Identity
Name of the alias.
Entity ID the alias should be associated with.
Accessor of the mount that the alias belongs to.
Alias successfully created.
Invalid request payload.
Insufficient permissions to create alias.
Internal server error.
POST /v1/identity/alias HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 172
{
"name": "web-entity-alias",
"canonical_id": "f8caa34f-5914-5a27-13b3-1be6bdf562b9",
"mount_accessor": "auth_userpass_12345678",
"custom_metadata": {
"team": "dev",
"location": "IN"
}
}
{
"data": {
"id": "bda7a8b6-dbe9-4622-3a34-8904589d3a17",
"name": "web-entity-alias",
"mount_type": "userpass",
"canonical_id": "f8caa34f-5914-5a27-13b3-1be6bdf562b9",
"custom_metadata": {
"team": "dev",
"location": "IN"
}
}
}
Must be set to true
Successfully listed alias IDs
Bad request – missing or incorrect query param.
Internal server error.
GET /v1/identity/alias/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "f31e1be4-bae6-8709-b173-69c2e7846211",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"keys": [
"bda7a8b6-dbe9-4622-3a34-8904589d3a17",
"cbe1d3af-d9cd-43b9-9e29-54a17dc830d9"
]
},
"wrap_info": null,
"warnings": null,
"auth": null
}
ID of the alias
Alias details retrieved successfully.
Invalid alias ID or malformed request.
Permission denied to read alias.
Internal server error.
GET /v1/identity/alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "a3d8e7f2-25be-abc1-3cd4-84792cbbd9f5",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"id": "bda7a8b6-dbe9-4622-3a34-8904589d3a17",
"name": "my-alias",
"mount_type": "userpass",
"canonical_id": "abcd1234-ef56-7890-ghij-klmnopqrstuv",
"custom_metadata": {}
},
"wrap_info": null,
"warnings": null,
"auth": null
}
ID of the alias
Entity ID to which this alias should be tied.
Entity ID to which this alias should be tied. This field is deprecated in favor of 'canonical_id'.
Mount accessor to which this alias belongs.
Name of the alias
Alias updated successfully.
Malformed request or missing fields.
Not authorized to update alias.
Internal server error during update.
POST /v1/identity/alias/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 170
{
"name": "my-updated-alias",
"mount_accessor": "auth_userpass_12345678",
"canonical_id": "abcd1234-ef56-7890-ghij-klmnopqrstuv",
"custom_metadata": {
"department": "engineering"
}
}
{
"data": {
"id": "bda7a8b6-dbe9-4622-3a34-8904589d3a17",
"name": "my-updated-alias",
"mount_type": "userpass",
"canonical_id": "abcd1234-ef56-7890-ghij-klmnopqrstuv",
"custom_metadata": {
"department": "engineering"
}
}
}
ID of the alias
Alias deleted successfully. No content is returned.
Invalid alias ID.
Not authorized to delete alias.
Internal error during deletion.
DELETE /v1/identity/alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
If set to true, tokens tied to this identity cannot be used (but are not revoked).
ID of the entity. If set, updates the corresponding existing entity.
Metadata to be associated with the entity. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the entity
Policies to be tied to the entity.
Entity created successfully.
Invalid request payload.
Insufficient permissions to create entity.
Internal server error.
POST /v1/identity/entity HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 110
{
"name": "web-user-entity",
"metadata": {
"team": "devops",
"location": "us-west"
},
"policies": [
"default",
"dev-team"
]
}
{
"data": {
"id": "a1234567-b890-4def-8123-abcdef123456",
"name": "web-user-entity",
"metadata": {
"team": "devops",
"location": "us-west"
},
"policies": [
"default",
"dev-team"
]
}
}
Entity ID to which this alias belongs
User provided key-value pairs
Entity ID to which this alias belongs. This field is deprecated; use canonical_id.
ID of the entity alias. If set, updates the corresponding entity alias.
Mount accessor to which this alias belongs; unused when modifying an existing alias.
Name of the alias; unused when modifying an existing alias.
Alias successfully created.
Invalid request payload.
Insufficient permissions to create alias.
Internal server error.
POST /v1/identity/entity-alias HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 182
{
"name": "login-alias-web",
"canonical_id": "ef42e3d6-8121-4211-b7f4-123456789abc",
"mount_accessor": "auth_userpass_a1b2c3d4",
"custom_metadata": {
"environment": "prod",
"region": "eu-west"
}
}
{
"data": {
"id": "12e458c2-6df4-44b3-bbea-928a1e0073b5",
"name": "login-alias-web",
"mount_type": "userpass",
"canonical_id": "ef42e3d6-8121-4211-b7f4-123456789abc",
"custom_metadata": {
"environment": "prod",
"region": "eu-west"
}
}
}
Must be set to true
Successfully listed alias IDs.
Bad request – missing or incorrect query param.
Insufficient permissions to list aliases.
Internal server error.
GET /v1/identity/entity-alias/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "a11b22c3-d4ef-5678-9abc-000000000000",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": {
"keys": [
"bda7a8b6-dbe9-4622-3a34-8904589d3a17",
"cbe1d3af-d9cd-43b9-9e29-54a17dc830d9"
]
},
"wrap_info": null,
"warnings": null,
"auth": null
}
ID of the alias
Alias details retrieved successfully.
Invalid alias ID
Permission denied
Internal server error
GET /v1/identity/entity-alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "1234abcd-ef56-7890-gh12-ijklmnopqrst",
"data": {
"id": "a1b2c3d4-e5f6-7890-abcd-1234567890ef",
"name": "my-entity-alias",
"mount_type": "userpass",
"canonical_id": "canonical-123",
"custom_metadata": {
"role": "devops"
}
}
}
ID of the alias
Entity ID to which this alias should be tied.
User provided key-value pairs
Entity ID to which this alias belongs. This field is deprecated; use canonical_id.
(Unused)
(Unused)
Alias updated successfully.
Invalid request payload
Unauthorized to update alias
Server error
POST /v1/identity/entity-alias/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 143
{
"name": "updated-alias-name",
"mount_accessor": "auth_userpass_98765432",
"canonical_id": "canonical-123",
"custom_metadata": {
"team": "engineering"
}
}
{
"data": {
"id": "a1b2c3d4-e5f6-7890-abcd-1234567890ef",
"name": "updated-alias-name",
"mount_type": "userpass",
"canonical_id": "canonical-123",
"custom_metadata": {
"team": "engineering"
}
}
}
ID of the alias
Alias deleted successfully. No content returned.
Invalid alias ID
Unauthorized to delete alias
Server error
DELETE /v1/identity/entity-alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Entity IDs to delete
Entities deleted successfully.
Bad request due to invalid input.
Permission denied.
Server error.
POST /v1/identity/entity/batch-delete HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 55
{
"entity_ids": [
"entity-123",
"entity-456",
"entity-789"
]
}
{
"request_id": "1234abcd-ef56-7890-gh12-ijklmnopqrst",
"deleted_ids": [
"entity-123",
"entity-456",
"entity-789"
],
"errors": []
}
Must be set to true. Possible values: true
Successfully retrieved the list of entity IDs.
Invalid or missing query parameter.
Access denied due to insufficient permissions.
Server encountered an unexpected condition.
GET /v1/identity/entity/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "d34db33f-b6e1-4ea7-8180-9827e9f8e5ac",
"data": {
"keys": [
"entity-123",
"entity-456",
"entity-789"
]
}
}
ID of the entity. If set, updates the corresponding existing entity.
Entity details retrieved successfully.
Invalid request.
Forbidden. You don’t have permission to perform this action.
Internal server error.
GET /v1/identity/entity/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "dd1f7b72-05d4-4234-b8e5-cb61e2dfb942",
"data": {
"id": "a1b2c3d4",
"name": "developer-entity",
"metadata": {
"department": "engineering"
}
}
}
ID of the entity. If set, updates the corresponding existing entity.
If set to true, tokens tied to this identity cannot be used (but are not revoked).
Metadata to be associated with the entity. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the entity
Policies to be tied to the entity.
Entity updated successfully.
Invalid request body.
Unauthorized request.
Internal server error.
POST /v1/identity/entity/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 53
{
"name": "updated-entity",
"metadata": {
"role": "admin"
}
}
{
"data": {
"id": "a1b2c3d4",
"name": "updated-entity",
"metadata": {
"role": "admin"
}
}
}
ID of the entity. If set, updates the corresponding existing entity.
Entity deleted successfully. No content is returned.
Invalid entity ID.
Access denied.
Server error during deletion.
DELETE /v1/identity/entity/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Alias IDs to keep in case of conflicting aliases. Ignored if no conflicting aliases are found.
Setting this selects the 'mine' strategy for merging MFA secrets: if both a merged-from entity and the destination entity hold secrets of the same type, the secrets in the destination are left unaltered. If not set, this API returns an error listing all the conflicts.
Entity IDs which need to get merged
Entity ID into which all the other entities need to get merged
Entities merged successfully.
Invalid merge request.
Access denied.
Internal server error.
POST /v1/identity/entity/merge HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 125
{
"primary_entity_id": "entity-001",
"secondary_entity_ids": [
"entity-002",
"entity-003"
],
"metadata": {
"source": "admin-initiated"
}
}
{
"request_id": "78e1b3f6-482b-47f6-90a1-c5b6dc94d9f1",
"data": {
"id": "entity-001",
"merged_from": [
"entity-002",
"entity-003"
],
"metadata": {
"source": "admin-initiated"
}
}
}
Must be set to true. Possible values: true
A list of entity names was successfully retrieved.
Bad request due to missing or invalid query parameter.
Forbidden. The user does not have permission to access this resource.
Internal server error occurred while processing the request.
GET /v1/identity/entity/name HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "8df8b7f3-4c1a-45b8-b23a-e4c1b61c5f95",
"data": {
"keys": [
"developer-entity",
"admin-entity",
"viewer-entity"
]
}
}
Name of the entity
Entity retrieved successfully.
Bad request due to invalid input.
Forbidden. Access denied.
Internal server error.
GET /v1/identity/entity/name/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"request_id": "d7c78b49-235b-4e3a-b2ef-237bb9a1fe3e",
"data": {
"id": "3dfb7a63-d826-4b8d-97c5-b31fc109e8c5",
"name": "developer-entity",
"metadata": {
"team": "engineering"
},
"policies": [
"default",
"admin"
]
}
}
Name of the entity
If set to true, tokens tied to this identity cannot be used (but are not revoked).
ID of the entity. If set, updates the corresponding existing entity.
Metadata to be associated with the entity. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Policies to be tied to the entity.
Entity updated successfully.
Invalid request data.
Unauthorized request.
Server error occurred.
POST /v1/identity/entity/name/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 65
{
"metadata": {
"team": "platform"
},
"policies": [
"developer",
"audit"
]
}
{
"data": {
"id": "3dfb7a63-d826-4b8d-97c5-b31fc109e8c5",
"name": "developer-entity",
"metadata": {
"team": "platform"
},
"policies": [
"developer",
"audit"
]
}
}
Name of the entity
Entity deleted successfully. No content returned.
Bad request.
Forbidden.
Internal error.
DELETE /v1/identity/entity/name/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
ID of the group. If set, updates the corresponding existing group.
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the group.
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'.
Group created successfully.
Bad request due to missing or invalid fields.
Forbidden. You do not have permission to create a group.
Internal server error.
POST /v1/identity/group HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 97
{
"name": "dev-team",
"metadata": {
"project": "internal-tools"
},
"policies": [
"read-only",
"dev-access"
]
}
{
"data": {
"id": "c1f90532-f01b-4fcd-8029-8f3ad5a58f6d",
"name": "dev-team",
"metadata": {
"project": "internal-tools"
},
"policies": [
"read-only",
"dev-access"
]
}
}
ID of the group to which this is an alias.
ID of the group alias.
Mount accessor to which this alias belongs.
Alias of the group.
Group alias created or updated successfully.
Bad request due to missing or invalid fields.
Forbidden. You do not have permission to create or update a group alias.
Internal server error.
POST /v1/identity/group-alias HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 151
{
"name": "ldap-alias-devs",
"mount_accessor": "ldap_12345678",
"canonical_id": "group-abc123-def456-ghi789",
"custom_metadata": {
"region": "APAC",
"env": "dev"
}
}
{
"data": {
"id": "alias-9876-5432-10ab",
"name": "ldap-alias-devs",
"mount_type": "ldap",
"canonical_id": "group-abc123-def456-ghi789",
"custom_metadata": {
"region": "APAC",
"env": "dev"
}
}
}
Must be set to true. Possible values: true
OK
Bad Request - The request is malformed or invalid.
Forbidden - The user does not have permission to access the resource.
Internal Server Error - An error occurred on the server.
GET /v1/identity/group-alias/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"group_alias_ids": [
"alias1",
"alias2",
"alias3"
]
}
ID of the group alias. Example: alias123
OK
Bad Request - Invalid alias ID.
Forbidden - Access to the alias is not allowed.
Internal Server Error
GET /v1/identity/group-alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"id": "alias123",
"name": "Group Alias Name",
"description": "A description of the group alias."
}
ID of the group alias. Example: alias123
ID of the group to which this is an alias.
Mount accessor to which this alias belongs.
Alias of the group.
OK
Bad Request - Invalid input data.
Forbidden - User lacks permission to update alias.
Internal Server Error
POST /v1/identity/group-alias/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 85
{
"name": "Updated Alias Name",
"description": "Updated description of the group alias."
}
{
"id": "alias123",
"name": "Updated Alias Name",
"description": "Updated description of the group alias."
}
ID of the group alias. Example: alias123
No content - The alias was successfully deleted.
Bad Request - Invalid alias ID format.
Forbidden - Insufficient permissions to delete the alias.
Internal Server Error
DELETE /v1/identity/group-alias/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true. Possible values: true
List of group IDs retrieved successfully.
Bad Request - Missing or invalid query parameter.
Forbidden - You are not authorized to list group IDs.
Internal Server Error - Unexpected failure while retrieving groups.
GET /v1/identity/group/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"groups": [
{
"id": "group1"
},
{
"id": "group2"
},
{
"id": "group3"
}
]
}
ID of the group. If set, updates the corresponding existing group. Example: group123
Group retrieved successfully.
Bad Request - Invalid ID format.
Forbidden - Access denied to group.
Internal Server Error
GET /v1/identity/group/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"id": "group123",
"name": "Admins",
"description": "Administrators group"
}
ID of the group. If set, updates the corresponding existing group. Example: group123
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Name of the group.
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'.
Group updated successfully.
Bad Request - Invalid input data.
Forbidden - Not authorized to update group.
Internal Server Error
POST /v1/identity/group/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 74
{
"name": "New Group Name",
"description": "Updated description of the group"
}
{
"id": "group123",
"name": "New Group Name",
"description": "Updated description of the group"
}
ID of the group. If set, updates the corresponding existing group. Example: group123
No content - The group was deleted successfully.
Bad Request - Invalid group ID.
Forbidden - Not authorized to delete group.
Internal Server Error
DELETE /v1/identity/group/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true. Possible values: true
Successfully retrieved list of group names.
Bad Request - Missing or invalid query parameter.
Forbidden - Access denied to list group names.
Internal Server Error - Unexpected failure.
GET /v1/identity/group/name HTTP/1.1
Host: localhost:8200
Accept: */*
{
"groups": [
{
"name": "Admins"
},
{
"name": "Developers"
},
{
"name": "Support"
}
]
}
Name of the group. Example: Admins
Group retrieved successfully.
Bad Request - Invalid group name.
Forbidden - You are not authorized to access this group.
Internal Server Error - Failed to retrieve group.
GET /v1/identity/group/name/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "Admins",
"id": "group123",
"description": "Group for admin users"
}
Name of the group. Example: Admins
ID of the group. If set, updates the corresponding existing group.
Entity IDs to be assigned as group members.
Group IDs to be assigned as group members.
Metadata to be associated with the group. In the CLI, this parameter can be repeated and the values are merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Policies to be tied to the group.
Type of the group, 'internal' or 'external'. Defaults to 'internal'.
Group updated successfully.
Bad Request - Invalid input.
Forbidden - You are not authorized to update this group.
Internal Server Error - Failed to update group.
POST /v1/identity/group/name/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 47
{
"description": "Updated group for admin users"
}
{
"name": "Admins",
"id": "group123",
"description": "Updated group for admin users"
}
Name of the group. Example: Admins
No content - The group was deleted successfully.
Bad Request - Invalid group name.
Forbidden - You are not authorized to delete this group.
Internal Server Error - Failed to delete group.
DELETE /v1/identity/group/name/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
ID of the alias.
Accessor of the mount to which the alias belongs. This must be supplied together with 'alias_name'.
Name of the alias. This must be supplied together with 'alias_mount_accessor'.
ID of the entity.
Name of the entity.
Matching entities retrieved successfully.
Bad Request - Invalid input format.
Forbidden - You do not have permission to perform this lookup.
Internal Server Error - Unexpected failure during lookup.
POST /v1/identity/lookup/entity HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 20
{
"alias": "john.doe"
}
{
"entities": [
{
"id": "1234",
"alias": "john.doe",
"name": "John Doe",
"metadata": {
"department": "Engineering"
}
}
]
}
ID of the alias.
Accessor of the mount to which the alias belongs. This must be supplied together with 'alias_name'.
Name of the alias. This must be supplied together with 'alias_mount_accessor'.
ID of the group.
Name of the group.
Matching groups retrieved successfully.
Bad Request - Invalid or missing lookup parameter.
Forbidden - You are not authorized to perform this operation.
Internal Server Error - Lookup operation failed.
POST /v1/identity/lookup/group HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"name": "Admins"
}
{
"groups": [
{
"id": "group-123",
"name": "Admins",
"description": "Administrative users group"
}
]
}
Must be set to true. Possible values: true
MFA login enforcements retrieved successfully.
Bad Request - Invalid query parameters.
Forbidden - You are not authorized to view this information.
Internal Server Error - Unable to retrieve enforcement list.
GET /v1/identity/mfa/login-enforcement HTTP/1.1
Host: localhost:8200
Accept: */*
{
"enforcements": [
{
"id": "rule-001",
"name": "Require MFA for admins",
"condition": "role == admin",
"enabled": true
},
{
"id": "rule-002",
"name": "MFA for all users",
"condition": "true",
"enabled": false
}
]
}
Retrieve details of a specific MFA login enforcement rule by name.
Name for this login enforcement configuration. Example: require-admin-mfa
Login enforcement rule retrieved successfully.
Bad Request - Invalid rule name.
Forbidden - Not authorized to access the rule.
Internal Server Error
GET /v1/identity/mfa/login-enforcement/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"id": "rule-001",
"name": "require-admin-mfa",
"condition": "role == admin",
"enabled": true
}
Create a new or update an existing MFA login enforcement rule.
Name for this login enforcement configuration. Example: require-admin-mfa
Array of auth mount accessor IDs
Array of auth mount types
Array of identity entity IDs
Array of identity group IDs
Array of Method IDs that determine what methods will be enforced
Login enforcement rule created or updated successfully.
Bad Request - Invalid request body.
Forbidden - You do not have permission to modify this rule.
Internal Server Error - Failure during write.
POST /v1/identity/mfa/login-enforcement/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 71
{
"name": "require-admin-mfa",
"condition": "role == admin",
"enabled": true
}
{
"id": "rule-001",
"name": "require-admin-mfa",
"condition": "role == admin",
"enabled": true
}
Remove an existing MFA login enforcement rule identified by its name.
Name for this login enforcement configuration. Example: require-admin-mfa
Login enforcement deleted successfully. No content returned.
Bad Request - Invalid rule name.
Forbidden - You are not authorized to delete this rule.
Internal Server Error - Failed to delete rule.
DELETE /v1/identity/mfa/login-enforcement/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Retrieve a list of all configured Multi-Factor Authentication (MFA) methods in the system.
Must be set to true. Possible values: true
A list of configured MFA methods
Bad Request – The query parameter is missing or invalid.
Forbidden – The client does not have access rights to the content.
Internal Server Error – Something went wrong on the server.
GET /v1/identity/mfa/method HTTP/1.1
Host: localhost:8200
Accept: */*
{
"methods": [
{
"name": "totp",
"enabled": true,
"description": "Time-based One-Time Password (TOTP)"
},
{
"name": "webauthn",
"enabled": false,
"description": "WebAuthn biometric authentication"
}
]
}
Retrieve the configuration for the Duo MFA method if it is enabled and configured.
Must be set to true. Possible values: true
Duo MFA configuration details
Bad Request – Missing or incorrect query parameter.
Forbidden – Access denied to Duo configuration.
Internal Server Error – Failed to fetch Duo configuration.
GET /v1/identity/mfa/method/duo HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method": "duo",
"enabled": true,
"integration_key": "DIXXXXXXXXXXXXXXXXXX",
"api_hostname": "api-XXXXXXXX.duosecurity.com",
"description": "Duo Security multi-factor authentication"
}
The unique identifier for this MFA method.
Successfully deleted. No content returned.
Bad Request – Invalid method ID format.
Forbidden – Insufficient permissions.
Internal Server Error
DELETE /v1/identity/mfa/method/duo/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true
Successfully retrieved Okta MFA method configurations
Bad Request – Invalid query parameter.
Forbidden – Insufficient permissions.
Internal Server Error – Something went wrong.
GET /v1/identity/mfa/method/okta HTTP/1.1
Host: localhost:8200
Accept: */*
[
{
"method_id": "okta-primary",
"method": "okta",
"enabled": true,
"okta_domain": "https://dev-123456.okta.com",
"client_id": "0oab4exampleID",
"description": "Primary Okta MFA config"
},
{
"method_id": "okta-secondary",
"method": "okta",
"enabled": false,
"okta_domain": "https://dev-789012.okta.com",
"client_id": "0oab5exampleID",
"description": "Backup Okta configuration"
}
]
The unique identifier for this MFA method.
Successfully retrieved the Okta MFA configuration
Invalid method_id provided
Forbidden – You don’t have permission
Internal Server Error
GET /v1/identity/mfa/method/okta/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method_id": "okta-primary",
"method": "okta",
"enabled": true,
"okta_domain": "https://dev-123456.okta.com",
"client_id": "0oab4exampleID",
"description": "Primary Okta MFA config"
}
The unique identifier for this MFA method.
Okta API key.
The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.
The unique name identifier for this MFA method.
Name of the organization to be used in the Okta API.
If true, the username will only match the primary email for the account. Defaults to false.
(DEPRECATED) Use base_url instead.
A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{entity.name}}@example.com". If blank, the Entity's name field will be used as-is.
Successfully configured the Okta MFA method
Invalid input
Unauthorized to update method
Configuration error
POST /v1/identity/mfa/method/okta/{method_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 191
{
"method_id": "okta-primary",
"okta_domain": "https://dev-123456.okta.com",
"client_id": "0oab4exampleID",
"client_secret": "supersecretvalue",
"enabled": true,
"description": "Updated config for Okta"
}
{
"method_id": "okta-primary",
"method": "okta",
"enabled": true,
"okta_domain": "https://dev-123456.okta.com",
"client_id": "0oab4exampleID",
"description": "Updated config for Okta"
}
The unique identifier for this MFA method.
Configuration deleted successfully
Invalid method_id
Forbidden – You do not have permission
Internal Server Error
DELETE /v1/identity/mfa/method/okta/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true
Successfully retrieved PingID MFA method configurations
Invalid request parameter
Internal server error
GET /v1/identity/mfa/method/pingid HTTP/1.1
Host: localhost:8200
Accept: */*
{
"methods": [
{
"method_id": "pingid-primary",
"method": "pingid",
"enabled": true,
"pingid_environment_id": "abc123",
"description": "Primary PingID method"
},
{
"method_id": "pingid-secondary",
"method": "pingid",
"enabled": false,
"pingid_environment_id": "xyz789",
"description": "Backup PingID method"
}
]
}
The unique identifier for the PingID MFA method configuration.
Successfully retrieved the PingID method configuration
Configuration not found
Server error
GET /v1/identity/mfa/method/pingid/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method_id": "pingid-primary",
"method": "pingid",
"enabled": true,
"pingid_environment_id": "env-123",
"description": "Primary PingID configuration"
}
The unique identifier for the PingID MFA method configuration.
The unique name identifier for this MFA method.
The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not the PingID SDK or PingFederate.
A template string for mapping Identity names to MFA method names. Values to substitute should be placed in {{}}. For example, "{{alias.name}}@example.com". Currently supported mappings: alias.name (the name returned by the mount configured via the mount_accessor parameter). If blank, the Alias's name field will be used as-is.
PingID MFA method configuration updated successfully
Invalid input
Internal server error
POST /v1/identity/mfa/method/pingid/{method_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 124
{
"method_id": "pingid-primary",
"pingid_environment_id": "env-123",
"enabled": true,
"description": "Updated PingID configuration"
}
{
"method_id": "pingid-primary",
"method": "pingid",
"enabled": true,
"pingid_environment_id": "env-123",
"description": "Updated PingID configuration"
}
The unique identifier for the PingID MFA method configuration.
Configuration not found
Failed to delete configuration
DELETE /v1/identity/mfa/method/pingid/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"error": "Not Found",
"message": "No configuration found for method_id: pingid-primary"
}
Must be set to 'true' to list configurations.
List of TOTP MFA method configurations
Invalid query parameter
Internal server error
GET /v1/identity/mfa/method/totp HTTP/1.1
Host: localhost:8200
Accept: */*
[
{
"method_id": "totp-default",
"method": "totp",
"enabled": true,
"issuer": "vault-auth",
"label": "Vault TOTP MFA",
"period": 30,
"digits": 6
}
]
Identifier of the entity from which the MFA method secret needs to be removed.
The unique identifier for this MFA method.
Secret destroyed successfully
Invalid request parameters
Entity or secret not found
Internal server error
POST /v1/identity/mfa/method/totp/admin-destroy HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 79
{
"method_id": "totp-default",
"entity_id": "f398b240-ef4e-4b4a-a1ce-6be5f0e25d52"
}
{
"success": true,
"message": "TOTP secret destroyed for entity f398b240-ef4e-4b4a-a1ce-6be5f0e25d52"
}
Entity ID on which the generated secret needs to get stored.
The unique identifier for this MFA method.
TOTP secret created or updated successfully
Invalid request payload
Entity not found
Internal server error
POST /v1/identity/mfa/method/totp/admin-generate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 79
{
"method_id": "totp-primary",
"entity_id": "ee2bb4a2-cc30-4e55-a2b6-7cb8dc0ed1f4"
}
{
"success": true,
"message": "TOTP secret generated",
"totp_url": "otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example"
}
The unique identifier for this MFA method.
TOTP secret created or updated successfully
Invalid request
Entity not found
Internal server error
POST /v1/identity/mfa/method/totp/generate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 79
{
"method_id": "totp-primary",
"entity_id": "2e7b8a42-78fc-43d1-bf04-4fcf8c2c3d61"
}
{
"success": true,
"message": "TOTP secret generated",
"totp_url": "otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example"
}
The unique identifier for this TOTP MFA method.
Configuration retrieved successfully
Bad request
Unauthorized
Forbidden
Configuration not found
Internal server error
GET /v1/identity/mfa/method/totp/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method_id": "totp-123",
"issuer": "MyCompany",
"label": "[email protected]",
"algorithm": "SHA1",
"digits": 6,
"period": 30
}
The unique identifier for this TOTP MFA method.
The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512.
SHA1
The number of digits in the generated TOTP token. This value can either be 6 or 8.
6
The name of the key's issuing organization.
Determines the size in bytes of the generated key.
20
Max number of allowed validation attempts.
The unique name identifier for this MFA method.
The length of time used to generate a counter for the TOTP token calculation.
30
The pixel size of the generated square QR code.
200
The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.
1
Configuration created or updated successfully
Invalid request body
Unauthorized
Forbidden
Internal server error
POST /v1/identity/mfa/method/totp/{method_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 91
{
"issuer": "MyCompany",
"label": "[email protected]",
"algorithm": "SHA1",
"digits": 6,
"period": 30
}
{
"method_id": "totp-123",
"issuer": "MyCompany",
"label": "[email protected]",
"algorithm": "SHA1",
"digits": 6,
"period": 30
}
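The TOTP method parameters above (algorithm, digits, period, skew and max validation attempts) are exactly the knobs a verifier has to honour. The following is an added example, not Vault's code: a small RFC 4226/6238 verifier in Python's standard library that takes a configuration shaped like the request body above and shows what each field does at validation time. The configuration values, the entity IDs and the in-memory attempt counter are assumptions; the base32 secret is the one in the page's sample otpauth URL and is test data only.

```python
import base64
import hashlib
import hmac
import struct

# Constructed method configuration using the fields described for
# POST /v1/identity/mfa/method/totp/{method_id}; the values are assumptions.
TOTP_CONFIG = {
    "algorithm": "SHA1",         # SHA1, SHA256 or SHA512
    "digits": 6,                 # 6 or 8
    "period": 30,                # seconds per counter step
    "skew": 1,                   # delay periods tolerated: 0 or 1
    "max_validation_attempts": 5,
}

# Base32 secret from the page's sample otpauth:// URL (test data only).
EXAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"

_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_b32_secret(secret_b32):
    """Decode a base32 secret as found in otpauth URLs; padding is often omitted."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if algorithm not in _HASHES:
        raise ValueError("algorithm must be SHA1, SHA256 or SHA512")
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    mac = hmac.new(key, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, config=TOTP_CONFIG):
    """RFC 6238 TOTP: the counter is floor(unix_time / period)."""
    counter = int(at) // config["period"]
    return hotp(decode_b32_secret(secret_b32), counter, config["algorithm"], config["digits"])


def verify_totp(secret_b32, code, at, config=TOTP_CONFIG):
    """Accept the current period plus up to `skew` neighbouring periods.

    Assumption: skew is applied on both sides of the current period, as common
    TOTP libraries do; the page itself only speaks of delay periods.
    """
    if config["skew"] not in (0, 1):
        raise ValueError("skew must be 0 or 1")
    key = decode_b32_secret(secret_b32)
    counter = int(at) // config["period"]
    ok = False
    for delta in range(-config["skew"], config["skew"] + 1):
        expected = hotp(key, counter + delta, config["algorithm"], config["digits"])
        # Compare every candidate so timing does not reveal which period matched.
        ok |= hmac.compare_digest(expected, str(code))
    return ok


class TotpValidator:
    """Per-entity attempt limiting for one method configuration (hypothetical, in-memory)."""

    def __init__(self, config=TOTP_CONFIG):
        self.config = config
        self.failures = {}

    def validate(self, entity_id, secret_b32, code, at):
        if self.failures.get(entity_id, 0) >= self.config["max_validation_attempts"]:
            return False  # locked out until an admin destroys or regenerates the secret
        if verify_totp(secret_b32, code, at, self.config):
            self.failures.pop(entity_id, None)
            return True
        self.failures[entity_id] = self.failures.get(entity_id, 0) + 1
        return False
```

A code from the previous period passes with skew 1 and fails with skew 0; once an entity has exhausted its attempts even a correct code is rejected, which is the state the admin-destroy and admin-generate endpoints above exist to recover from.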
The unique identifier for this TOTP MFA method.
Configuration deleted successfully (no content)
Unauthorized
Forbidden
Configuration not found
Internal server error
DELETE /v1/identity/mfa/method/totp/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The unique identifier for this MFA method.
Successfully retrieved configuration
Invalid request
Unauthorized
Forbidden
Configuration not found
Internal server error
GET /v1/identity/mfa/method/{method_id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"method_id": "totp-456",
"type": "totp",
"config": {
"issuer": "ExampleCorp",
"label": "[email protected]",
"digits": 6,
"period": 30
}
}
Successfully retrieved OIDC public keys
Bad request
Unauthorized
Forbidden
Internal server error
GET /v1/identity/oidc/.well-known/keys HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
{
"kid": "abc123",
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"n": "oahUIzTYT7zK2A1eYAvay89R7hFvKVOw...",
"e": "AQAB"
}
]
}
Successfully retrieved OIDC configuration
Bad request
Unauthorized
Forbidden
Internal server error
GET /v1/identity/oidc/.well-known/openid-configuration HTTP/1.1
Host: localhost:8200
Accept: */*
{
"issuer": "https://example.com/v1/identity/oidc",
"authorization_endpoint": "https://example.com/v1/identity/oidc/auth",
"token_endpoint": "https://example.com/v1/identity/oidc/token",
"userinfo_endpoint": "https://example.com/v1/identity/oidc/userinfo",
"jwks_uri": "https://example.com/v1/identity/oidc/.well-known/keys",
"response_types_supported": [
"code",
"id_token",
"token id_token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic"
],
"claims_supported": [
"sub",
"email",
"name"
]
}
Must be set to true to trigger the listing functionality
Successfully retrieved the list of OIDC assignments
Bad request due to missing or invalid parameters
Unauthorized access
Forbidden due to insufficient permissions
Internal server error
GET /v1/identity/oidc/assignment HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"assignment-role-1",
"assignment-role-2",
"assignment-role-3"
]
}
Name of the OIDC assignment
Assignment details retrieved successfully
Invalid assignment name
Unauthorized
Forbidden
Assignment not found
Server error
GET /v1/identity/oidc/assignment/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "assignment-role-1",
"entity_id": "1234-5678",
"role": "oidc-role-1"
}
Name of the OIDC assignment
Comma separated string or array of identity entity IDs
Comma separated string or array of identity group IDs
Assignment created or updated successfully
Bad request due to missing or invalid fields
Unauthorized
Forbidden
Internal server error
POST /v1/identity/oidc/assignment/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 73
{
"name": "assignment-role-1",
"entity_id": "1234-5678",
"role": "oidc-role-1"
}
{
"success": true,
"message": "Assignment created successfully."
}
Name of the OIDC assignment
Assignment deleted successfully
Invalid assignment name
Unauthorized
Forbidden
Assignment not found
Internal server error
DELETE /v1/identity/oidc/assignment/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true
List of clients
Bad request
Unauthorized
Internal server error
GET /v1/identity/oidc/client HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"client-one",
"client-two"
]
}
Name of the client.
Client configuration
Unauthorized
Forbidden
Client not found
Internal server error
GET /v1/identity/oidc/client/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"client_id": "example-client",
"redirect_uris": [
"https://app.example.com/callback"
],
"grant_types": [
"authorization_code"
],
"response_types": [
"code"
],
"client_secret": "s3cret"
}
Name of the client.
The time-to-live for access tokens obtained by the client.
24h
Comma separated string or array of assignment resources.
The client type based on its ability to maintain confidentiality of credentials. The following client types are supported: 'confidential', 'public'. Defaults to 'confidential'.
confidential
The time-to-live for ID tokens obtained by the client.
24h
A reference to a named key resource. Cannot be modified after creation. Defaults to the 'default' key.
default
Comma separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request.
Client created or updated successfully
Validation error
Unauthorized
Forbidden
Internal server error
POST /v1/identity/oidc/client/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 176
{
"client_id": "example-client",
"redirect_uris": [
"https://app.example.com/callback"
],
"grant_types": [
"authorization_code"
],
"response_types": [
"code"
],
"client_secret": "supersecret"
}
{
"success": true,
"message": "Client created."
}
Name of the client.
Client deleted successfully
Unauthorized
Forbidden
Client not found
Internal server error
DELETE /v1/identity/oidc/client/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
OIDC configuration retrieved successfully
Unauthorized
Forbidden
Configuration not found
Internal server error
GET /v1/identity/oidc/config HTTP/1.1
Host: localhost:8200
Accept: */*
{
"issuer": "https://auth.example.com",
"client_id": "example-client",
"client_secret": "supersecret",
"scopes_supported": [
"openid",
"email"
]
}
Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used.
Configuration updated successfully
Invalid input
Unauthorized
Forbidden
Internal server error
POST /v1/identity/oidc/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 134
{
"issuer": "https://auth.example.com",
"client_id": "example-client",
"client_secret": "supersecret",
"scopes_supported": [
"openid",
"email"
]
}
{
"success": true,
"message": "OIDC configuration updated successfully."
}
Optional client_id to verify
Token to verify
Token introspection successful
Invalid request body
Unauthorized
Forbidden
Internal server error
POST /v1/identity/oidc/introspect HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 51
{
"token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}
{
"active": true,
"sub": "1234567890",
"scope": "openid email",
"exp": 1713569920,
"iat": 1713566320,
"iss": "https://auth.example.com"
}
Must be set to true
true
OIDC keys listed successfully
Invalid query parameter
Unauthorized
Forbidden
Internal server error
GET /v1/identity/oidc/key HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
{
"name": "default",
"type": "rsa",
"algorithm": "RS256",
"creation_time": "2024-01-01T12:00:00Z"
}
]
}
Name of the key
default
OIDC key retrieved successfully
Invalid key name
Unauthorized
Forbidden
Key not found
Internal server error
GET /v1/identity/oidc/key/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "default",
"type": "rsa",
"algorithm": "RS256",
"creation_time": "2024-01-01T12:00:00Z"
}
Name of the key
default
Signing algorithm to use. This will default to RS256.
RS256
Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If "*" all roles are allowed.
How often to generate a new keypair.
24h
Controls how long the public portion of a key will be available for verification after being rotated.
24h
Key created or updated successfully
Invalid input
Unauthorized
Forbidden
Internal server error
POST /v1/identity/oidc/key/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 68
{
"type": "rsa",
"algorithm": "RS256",
"allowed_client_ids": [
"client-1"
]
}
{
"name": "default",
"success": true
}
Name of the key
default
Key deleted successfully (empty body)
Invalid key name
Unauthorized
Forbidden
Key not found
Internal server error
DELETE /v1/identity/oidc/key/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Name of the key
default-key
Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key.
Key rotated successfully
Invalid request data
Unauthorized
Forbidden
Key not found
Internal server error
POST /v1/identity/oidc/key/{name}/rotate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 38
{
"key_type": "rsa",
"algorithm": "RS256"
}
{
"name": "default-key",
"rotated": true,
"creation_time": "2025-04-20T12:00:00Z"
}
Must be set to true
true
Filters the list of OIDC providers to those that allow the given client ID in their set of allowed_client_ids.
""
Example: my-client-id
List of OIDC providers retrieved successfully
Invalid query parameters
Unauthorized request
Access forbidden
Resource not found
Internal server error
GET /v1/identity/oidc/provider HTTP/1.1
Host: localhost:8200
Accept: */*
{
"providers": [
{
"name": "provider-1",
"issuer": "https://provider-1.example.com",
"allowed_client_ids": [
"my-client-id",
"admin-client"
]
},
{
"name": "provider-2",
"issuer": "https://provider-2.example.com",
"allowed_client_ids": [
"my-client-id"
]
}
]
}
Name of the provider
my-oidc-provider
OIDC provider configuration retrieved successfully
Bad request
Unauthorized access
Access forbidden
Provider not found
Internal server error
GET /v1/identity/oidc/provider/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "my-oidc-provider",
"issuer": "https://issuer.example.com",
"client_id": "client-123",
"client_secret": "secret-value"
}
Name of the provider
my-oidc-provider
The client IDs that are permitted to use the provider
Specifies what will be used for the iss claim of ID tokens.
The scopes supported for requesting on the provider
Provider successfully created or updated
Validation error
Unauthorized
Forbidden
Internal server error
POST /v1/identity/oidc/provider/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 144
{
"issuer": "https://issuer.example.com",
"client_id": "client-123",
"client_secret": "secret-value",
"allowed_client_ids": [
"client-123",
"client-abc"
]
}
{
"name": "my-oidc-provider",
"issuer": "https://issuer.example.com",
"client_id": "client-123",
"client_secret": "secret-value"
}
Name of the provider
my-oidc-provider
Provider deleted successfully (no content)
Bad request
Unauthorized
Forbidden
Provider not found
Internal server error
DELETE /v1/identity/oidc/provider/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Name of the OIDC provider
my-oidc-provider
Successfully retrieved public keys
Bad request (e.g., missing or malformed provider name)
Unauthorized (if incorrectly marked unauthenticated)
Forbidden (access denied)
Provider not found
Internal server error
GET /v1/identity/oidc/provider/{name}/.well-known/keys HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
{
"kty": "RSA",
"kid": "1234abcd",
"use": "sig",
"alg": "RS256",
"n": "0vx7agoebGc...",
"e": "AQAB"
}
]
}
Name of the OIDC provider
my-oidc-provider
Successfully retrieved the OIDC configuration
Invalid request or malformed provider name
Unauthorized
Forbidden
Provider not found
Internal server error
GET /v1/identity/oidc/provider/{name}/.well-known/openid-configuration HTTP/1.1
Host: localhost:8200
Accept: */*
{
"issuer": "https://vault.example.com/v1/identity/oidc/provider/my-oidc-provider",
"authorization_endpoint": "https://vault.example.com/v1/identity/oidc/provider/my-oidc-provider/authorize",
"token_endpoint": "https://vault.example.com/v1/identity/oidc/provider/my-oidc-provider/token",
"jwks_uri": "https://vault.example.com/v1/identity/oidc/provider/my-oidc-provider/.well-known/keys",
"response_types_supported": [
"code"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
]
}
Name of the OIDC provider
example-provider
OAuth 2.0 response type
code
Client identifier
my-client-id
Callback URI after successful authorization
https://example.com/callback
Requested scopes
openid profile email
Client state to be returned after auth
abc123
Authorization parameters validated successfully
Bad request or missing parameters
Unauthorized
Forbidden
OIDC provider not found
Internal server error
GET /v1/identity/oidc/provider/{name}/authorize HTTP/1.1
Host: localhost:8200
Accept: */*
{
"redirect_to": "https://example.com/consent"
}
Name of the OIDC provider
example-provider
The ID of the requesting client.
The code challenge derived from the code verifier.
The method that was used to derive the code challenge. The following methods are supported: 'S256', 'plain'. Defaults to 'plain'.
plain
The allowable elapsed time in seconds since the last time the end-user was actively authenticated.
The value that will be returned in the ID token nonce claim after a token exchange.
The redirection URI to which the response will be sent.
The OIDC authentication flow to be used. The following response types are supported: 'code'.
A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required.
The value used to maintain state between the authentication request and client.
Authorization initiated successfully
Invalid request body or missing fields
Unauthorized
Forbidden
OIDC provider not found
Server error during authorization
POST /v1/identity/oidc/provider/{name}/authorize HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 145
{
"response_type": "code",
"client_id": "my-client-id",
"redirect_uri": "https://example.com/callback",
"scope": "openid email profile",
"state": "xyz789"
}
{
"redirect_to": "https://example.com/consent"
}
Name of the provider
example-provider
The ID of the requesting client.
The secret of the requesting client.
The authorization code received from the provider's authorization endpoint.
The code verifier associated with the authorization code.
The authorization grant type. The following grant types are supported: 'authorization_code'.
The callback location where the authentication response was sent.
Token successfully issued
Invalid request, missing or malformed parameters
Unauthorized – Invalid client credentials
Forbidden – Client not allowed to obtain token
Provider not found
Internal server error
POST /v1/identity/oidc/provider/{name}/token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 159
{
"grant_type": "authorization_code",
"code": "abc123",
"redirect_uri": "https://example.com/callback",
"client_id": "my-client-id",
"client_secret": "my-client-secret"
}
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "def456"
}
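The authorize parameters above (code_challenge, code_challenge_method defaulting to 'plain', an exact redirect_uri match, the required openid scope) and the token parameters (code_verifier, client_secret, single-use authorization code) describe the two halves of an authorization-code exchange with PKCE. The following is an added example, not Vault's implementation: a minimal in-memory provider in Python standard library code that issues a code at the authorize step and checks the presented code_verifier against the stored challenge at the token step. The registered client, its redirect URI and the returned claims are assumptions; the 'S256' derivation is RFC 7636's base64url(SHA-256(verifier)).

```python
import base64
import hashlib
import hmac
import secrets

# Constructed client registration, shaped like the page's
# POST /v1/identity/oidc/client/{name} body (values are assumptions).
CLIENTS = {
    "my-client-id": {
        "client_secret": "my-client-secret",
        "redirect_uris": ["https://example.com/callback"],
        "client_type": "public",  # 'confidential' or 'public'
    }
}


def b64url(data):
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes=32):
    """Client side: a high-entropy verifier of 43..128 unreserved characters."""
    return b64url(secrets.token_bytes(nbytes))  # 32 random bytes -> 43 characters


def code_challenge(verifier, method="S256"):
    """Derive the code_challenge sent with the authorize request."""
    if method == "plain":
        return verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError("code_challenge_method must be 'S256' or 'plain'")


class AuthorizationStore:
    """In-memory stand-in for the provider's pending authorization codes (hypothetical)."""

    def __init__(self):
        self.codes = {}

    def authorize(self, req):
        """Validate the authorize parameters and issue a one-time code, or None."""
        client = CLIENTS.get(req.get("client_id"))
        if client is None or req.get("response_type") != "code":
            return None
        if req.get("redirect_uri") not in client["redirect_uris"]:
            return None  # must exactly match a registered redirect URI
        if "openid" not in req.get("scope", "").split():
            return None  # the 'openid' scope is required
        method = req.get("code_challenge_method", "plain")  # page: defaults to 'plain'
        challenge = req.get("code_challenge")
        if client["client_type"] == "public" and not challenge:
            return None  # a public client has no secret, so PKCE is its only proof of possession
        code = b64url(secrets.token_bytes(24))
        self.codes[code] = {
            "client_id": req["client_id"],
            "redirect_uri": req["redirect_uri"],
            "code_challenge": challenge,
            "code_challenge_method": method,
            "nonce": req.get("nonce"),
        }
        return code

    def token(self, req):
        """Exchange a code: client, redirect_uri, secret and PKCE verifier must all check out."""
        if req.get("grant_type") != "authorization_code":
            return None
        pending = self.codes.pop(req.get("code"), None)  # single use, even on failure
        if pending is None or pending["client_id"] != req.get("client_id"):
            return None
        client = CLIENTS[pending["client_id"]]
        if pending["redirect_uri"] != req.get("redirect_uri"):
            return None
        if client["client_type"] == "confidential" and not hmac.compare_digest(
            client["client_secret"], req.get("client_secret", "")
        ):
            return None
        if pending["code_challenge"] is not None:
            verifier = req.get("code_verifier", "")
            if not 43 <= len(verifier) <= 128:
                return None
            expected = code_challenge(verifier, pending["code_challenge_method"])
            if not hmac.compare_digest(expected, pending["code_challenge"]):
                return None
        # Stand-in for the token response; the nonce is echoed into the ID token claims.
        return {"token_type": "Bearer", "expires_in": 3600, "id_token_claims": {"nonce": pending["nonce"]}}
```

Because the code is popped before any check runs, a failed exchange (wrong verifier, wrong client, wrong redirect_uri) burns the code, and a replay of a successful exchange fails too; 'plain' is accepted because the page lists it, but a client that can compute SHA-256 should always send 'S256'.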
Name of the provider
example-provider
Successfully retrieved user information
Invalid request
Unauthorized – Invalid or expired token
Forbidden – Access denied
OIDC provider not found
Internal server error
GET /v1/identity/oidc/provider/{name}/userinfo HTTP/1.1
Host: localhost:8200
Accept: */*
{
"sub": "1234567890",
"name": "Jane Doe",
"email": "[email protected]"
}
Name of the provider
example-provider
Successfully retrieved user information
Invalid request
Unauthorized – Invalid or expired token
Forbidden – Access denied
OIDC provider not found
Internal server error
POST /v1/identity/oidc/provider/{name}/userinfo HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 58
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}
{
"sub": "1234567890",
"name": "Jane Doe",
"email": "[email protected]"
}
Must be set to 'true' to list configured roles
true
Successfully retrieved list of OIDC roles
Invalid request parameter
Unauthorized – missing or invalid token
Internal server error
GET /v1/identity/oidc/role HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"example-role-1",
"example-role-2"
]
}
Name of the role
developer-role
Successfully retrieved OIDC role configuration
Invalid request format
Unauthorized
Role not found
Internal server error
GET /v1/identity/oidc/role/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "developer-role",
"user_claim": "sub",
"bound_audiences": [
"my-client"
],
"allowed_redirect_uris": [
"https://example.com/callback"
],
"ttl": "1h"
}
Name of the role
developer-role
Optional client_id
The OIDC key to use for generating tokens. The specified key must already exist.
The template string to use for generating tokens. This may be in string-ified JSON or base64 format.
TTL of the tokens generated against the role.
24h
Successfully created or updated the role
Validation error
Unauthorized
Server error
POST /v1/identity/oidc/role/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 144
{
"name": "developer-role",
"user_claim": "sub",
"bound_audiences": [
"my-client"
],
"allowed_redirect_uris": [
"https://example.com/callback"
],
"ttl": "1h"
}
{
"success": true,
"data": {
"name": "developer-role"
}
}
Name of the role
developer-role
Role successfully deleted (no content)
Invalid role name
Unauthorized
Role not found
Internal server error
DELETE /v1/identity/oidc/role/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to 'true' to list configured scopes
true
Successfully retrieved list of OIDC scopes
Invalid request parameter
Unauthorized – missing or invalid token
Internal server error
GET /v1/identity/oidc/scope HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"read-only",
"admin"
]
}
Name of the scope
read-only
Successfully retrieved OIDC scope configuration
Invalid request format
Unauthorized
Scope not found
Internal server error
GET /v1/identity/oidc/scope/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "read-only",
"description": "Read-only access scope",
"claims": [
"sub",
"email"
]
}
Name of the scope
read-only
The description of the scope
The template string to use for the scope. This may be in string-ified JSON or base64 format.
Successfully created or updated the scope
Validation error
Unauthorized
Server error
POST /v1/identity/oidc/scope/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 84
{
"name": "read-only",
"description": "Read-only access scope",
"claims": [
"sub",
"email"
]
}
{
"name": "read-only",
"description": "Read-only access scope",
"claims": [
"sub",
"email"
]
}
Name of the scope
read-only
Scope successfully deleted (no content)
Invalid scope name
Unauthorized
Scope not found
Internal server error
DELETE /v1/identity/oidc/scope/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Name of the role
developer-role
Successfully generated OIDC token
Invalid request parameters
Unauthorized – missing or invalid token
Role not found
Internal server error
GET /v1/identity/oidc/token/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "openid profile email"
}
Entity ID to which this persona belongs
ID of the persona
Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Mount accessor to which this persona belongs
Name of the persona
Successfully created a new alias
Invalid request body
Unauthorized – missing or invalid token
Internal server error
POST /v1/identity/persona HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 82
{
"name": "john.doe",
"metadata": {
"department": "Engineering",
"location": "Hyderabad"
}
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"name": "john.doe",
"metadata": {
"department": "Engineering",
"location": "Hyderabad"
}
}
Must be set to 'true' to list all alias IDs
true
Successfully retrieved list of alias IDs
Invalid request parameter
Unauthorized – missing or invalid token
Internal server error
GET /v1/identity/persona/id HTTP/1.1
Host: localhost:8200
Accept: */*
{
"ids": [
"123e4567-e89b-12d3-a456-426614174000",
"987f6543-e21b-34d3-b456-426614174999"
]
}
ID of the persona
123e4567-e89b-12d3-a456-426614174000
Successfully retrieved alias details
Invalid ID format
Unauthorized – missing or invalid credentials
Persona ID not found
Internal server error
GET /v1/identity/persona/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"name": "john.doe",
"metadata": {
"department": "Engineering",
"location": "Hyderabad"
}
}
ID of the persona
123e4567-e89b-12d3-a456-426614174000
Entity ID to which this persona should be tied
Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2
Mount accessor to which this persona belongs
Name of the persona
Successfully updated the alias
Invalid update payload
Unauthorized – authentication required
Persona ID not found
Internal server error
POST /v1/identity/persona/id/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 56
{
"metadata": {
"department": "Security",
"location": "Pune"
}
}
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"name": "john.doe",
"metadata": {
"department": "Security",
"location": "Pune"
}
}
ID of the persona
123e4567-e89b-12d3-a456-426614174000
Successfully deleted. No content returned.
Invalid ID format
Unauthorized – authentication required
Persona ID not found
Server error
DELETE /v1/identity/persona/id/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
No content