "bda7a8b6-dbe9-4622-3a34-8904589d3a17",
"name": "my-updated-alias",
"mount_type": "userpass",
"canonical_id": "abcd1234-ef56-7890-ghij-klmnopqrstuv",
"custom_metadata": {
"department": "engineering"
}
}
}
ID of the alias
DELETE /v1/identity/alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
If set to true, tokens tied to this identity cannot be used (but are not revoked).
ID of the entity. If set, updates the corresponding existing entity.
Metadata to be associated with the entity. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the entity
Policies to be tied to the entity.
POST /v1/identity/entity HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 110
{
"name": "web-user-entity",
"metadata": {
"team": "devops",
"location": "us-west"
},
"policies": [
"default",
"dev-team"
]
}
{
"data": {
"id": "a1234567-b890-4def-8123-abcdef123456",
"name": "web-user-entity",
"metadata": {
"team": "devops",
"location": "us-west"
},
"policies": [
"default",
"dev-team"
]
}
}
Entity ID to which this alias belongs
User provided key-value pairs
Entity ID to which this alias belongs. This field is deprecated, use canonical_id.
ID of the entity alias. If set, updates the corresponding entity alias.
Mount accessor to which this alias belongs; unused for a modify
Name of the alias; unused for a modify
POST /v1/identity/entity-alias HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 182
{
"name": "login-alias-web",
"canonical_id": "ef42e3d6-8121-4211-b7f4-123456789abc",
"mount_accessor": "auth_userpass_a1b2c3d4",
"custom_metadata": {
"environment": "prod",
"region": "eu-west"
}
}
{
"data": {
"id": "12e458c2-6df4-44b3-bbea-928a1e0073b5",
"name": "login-alias-web",
"mount_type": "userpass",
"canonical_id": "ef42e3d6-8121-4211-b7f4-123456789abc",
"custom_metadata": {
"environment": "prod",
"region": "eu-west"
}
}
}
Must be set to true
GET /v1/identity/entity-alias/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "a11b22c3-d4ef-5678-9abc-000000000000",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"keys": [
"bda7a8b6-dbe9-4622-3a34-8904589d3a17",
"cbe1d3af-d9cd-43b9-9e29-54a17dc830d9"
]
},
"wrap_info": null,
"warnings": null,
"auth": null
}
ID of the alias
GET /v1/identity/entity-alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "1234abcd-ef56-7890-gh12-ijklmnopqrst",
"data": {
"id": "a1b2c3d4-e5f6-7890-abcd-1234567890ef",
"name": "my-entity-alias",
"mount_type": "userpass",
"canonical_id": "canonical-123",
"custom_metadata": {
"role": "devops"
}
}
}
ID of the alias
Entity ID to which this alias should be tied
User provided key-value pairs
Entity ID to which this alias belongs. This field is deprecated, use canonical_id.
(Unused)
(Unused)
POST /v1/identity/entity-alias/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 143
{
"name": "updated-alias-name",
"mount_accessor": "auth_userpass_98765432",
"canonical_id": "canonical-123",
"custom_metadata": {
"team": "engineering"
}
}
{
"data": {
"id": "a1b2c3d4-e5f6-7890-abcd-1234567890ef",
"name": "updated-alias-name",
"mount_type": "userpass",
"canonical_id": "canonical-123",
"custom_metadata": {
"team": "engineering"
}
}
}
ID of the alias
DELETE /v1/identity/entity-alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Entity IDs to delete
POST /v1/identity/entity/batch-delete HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 55
{
"entity_ids": [
"entity-123",
"entity-456",
"entity-789"
]
}
{
"request_id": "1234abcd-ef56-7890-gh12-ijklmnopqrst",
"deleted_ids": [
"entity-123",
"entity-456",
"entity-789"
],
"errors": []
}
Must be set to true
GET /v1/identity/entity/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "d34db33f-b6e1-4ea7-8180-9827e9f8e5ac",
"data": {
"keys": [
"entity-123",
"entity-456",
"entity-789"
]
}
}
ID of the entity. If set, updates the corresponding existing entity.
GET /v1/identity/entity/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "dd1f7b72-05d4-4234-b8e5-cb61e2dfb942",
"data": {
"id": "a1b2c3d4",
"name": "developer-entity",
"metadata": {
"department": "engineering"
}
}
}
ID of the entity. If set, updates the corresponding existing entity.
If set to true, tokens tied to this identity cannot be used (but are not revoked).
Metadata to be associated with the entity. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the entity
Policies to be tied to the entity.
POST /v1/identity/entity/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 53
{
"name": "updated-entity",
"metadata": {
"role": "admin"
}
}
{
"data": {
"id": "a1b2c3d4",
"name": "updated-entity",
"metadata": {
"role": "admin"
}
}
}
ID of the entity. If set, updates the corresponding existing entity.
DELETE /v1/identity/entity/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Alias IDs to keep in case of conflicting aliases. Ignored if no conflicting aliases are found.
If set, the 'mine' strategy is used for merging MFA secrets: when both a merged-from entity and the destination entity hold secrets of the same type, the destination's secrets are left unaltered. If not set, this API returns an error listing all the conflicts.
Entity IDs to be merged
Entity ID into which all the other entities are merged
POST /v1/identity/entity/merge HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 125
{
"primary_entity_id": "entity-001",
"secondary_entity_ids": [
"entity-002",
"entity-003"
],
"metadata": {
"source": "admin-initiated"
}
}
{
"request_id": "78e1b3f6-482b-47f6-90a1-c5b6dc94d9f1",
"data": {
"id": "entity-001",
"merged_from": [
"entity-002",
"entity-003"
],
"metadata": {
"source": "admin-initiated"
}
}
}
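The merge rules above (alias conflicts resolved only through the list of alias IDs to keep, MFA secret conflicts resolved only with the force flag and the 'mine' strategy, and an error that reports every conflict rather than a partial merge) are easiest to see in code. The following is an added example written for this page, not Vault's own implementation; the `Alias`/`Entity` classes, the parameter names `to_entity_id`, `from_entity_ids`, `conflicting_alias_ids_to_keep` and `force`, and the sample entity data are all constructed for the illustration. A conflict is modelled as two aliases on the same mount accessor.

```python
from dataclasses import dataclass, field


@dataclass
class Alias:
    id: str
    mount_accessor: str
    name: str


@dataclass
class Entity:
    id: str
    aliases: list = field(default_factory=list)
    mfa_secrets: dict = field(default_factory=dict)  # MFA method ID -> stored secret


class MergeConflict(Exception):
    """Raised with {"aliases": [...], "mfa_secrets": [...]} listing every conflict found."""


def merge_entities(entities, to_entity_id, from_entity_ids,
                   conflicting_alias_ids_to_keep=(), force=False):
    """Merge every entity in from_entity_ids into to_entity_id (names are assumed).

    Two aliases conflict when they live on the same mount accessor. A conflict is
    resolved only if one side's alias ID is in conflicting_alias_ids_to_keep;
    otherwise all conflicts are collected and reported and nothing is changed.
    MFA secrets for the same method ID conflict unless force=True, in which case
    the destination's secret is kept unaltered (the 'mine' strategy).
    """
    dest = entities[to_entity_id]
    keep = set(conflicting_alias_ids_to_keep)
    # Plan the result on copies first so that a conflict leaves every entity untouched.
    by_accessor = {a.mount_accessor: a for a in dest.aliases}
    secrets = dict(dest.mfa_secrets)
    alias_conflicts, mfa_conflicts = [], []
    for src_id in from_entity_ids:
        src = entities[src_id]
        for alias in src.aliases:
            held = by_accessor.get(alias.mount_accessor)
            if held is None:
                by_accessor[alias.mount_accessor] = alias
            elif alias.id in keep:
                by_accessor[alias.mount_accessor] = alias  # caller chose the incoming alias
            elif held.id not in keep:
                alias_conflicts.append((alias.mount_accessor, held.id, alias.id))
            # held.id in keep: the alias already held wins and the incoming one is dropped
        for method_id, secret in src.mfa_secrets.items():
            if method_id not in secrets:
                secrets[method_id] = secret
            elif not force:
                mfa_conflicts.append((method_id, src_id))
            # force=True: destination secret is left unaltered ('mine')
    if alias_conflicts or mfa_conflicts:
        raise MergeConflict({"aliases": alias_conflicts, "mfa_secrets": mfa_conflicts})
    dest.aliases = list(by_accessor.values())
    dest.mfa_secrets = secrets
    for src_id in from_entity_ids:
        del entities[src_id]
    return dest


def sample_entities():
    """Constructed sample data: entity-001 and entity-002 both hold a userpass alias,
    and entity-001 and entity-003 both hold a secret for the same TOTP method."""
    return {
        "entity-001": Entity("entity-001",
                             [Alias("alias-a", "auth_userpass_12345678", "alice")],
                             {"totp-default": "dest-secret"}),
        "entity-002": Entity("entity-002",
                             [Alias("alias-b", "auth_userpass_12345678", "alice")]),
        "entity-003": Entity("entity-003",
                             [Alias("alias-c", "auth_ldap_87654321", "alice")],
                             {"totp-default": "src-secret"}),
    }


if __name__ == "__main__":
    ents = sample_entities()
    try:
        merge_entities(ents, "entity-001", ["entity-002", "entity-003"])
    except MergeConflict as exc:
        print("conflicts:", exc.args[0])
    ents = sample_entities()
    merged = merge_entities(ents, "entity-001", ["entity-002", "entity-003"],
                            conflicting_alias_ids_to_keep=["alias-b"], force=True)
    print([a.id for a in merged.aliases], merged.mfa_secrets, sorted(ents))
```

The first call fails and reports both the alias clash on the userpass accessor and the duplicated TOTP secret; only the second call, which names the alias to keep and sets `force`, changes any state. Planning on copies before mutating is what makes the "error containing all the conflicts" behaviour safe: a rejected merge never leaves a half-merged entity behind.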
Must be set to true
GET /v1/identity/entity/name HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "8df8b7f3-4c1a-45b8-b23a-e4c1b61c5f95",
"data": {
"keys": [
"developer-entity",
"admin-entity",
"viewer-entity"
]
}
}
Name of the entity
GET /v1/identity/entity/name/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "d7c78b49-235b-4e3a-b2ef-237bb9a1fe3e",
"data": {
"id": "3dfb7a63-d826-4b8d-97c5-b31fc109e8c5",
"name": "developer-entity",
"metadata": {
"team": "engineering"
},
"policies": [
"default",
"admin"
]
}
}
Name of the entity
If set to true, tokens tied to this identity cannot be used (but are not revoked).
ID of the entity. If set, updates the corresponding existing entity.
Metadata to be associated with the entity. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Policies to be tied to the entity.
POST /v1/identity/entity/name/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 65
{
"metadata": {
"team": "platform"
},
"policies": [
"developer",
"audit"
]
}
{
"data": {
"id": "3dfb7a63-d826-4b8d-97c5-b31fc109e8c5",
"name": "developer-entity",
"metadata": {
"team": "platform"
},
"policies": [
"developer",
"audit"
]
}
}
Name of the entity
DELETE /v1/identity/entity/name/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
ID of the group. If set, updates the corresponding existing group.
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the group.
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'.
POST /v1/identity/group HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 97
{
"name": "dev-team",
"metadata": {
"project": "internal-tools"
},
"policies": [
"read-only",
"dev-access"
]
}
{
"data": {
"id": "c1f90532-f01b-4fcd-8029-8f3ad5a58f6d",
"name": "dev-team",
"metadata": {
"project": "internal-tools"
},
"policies": [
"read-only",
"dev-access"
]
}
}
ID of the group to which this is an alias.
ID of the group alias.
Mount accessor to which this alias belongs.
Alias of the group.
POST /v1/identity/group-alias HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 151
{
"name": "ldap-alias-devs",
"mount_accessor": "ldap_12345678",
"canonical_id": "group-abc123-def456-ghi789",
"custom_metadata": {
"region": "APAC",
"env": "dev"
}
}
{
"data": {
"id": "alias-9876-5432-10ab",
"name": "ldap-alias-devs",
"mount_type": "ldap",
"canonical_id": "group-abc123-def456-ghi789",
"custom_metadata": {
"region": "APAC",
"env": "dev"
}
}
}
Must be set to true
GET /v1/identity/group-alias/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"group_alias_ids": [
"alias1",
"alias2",
"alias3"
]
}
ID of the group alias.
alias123
GET /v1/identity/group-alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"id": "alias123",
"name": "Group Alias Name",
"description": "A description of the group alias."
}
ID of the group alias.
alias123
ID of the group to which this is an alias.
Mount accessor to which this alias belongs.
Alias of the group.
POST /v1/identity/group-alias/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 85
{
"name": "Updated Alias Name",
"description": "Updated description of the group alias."
}
{
"id": "alias123",
"name": "Updated Alias Name",
"description": "Updated description of the group alias."
}
ID of the group alias.
alias123
DELETE /v1/identity/group-alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true
GET /v1/identity/group/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"groups": [
{
"id": "group1"
},
{
"id": "group2"
},
{
"id": "group3"
}
]
}
ID of the group. If set, updates the corresponding existing group.
group123
GET /v1/identity/group/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"id": "group123",
"name": "Admins",
"description": "Administrators group"
}
ID of the group. If set, updates the corresponding existing group.
group123
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the group.
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'.
POST /v1/identity/group/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 74
{
"name": "New Group Name",
"description": "Updated description of the group"
}
{
"id": "group123",
"name": "New Group Name",
"description": "Updated description of the group"
}
ID of the group. If set, updates the corresponding existing group.
group123
DELETE /v1/identity/group/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true
GET /v1/identity/group/name HTTP/1.1
Host: localhost:8200
Accept: */*
{
"groups": [
{
"name": "Admins"
},
{
"name": "Developers"
},
{
"name": "Support"
}
]
}
Name of the group.
Admins
GET /v1/identity/group/name/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "Admins",
"id": "group123",
"description": "Group for admin users"
}
Name of the group.
Admins
ID of the group. If set, updates the corresponding existing group.
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'.
POST /v1/identity/group/name/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 47
{
"description": "Updated group for admin users"
}
{
"name": "Admins",
"id": "group123",
"description": "Updated group for admin users"
}
Name of the group.
Admins
DELETE /v1/identity/group/name/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
ID of the alias.
Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.
Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'.
ID of the entity.
Name of the entity.
POST /v1/identity/lookup/entity HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 20
{
"alias": "john.doe"
}
{
"entities": [
{
"id": "1234",
"alias": "john.doe",
"name": "John Doe",
"metadata": {
"department": "Engineering"
}
}
]
}
ID of the alias.
Accessor of the mount to which the alias belongs. This should be supplied in conjunction with 'alias_name'.
Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'.
ID of the group.
Name of the group.
POST /v1/identity/lookup/group HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"name": "Admins"
}
{
"groups": [
{
"id": "group-123",
"name": "Admins",
"description": "Administrative users group"
}
]
}
Must be set to true
GET /v1/identity/mfa/login-enforcement HTTP/1.1
Host: localhost:8200
Accept: */*
{
"enforcements": [
{
"id": "rule-001",
"name": "Require MFA for admins",
"condition": "role == admin",
"enabled": true
},
{
"id": "rule-002",
"name": "MFA for all users",
"condition": "true",
"enabled": false
}
]
}
Retrieve details of a specific MFA login enforcement rule by name.
Name for this login enforcement configuration
require-admin-mfa
GET /v1/identity/mfa/login-enforcement/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"id": "rule-001",
"name": "require-admin-mfa",
"condition": "role == admin",
"enabled": true
}
Create a new or update an existing MFA login enforcement rule.
Name for this login enforcement configuration
require-admin-mfa
Array of auth mount accessor IDs
Array of auth mount types
Array of identity entity IDs
Array of identity group IDs
Array of Method IDs that determine what methods will be enforced
POST /v1/identity/mfa/login-enforcement/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 71
{
"name": "require-admin-mfa",
"condition": "role == admin",
"enabled": true
}
{
"id": "rule-001",
"name": "require-admin-mfa",
"condition": "role == admin",
"enabled": true
}
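A login enforcement is configured with four match criteria (auth mount accessors, auth mount types, entity IDs, group IDs) and the MFA method IDs it enforces, and group membership elsewhere on this page can be nested (group IDs assigned as members of another group). The following added example, written for this page and not Vault's own code, evaluates which MFA methods a login must satisfy. It assumes that an enforcement applies when any one of its criteria matches and that membership in a group is inherited by the members of its member groups; the `Enforcement` class, the `login` dictionary shape and the sample groups and enforcements are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Enforcement:
    name: str
    mfa_method_ids: list
    auth_method_accessors: list = field(default_factory=list)
    auth_method_types: list = field(default_factory=list)
    identity_entity_ids: list = field(default_factory=list)
    identity_group_ids: list = field(default_factory=list)


def effective_groups(entity_id, groups):
    """All group IDs the entity belongs to, directly or through nested member groups.
    `groups` maps group ID -> {"member_entity_ids": [...], "member_group_ids": [...]}."""
    result = {gid for gid, g in groups.items()
              if entity_id in g.get("member_entity_ids", [])}
    frontier = list(result)
    while frontier:  # walk upwards: a group that lists `child` as a member group contains its entities
        child = frontier.pop()
        for gid, g in groups.items():
            if child in g.get("member_group_ids", []) and gid not in result:
                result.add(gid)
                frontier.append(gid)
    return result


def required_mfa_methods(enforcements, login, groups):
    """`login` has keys entity_id, mount_accessor and mount_type. Returns the sorted
    MFA method IDs from every enforcement whose criteria match this login (assumed OR)."""
    member_of = effective_groups(login["entity_id"], groups)
    required = set()
    for e in enforcements:
        if (login["mount_accessor"] in e.auth_method_accessors
                or login["mount_type"] in e.auth_method_types
                or login["entity_id"] in e.identity_entity_ids
                or member_of & set(e.identity_group_ids)):
            required.update(e.mfa_method_ids)
    return sorted(required)


# Constructed sample data: admins are nested inside all-staff.
GROUPS = {
    "group-admins": {"member_entity_ids": ["entity-001"]},
    "group-all-staff": {"member_group_ids": ["group-admins"],
                        "member_entity_ids": ["entity-002"]},
}
ENFORCEMENTS = [
    Enforcement("require-admin-mfa", ["totp-default"], identity_group_ids=["group-admins"]),
    Enforcement("staff-mfa", ["duo-primary"], identity_group_ids=["group-all-staff"]),
    Enforcement("ldap-logins", ["okta-primary"], auth_method_types=["ldap"]),
]

if __name__ == "__main__":
    for login in ({"entity_id": "entity-001", "mount_accessor": "auth_userpass_12345678",
                   "mount_type": "userpass"},
                  {"entity_id": "entity-002", "mount_accessor": "auth_ldap_87654321",
                   "mount_type": "ldap"}):
        print(login["entity_id"], login["mount_type"],
              required_mfa_methods(ENFORCEMENTS, login, GROUPS))
```

The nested-group walk is the part worth checking in any real deployment: an admin who is only a direct member of `group-admins` still picks up the `staff-mfa` enforcement through `group-all-staff`, so removing an entity from one group does not necessarily remove an enforcement that is attached higher up the tree.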
Remove an existing MFA login enforcement rule identified by its name.
Name for this login enforcement configuration
require-admin-mfa
DELETE /v1/identity/mfa/login-enforcement/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Retrieve a list of all configured Multi-Factor Authentication (MFA) methods in the system.
Must be set to true
GET /v1/identity/mfa/method HTTP/1.1
Host: localhost:8200
Accept: */*
{
"methods": [
{
"name": "totp",
"enabled": true,
"description": "Time-based One-Time Password (TOTP)"
},
{
"name": "webauthn",
"enabled": false,
"description": "WebAuthn biometric authentication"
}
]
}
Retrieve the configuration for the Duo MFA method if it is enabled and configured.
Must be set to true
GET /v1/identity/mfa/method/duo HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method": "duo",
"enabled": true,
"integration_key": "DIXXXXXXXXXXXXXXXXXX",
"api_hostname": "api-XXXXXXXX.duosecurity.com",
"description": "Duo Security multi-factor authentication"
}
The unique identifier for this MFA method.
GET /v1/identity/mfa/method/duo/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method_id": "duo-primary",
"method": "duo",
"enabled": true,
"integration_key": "DIXXXXXXXXXXXXXXXXXX",
"api_hostname": "api-XXXXXXX.duosecurity.com",
"description": "Primary Duo MFA config for admins"
}
The unique identifier for this MFA method.
DELETE /v1/identity/mfa/method/duo/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true
GET /v1/identity/mfa/method/okta HTTP/1.1
Host: localhost:8200
Accept: */*
[
{
"method_id": "okta-primary",
"method": "okta",
"enabled": true,
"okta_domain": "https://dev-123456.okta.com",
"client_id": "0oab4exampleID",
"description": "Primary Okta MFA config"
},
{
"method_id": "okta-secondary",
"method": "okta",
"enabled": false,
"okta_domain": "https://dev-789012.okta.com",
"client_id": "0oab5exampleID",
"description": "Backup Okta configuration"
}
]
The unique identifier for this MFA method.
GET /v1/identity/mfa/method/okta/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method_id": "okta-primary",
"method": "okta",
"enabled": true,
"okta_domain": "https://dev-123456.okta.com",
"client_id": "0oab4exampleID",
"description": "Primary Okta MFA config"
}
The unique identifier for this MFA method.
Okta API key.
The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.
The unique name identifier for this MFA method.
Name of the organization to be used in the Okta API.
If true, the username will only match the primary email for the account. Defaults to false.
(DEPRECATED) Use base_url instead.
A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{entity.name}}@example.com". If blank, the Entity's name field will be used as-is.
POST /v1/identity/mfa/method/okta/{method_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 191
{
"method_id": "okta-primary",
"okta_domain": "https://dev-123456.okta.com",
"client_id": "0oab4exampleID",
"client_secret": "supersecretvalue",
"enabled": true,
"description": "Updated config for Okta"
}
{
"method_id": "okta-primary",
"method": "okta",
"enabled": true,
"okta_domain": "https://dev-123456.okta.com",
"client_id": "0oab4exampleID",
"description": "Updated config for Okta"
}
The unique identifier for this MFA method.
DELETE /v1/identity/mfa/method/okta/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true
GET /v1/identity/mfa/method/pingid HTTP/1.1
Host: localhost:8200
Accept: */*
{
"methods": [
{
"method_id": "pingid-primary",
"method": "pingid",
"enabled": true,
"pingid_environment_id": "abc123",
"description": "Primary PingID method"
},
{
"method_id": "pingid-secondary",
"method": "pingid",
"enabled": false,
"pingid_environment_id": "xyz789",
"description": "Backup PingID method"
}
]
}
The unique identifier for the PingID MFA method configuration.
GET /v1/identity/mfa/method/pingid/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method_id": "pingid-primary",
"method": "pingid",
"enabled": true,
"pingid_environment_id": "env-123",
"description": "Primary PingID configuration"
}
The unique identifier for the PingID MFA method configuration.
The unique name identifier for this MFA method.
The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not the PingID SDK or PingFederate.
A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". Currently-supported mappings: alias.name: the name returned by the mount configured via the mount_accessor parameter. If blank, the Alias's name field will be used as-is.
POST /v1/identity/mfa/method/pingid/{method_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 124
{
"method_id": "pingid-primary",
"pingid_environment_id": "env-123",
"enabled": true,
"description": "Updated PingID configuration"
}
{
"method_id": "pingid-primary",
"method": "pingid",
"enabled": true,
"pingid_environment_id": "env-123",
"description": "Updated PingID configuration"
}
The unique identifier for the PingID MFA method configuration.
DELETE /v1/identity/mfa/method/pingid/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"error": "Not Found",
"message": "No configuration found for method_id: pingid-primary"
}
Must be set to true to list configurations
GET /v1/identity/mfa/method/totp HTTP/1.1
Host: localhost:8200
Accept: */*
[
{
"method_id": "totp-default",
"method": "totp",
"enabled": true,
"issuer": "vault-auth",
"label": "Vault TOTP MFA",
"period": 30,
"digits": 6
}
]
Identifier of the entity from which the MFA method secret needs to be removed.
The unique identifier for this MFA method.
POST /v1/identity/mfa/method/totp/admin-destroy HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 79
{
"method_id": "totp-default",
"entity_id": "f398b240-ef4e-4b4a-a1ce-6be5f0e25d52"
}
{
"success": true,
"message": "TOTP secret destroyed for entity f398b240-ef4e-4b4a-a1ce-6be5f0e25d52"
}
Entity ID on which the generated secret needs to get stored.
The unique identifier for this MFA method.
POST /v1/identity/mfa/method/totp/admin-generate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 79
{
"method_id": "totp-primary",
"entity_id": "ee2bb4a2-cc30-4e55-a2b6-7cb8dc0ed1f4"
}
{
"success": true,
"message": "TOTP secret generated",
"totp_url": "otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example"
}
The unique identifier for this MFA method.
POST /v1/identity/mfa/method/totp/generate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 79
{
"method_id": "totp-primary",
"entity_id": "2e7b8a42-78fc-43d1-bf04-4fcf8c2c3d61"
}
{
"success": true,
"message": "TOTP secret generated",
"totp_url": "otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example"
}
The unique identifier for this TOTP MFA method.
GET /v1/identity/mfa/method/totp/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method_id": "totp-123",
"issuer": "MyCompany",
"label": "[email protected]",
"algorithm": "SHA1",
"digits": 6,
"period": 30
}
The unique identifier for this TOTP MFA method.
The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.
SHA1
The number of digits in the generated TOTP token. This value can either be 6 or 8.
6
The name of the key's issuing organization.
Determines the size in bytes of the generated key.
20
Max number of allowed validation attempts.
The unique name identifier for this MFA method.
The length of time used to generate a counter for the TOTP token calculation.
30
The pixel size of the generated square QR code.
200
The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.
1
POST /v1/identity/mfa/method/totp/{method_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 91
{
"issuer": "MyCompany",
"label": "[email protected]",
"algorithm": "SHA1",
"digits": 6,
"period": 30
}
{
"method_id": "totp-123",
"issuer": "MyCompany",
"label": "[email protected]",
"algorithm": "SHA1",
"digits": 6,
"period": 30
}
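The TOTP method parameters listed above (algorithm SHA1/SHA256/SHA512, 6 or 8 digits, period, skew of 0 or 1 delay periods, a maximum number of validation attempts) map directly onto RFC 4226 HOTP and RFC 6238 TOTP. The following added example, written for this page rather than taken from Vault, implements the generation and validation side so the effect of each parameter can be observed; it is checked against the RFC 6238 reference vectors. The `TotpValidator` lockout behaviour (refusing all codes once the attempt budget is exhausted) and the treatment of skew as a window on both sides of the current period are assumptions of this example, not statements about Vault.

```python
import hashlib
import hmac
import struct
import time

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    if algorithm not in ALGORITHMS:
        raise ValueError("algorithm must be one of SHA1, SHA256, SHA512")
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at, algorithm="SHA1", digits=6, period=30) -> str:
    """RFC 6238 TOTP: the counter is the number of whole `period`s since the Unix epoch."""
    return hotp(secret, int(at) // period, algorithm, digits)


def verify_totp(secret, code, at, algorithm="SHA1", digits=6, period=30, skew=1) -> bool:
    """Accept the code for the current period and up to `skew` adjacent periods
    (assumed symmetric window). Comparison is constant-time."""
    if skew not in (0, 1):
        raise ValueError("skew must be 0 or 1")
    counter = int(at) // period
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, algorithm, digits), str(code)):
            return True
    return False


class TotpValidator:
    """verify_totp plus an attempt budget; lockout semantics are assumed for this example."""

    def __init__(self, secret, max_validation_attempts=5, **params):
        self.secret, self.params = secret, params
        self.max_validation_attempts = max_validation_attempts
        self.failed = 0

    def validate(self, code, at=None) -> bool:
        if self.failed >= self.max_validation_attempts:
            return False  # budget exhausted: refuse even a correct code
        ok = verify_totp(self.secret, code, time.time() if at is None else at, **self.params)
        self.failed = 0 if ok else self.failed + 1
        return ok


# RFC 6238 Appendix B reference secrets: ASCII "1234567890..." sized to the hash length.
RFC_SECRETS = {
    "SHA1": b"12345678901234567890",
    "SHA256": b"12345678901234567890123456789012",
    "SHA512": b"1234567890123456789012345678901234567890123456789012345678901234",
}

if __name__ == "__main__":
    for alg, secret in RFC_SECRETS.items():
        print(alg, "T=59 ->", totp(secret, 59, alg, digits=8))
```

Two details matter operationally. A skew of 1 accepts a code from the neighbouring period, so a 30-second period with skew 1 means a code stays valid for up to 90 seconds, and the attempt budget is what bounds online guessing of a 6-digit code within that window.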
The unique identifier for this TOTP MFA method.
DELETE /v1/identity/mfa/method/totp/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The unique identifier for this MFA method.
GET /v1/identity/mfa/method/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method_id": "totp-456",
"type": "totp",
"config": {
"issuer": "ExampleCorp",
"label": "[email protected]",
"digits": 6,
"period": 30
}
}
GET /v1/identity/oidc/.well-known/keys HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
{
"kid": "abc123",
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"n": "oahUIzTYT7zK2A1eYAvay89R7hFvKVOw...",
"e": "AQAB"
}
]
}
GET /v1/identity/oidc/.well-known/openid-configuration HTTP/1.1
Host: localhost:8200
Accept: */*
{
"issuer": "https://example.com/v1/identity/oidc",
"authorization_endpoint": "https://example.com/v1/identity/oidc/auth",
"token_endpoint": "https://example.com/v1/identity/oidc/token",
"userinfo_endpoint": "https://example.com/v1/identity/oidc/userinfo",
"jwks_uri": "https://example.com/v1/identity/oidc/.well-known/keys",
"response_types_supported": [
"code",
"id_token",
"token id_token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic"
],
"claims_supported": [
"sub",
"email",
"name"
]
}
Must be set to true to trigger the listing functionality
GET /v1/identity/oidc/assignment HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"assignment-role-1",
"assignment-role-2",
"assignment-role-3"
]
}
Name of the OIDC assignment
GET /v1/identity/oidc/assignment/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "assignment-role-1",
"entity_id": "1234-5678",
"role": "oidc-role-1"
}
Name of the OIDC assignment
Comma separated string or array of identity entity IDs
Comma separated string or array of identity group IDs
POST /v1/identity/oidc/assignment/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 73
{
"name": "assignment-role-1",
"entity_id": "1234-5678",
"role": "oidc-role-1"
}
{
"success": true,
"message": "Assignment created successfully."
}
Name of the OIDC assignment
DELETE /v1/identity/oidc/assignment/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true
GET /v1/identity/oidc/client HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"client-one",
"client-two"
]
}
Name of the client.
GET /v1/identity/oidc/client/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"client_id": "example-client",
"redirect_uris": [
"https://app.example.com/callback"
],
"grant_types": [
"authorization_code"
],
"response_types": [
"code"
],
"client_secret": "s3cret"
}
Name of the client.
The time-to-live for access tokens obtained by the client.
24h
Comma separated string or array of assignment resources.
The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: 'confidential', 'public'. Defaults to 'confidential'.
confidential
The time-to-live for ID tokens obtained by the client.
24h
A reference to a named key resource. Cannot be modified after creation. Defaults to the 'default' key.
default
Comma separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request.
POST /v1/identity/oidc/client/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 176
{
"client_id": "example-client",
"redirect_uris": [
"https://app.example.com/callback"
],
"grant_types": [
"authorization_code"
],
"response_types": [
"code"
],
"client_secret": "supersecret"
}
{
"success": true,
"message": "Client created."
}
Name of the client.
DELETE /v1/identity/oidc/client/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
GET /v1/identity/oidc/config HTTP/1.1
Host: localhost:8200
Accept: */*
{
"issuer": "https://auth.example.com",
"client_id": "example-client",
"client_secret": "supersecret",
"scopes_supported": [
"openid",
"email"
]
}
Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used.
POST /v1/identity/oidc/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 134
{
"issuer": "https://auth.example.com",
"client_id": "example-client",
"client_secret": "supersecret",
"scopes_supported": [
"openid",
"email"
]
}
{
"success": true,
"message": "OIDC configuration updated successfully."
}
Optional client_id to verify
Token to verify
POST /v1/identity/oidc/introspect HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 51
{
"token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}
{
"active": true,
"sub": "1234567890",
"scope": "openid email",
"exp": 1713569920,
"iat": 1713566320,
"iss": "https://auth.example.com"
}
Must be set to true
GET /v1/identity/oidc/key HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
{
"name": "default",
"type": "rsa",
"algorithm": "RS256",
"creation_time": "2024-01-01T12:00:00Z"
}
]
}
Name of the key
default
GET /v1/identity/oidc/key/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "default",
"type": "rsa",
"algorithm": "RS256",
"creation_time": "2024-01-01T12:00:00Z"
}
Name of the key
default
Signing algorithm to use. This will default to RS256.
RS256
Comma separated string or array of role client IDs allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed.
How often to generate a new keypair.
24h
Controls how long the public portion of a key will be available for verification after being rotated.
24h
POST /v1/identity/oidc/key/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 68
{
"type": "rsa",
"algorithm": "RS256",
"allowed_client_ids": [
"client-1"
]
}
{
"name": "default",
"success": true
}
Name of the key
default
DELETE /v1/identity/oidc/key/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Name of the key
default-key
Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.
POST /v1/identity/oidc/key/{name}/rotate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 38
{
"key_type": "rsa",
"algorithm": "RS256"
}
{
"name": "default-key",
"rotated": true,
"creation_time": "2025-04-20T12:00:00Z"
}
Must be set to true
true
Filters the list of OIDC providers to those that allow the given client ID in their set of allowed_client_ids.
""
Example: my-client-id
GET /v1/identity/oidc/provider HTTP/1.1
Host: localhost:8200
Accept: */*
{
"providers": [
{
"name": "provider-1",
"issuer": "https://provider-1.example.com",
"allowed_client_ids": [
"my-client-id",
"admin-client"
]
},
{
"name": "provider-2",
"issuer": "https://provider-2.example.com",
"allowed_client_ids": [
"my-client-id"
]
}
]
}
Name of the provider
my-oidc-provider
GET /v1/identity/oidc/provider/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "my-oidc-provider",
"issuer": "https://issuer.example.com",
"client_id": "client-123",
"client_secret": "secret-value"
}
Name of the provider
my-oidc-provider
The client IDs that are permitted to use the provider
Specifies what will be used for the iss claim of ID tokens.
The scopes supported for requesting on the provider
POST /v1/identity/oidc/provider/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 144
{
"issuer": "https://issuer.example.com",
"client_id": "client-123",
"client_secret": "secret-value",
"allowed_client_ids": [
"client-123",
"client-abc"
]
}
{
"name": "my-oidc-provider",
"issuer": "https://issuer.example.com",
"client_id": "client-123",
"client_secret": "secret-value"
}
Name of the provider
my-oidc-provider
DELETE /v1/identity/oidc/provider/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Name of the OIDC provider
my-oidc-provider
GET /v1/identity/oidc/provider/{name}/.well-known/keys HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
{
"kty": "RSA",
"kid": "1234abcd",
"use": "sig",
"alg": "RS256",
"n": "0vx7agoebGc...",
"e": "AQAB"
}
]
}
Name of the OIDC provider
my-oidc-provider
GET /v1/identity/oidc/provider/{name}/.well-known/openid-configuration HTTP/1.1
Host: localhost:8200
Accept: */*
{
"issuer": "https://vault.example.com/v1/identity/oidc/provider/my-oidc-provider",
"authorization_endpoint": "https://vault.example.com/v1/identity/oidc/provider/my-oidc-provider/authorize",
"token_endpoint": "https://vault.example.com/v1/identity/oidc/provider/my-oidc-provider/token",
"jwks_uri": "https://vault.example.com/v1/identity/oidc/provider/my-oidc-provider/.well-known/keys",
"response_types_supported": [
"code"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
]
}
Name of the OIDC provider
example-provider
OAuth 2.0 response type
code
Client identifier
my-client-id
Callback URI after successful authorization
https://example.com/callback
Requested scopes
openid profile email
Client state to be returned after auth
abc123
GET /v1/identity/oidc/provider/{name}/authorize HTTP/1.1
Host: localhost:8200
Accept: */*
{
"redirect_to": "https://example.com/consent"
}
Name of the OIDC provider
example-provider
The ID of the requesting client.
The code challenge derived from the code verifier.
The method that was used to derive the code challenge. The following methods are supported: 'S256', 'plain'. Defaults to 'plain'.
plain
The allowable elapsed time in seconds since the last time the end-user was actively authenticated.
The value that will be returned in the ID token nonce claim after a token exchange.
The redirection URI to which the response will be sent.
The OIDC authentication flow to be used. The following response types are supported: 'code'.
A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required.
The value used to maintain state between the authentication request and client.
POST /v1/identity/oidc/provider/{name}/authorize HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 145
{
"response_type": "code",
"client_id": "my-client-id",
"redirect_uri": "https://example.com/callback",
"scope": "openid email profile",
"state": "xyz789"
}
{
"redirect_to": "https://example.com/consent"
}
Name of the provider
example-provider
The ID of the requesting client.
The secret of the requesting client.
The authorization code received from the provider's authorization endpoint.
The code verifier associated with the authorization code.
The authorization grant type. The following grant types are supported: 'authorization_code'.
The callback location where the authentication response was sent.
POST /v1/identity/oidc/provider/{name}/token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 159
{
"grant_type": "authorization_code",
"code": "abc123",
"redirect_uri": "https://example.com/callback",
"client_id": "my-client-id",
"client_secret": "my-client-secret"
}
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "def456"
}
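The code_challenge / code_challenge_method parameters on the authorize endpoint and the code_verifier parameter on the token endpoint together form PKCE (RFC 7636). The following is an added example, not code from the Vault documentation or from Vault itself: it derives a challenge the way a client would and recomputes it the way a provider does when redeeming the code, using the RFC 7636 Appendix B test vector; the function names are ours and the verification is a generic model of the token-endpoint check, not Vault's implementation.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Characters RFC 7636 section 4.1 allows in a code_verifier.
_UNRESERVED = string.ascii_letters + string.digits + "-._~"


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(length: int = 64) -> str:
    """Client side: a random verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def make_code_challenge(verifier: str, method: str = "S256") -> str:
    """Client side: derive the code_challenge sent with the authorize request."""
    if method == "S256":
        return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # 'plain' sends the verifier itself in the authorization request, so
        # anyone who observes that request can redeem the code. The endpoint
        # above defaults to 'plain'; clients should request S256 explicitly.
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def verify_code_verifier(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    """Provider side, at the token endpoint: recompute the challenge from the
    presented code_verifier and compare it with the one bound to the code."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if any(c not in _UNRESERVED for c in presented_verifier):
        return False
    try:
        expected = make_code_challenge(presented_verifier, stored_method)
    except ValueError:
        return False
    # Constant-time comparison so a mismatch does not leak matching prefixes.
    return hmac.compare_digest(expected, stored_challenge)
```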
Name of the provider
example-provider
GET /v1/identity/oidc/provider/{name}/userinfo HTTP/1.1
Host: localhost:8200
Accept: */*
{
"sub": "1234567890",
"name": "Jane Doe",
"email": "[email protected]"
}
Name of the provider
example-provider
POST /v1/identity/oidc/provider/{name}/userinfo HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 58
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}
{
"sub": "1234567890",
"name": "Jane Doe",
"email": "[email protected]"
}
Must be set to 'true' to list configured roles
true
GET /v1/identity/oidc/role HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"example-role-1",
"example-role-2"
]
}
Name of the role
developer-role
GET /v1/identity/oidc/role/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "developer-role",
"user_claim": "sub",
"bound_audiences": [
"my-client"
],
"allowed_redirect_uris": [
"https://example.com/callback"
],
"ttl": "1h"
}
Name of the role
developer-role
Optional client_id
The OIDC key to use for generating tokens. The specified key must already exist.
The template string to use for generating tokens. This may be in string-ified JSON or base64 format.
TTL of the tokens generated against the role.
24h
POST /v1/identity/oidc/role/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 144
{
"name": "developer-role",
"user_claim": "sub",
"bound_audiences": [
"my-client"
],
"allowed_redirect_uris": [
"https://example.com/callback"
],
"ttl": "1h"
}
{
"success": true,
"data": {
"name": "developer-role"
}
}
Name of the role
developer-role
DELETE /v1/identity/oidc/role/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to 'true' to list configured scopes
true
GET /v1/identity/oidc/scope HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"read-only",
"admin"
]
}
Name of the scope
read-only
GET /v1/identity/oidc/scope/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "read-only",
"description": "Read-only access scope",
"claims": [
"sub",
"email"
]
}
Name of the scope
read-only
The description of the scope
The template string to use for the scope. This may be in string-ified JSON or base64 format.
POST /v1/identity/oidc/scope/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 84
{
"name": "read-only",
"description": "Read-only access scope",
"claims": [
"sub",
"email"
]
}
{
"name": "read-only",
"description": "Read-only access scope",
"claims": [
"sub",
"email"
]
}
Name of the scope
read-only
DELETE /v1/identity/oidc/scope/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Name of the role
developer-role
GET /v1/identity/oidc/token/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "openid profile email"
}
Entity ID to which this persona belongs
ID of the persona
Metadata to be associated with the persona. In the CLI, this parameter can be repeated multiple times, and all values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Mount accessor to which this persona belongs
Name of the persona
POST /v1/identity/persona HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 82
{
"name": "john.doe",
"metadata": {
"department": "Engineering",
"location": "Hyderabad"
}
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"name": "john.doe",
"metadata": {
"department": "Engineering",
"location": "Hyderabad"
}
}
Must be set to 'true' to list all alias IDs
true
GET /v1/identity/persona/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"ids": [
"123e4567-e89b-12d3-a456-426614174000",
"987f6543-e21b-34d3-b456-426614174999"
]
}
ID of the persona
123e4567-e89b-12d3-a456-426614174000
GET /v1/identity/persona/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"name": "john.doe",
"metadata": {
"department": "Engineering",
"location": "Hyderabad"
}
}
ID of the persona
123e4567-e89b-12d3-a456-426614174000
Entity ID to which this persona should be tied
Metadata to be associated with the persona. In the CLI, this parameter can be repeated multiple times, and all values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Mount accessor to which this persona belongs
Name of the persona
POST /v1/identity/persona/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 56
{
"metadata": {
"department": "Security",
"location": "Pune"
}
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"name": "john.doe",
"metadata": {
"department": "Security",
"location": "Pune"
}
}
ID of the persona
123e4567-e89b-12d3-a456-426614174000
DELETE /v1/identity/persona/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content