Virtual HSM
System


Disable the audit device at the given path.

delete
Path parameters
path (string, required)

The name of the backend. Cannot be delimited. Example: 'mysql'

Responses
204
Audit device successfully disabled. No content is returned.
application/json
400
Bad Request - The provided path is invalid or the device cannot be disabled.
application/json
401
Unauthorized - Authentication failed or no access rights.
application/json
404
Not Found - The specified audit device path was not found.
application/json
delete
DELETE /v1/sys/audit/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{}

Read the configuration of the auth engine at the given path.

get
Path parameters
path (string, required)

The path to mount to. Cannot be delimited. Example: 'user'

Responses
200
Successfully read the auth configuration.
application/json
400
Bad Request - Invalid path or request format.
application/json
401
Unauthorized - Authentication failure.
application/json
404
Not Found - No auth engine found at this path.
application/json
get
GET /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "type": "userpass",
  "description": "User/password based authentication",
  "config": {
    "default_lease_ttl": "768h",
    "max_lease_ttl": "768h"
  }
}

Disable the auth method at the given auth path.

delete
Path parameters
path (string, required)

The path to mount to. Cannot be delimited. Example: 'user'

Responses
204
Auth method successfully disabled. No content is returned.
application/json
400
Bad Request - Invalid path or request format.
application/json
401
Unauthorized - Authentication or permission failure.
application/json
404
Not Found - The specified auth method path was not found.
application/json
delete
DELETE /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{}

Reads the given auth path's configuration.

get

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Tune the configuration parameters for an auth path.

Path parameters
path (string, required)

Responses
200
Successfully read tuning information.
application/json
400
Bad Request - Invalid request or path.
application/json
401
Unauthorized - Token missing or access denied.
application/json
get
GET /v1/sys/auth/{path}/tune HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "default_lease_ttl": "768h",
  "max_lease_ttl": "768h",
  "audit_non_hmac_request_keys": [
    "user"
  ],
  "audit_non_hmac_response_keys": [
    "metadata"
  ],
  "listing_visibility": "unauth",
  "passthrough_request_headers": [
    "X-My-Header"
  ]
}

List the request headers that are configured to be audited.

get
Responses
200
Successfully listed the configured audited request headers.
application/json
400
Bad Request - Server failed to process the request.
application/json
401
Unauthorized - Token is missing or does not have sufficient privileges.
application/json
get
GET /v1/sys/config/auditing/request-headers HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "headers": [
    {
      "name": "X-Request-ID",
      "hmac": true
    },
    {
      "name": "Authorization",
      "hmac": false
    }
  ]
}

List the information for the given request header.

get
Path parameters
header (string, required)

The name of the request header to audit.

Example: X-Request-ID
Responses
200
Successfully retrieved the request header auditing information.
application/json
Response: any
400
Bad Request - Invalid header format.
application/json
401
Unauthorized - Insufficient permissions.
application/json
get
GET /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "name": "X-Request-ID",
  "hmac": true
}

Disable auditing of the given request header.

delete
Path parameters
header (string, required)

The name of the request header to audit.

Example: X-Request-ID
Responses
204
Auditing for the header disabled successfully.
400
Bad Request - Header not found.
application/json
401
Unauthorized - Insufficient permissions.
application/json
delete
DELETE /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the current control group configuration.

get
Responses
200
Successfully retrieved the control group configuration.
application/json
Response: any
400
Bad Request - Invalid request.
application/json
401
Unauthorized - Missing or invalid credentials.
application/json
get
GET /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "control_group": {
    "enforcement_level": "soft-mandatory",
    "thresholds": {
      "approvals": 2,
      "reviewers": [
        "team-leads",
        "security-admins"
      ]
    }
  }
}

Delete the control group configuration.

delete
Responses
204
Control group configuration deleted successfully.
400
Bad Request - Cannot delete configuration.
application/json
401
Unauthorized - Access denied.
application/json
delete
DELETE /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Return the current CORS settings.

get
Responses
200
Current CORS settings returned successfully.
application/json
400
Invalid request.
application/json
403
Forbidden. Not authorized.
application/json
get
GET /v1/sys/config/cors HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "enabled": true,
  "allowed_origins": [
    "https://example.com"
  ],
  "allowed_headers": [
    "X-Custom-Header"
  ],
  "allowed_methods": [
    "GET",
    "POST"
  ],
  "allow_credentials": true,
  "expose_headers": [
    "X-Expose-This"
  ]
}

Remove any CORS settings.

delete
Responses
204
CORS settings removed successfully.
403
Not authorized.
application/json
delete
DELETE /v1/sys/config/cors HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the group policy application configuration.

get
Responses
200
Group policy application configuration retrieved successfully.
application/json
Response: any
400
Invalid request.
application/json
403
Forbidden. The client does not have permission.
application/json
500
Internal server error.
application/json
get
GET /v1/sys/config/group-policy-application HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "enabled": true,
  "default_policy": "default",
  "override_allowed": false
}

Return a sanitized version of the Vault server configuration.

get

The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.

Responses
200
Sanitized configuration retrieved successfully.
application/json
Response: any
403
Forbidden. The client does not have sufficient privileges.
application/json
500
Internal server error.
application/json
get
GET /v1/sys/config/state/sanitized HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "listener": [
    {
      "tcp": {
        "address": "127.0.0.1:8200",
        "tls_disable": true
      }
    }
  ],
  "storage": {
    "file": {
      "path": "<stripped>"
    }
  },
  "seal": {
    "type": "<stripped>"
  },
  "telemetry": {
    "dogstatsd_addr": "localhost:8125",
    "circonus_api_token": "<stripped>"
  }
}

Return the given UI header's configuration.

get
Path parameters
header (string, required)

The name of the header.

Responses
200
Returns the configuration of the specified UI header.
application/json
404
Not Found. The requested header does not exist.
application/json
500
Internal Server Error. A server-side error occurred.
application/json
get
GET /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "value": "text",
  "values": [
    "text"
  ]
}

Remove a UI header.

delete
Path parameters
header (string, required)

The name of the header.

Responses
204
Header successfully removed.
400
Bad request. The request is malformed or missing required parameters.
application/json
404
Not Found. The requested header does not exist.
application/json
500
Internal Server Error. A server-side error occurred.
application/json
delete
DELETE /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the current root token generation progress.

get

Returns the configuration and progress details of the ongoing root token generation process.

Responses
200
Successfully retrieved the root generation progress.
application/json
400
Bad Request - The request is malformed or invalid.
application/json
401
Unauthorized - Authentication credentials are missing or invalid.
application/json
403
Forbidden - Insufficient permissions to read root generation progress.
application/json
404
Not Found - No active root generation attempt found.
application/json
500
Internal Server Error - Unexpected server-side error.
application/json
get
GET /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}

Cancel an ongoing root token generation attempt.

delete

Cancels any in-progress root token generation attempt, allowing a new attempt to be started.

Responses
204
Successfully canceled the root generation attempt.
400
Bad Request - The request is malformed or invalid.
application/json
401
Unauthorized - Authentication credentials are missing or invalid.
application/json
403
Forbidden - Insufficient permissions to cancel the root generation.
application/json
500
Internal Server Error - Unexpected server-side error.
application/json
delete
DELETE /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the progress of the current root generation attempt.

get

Returns configuration and current progress details for an active root token generation attempt.

Responses
200
Successfully retrieved root generation progress.
application/json
400
Bad Request - The request is malformed or invalid.
application/json
401
Unauthorized - Missing or invalid authentication credentials.
application/json
403
Forbidden - You do not have permission to read the root generation progress.
application/json
404
Not Found - No active root generation attempt found.
application/json
500
Internal Server Error - An unexpected server-side error occurred.
application/json
get
GET /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}

Cancel an ongoing root token generation attempt.

delete

Cancels any in-progress root token generation attempt to allow a new one to begin.

Responses
204
Successfully canceled the root generation attempt.
400
Bad Request - The request is malformed or invalid.
application/json
401
Unauthorized - Missing or invalid authentication credentials.
application/json
403
Forbidden - You do not have permission to cancel the root generation.
application/json
500
Internal Server Error - An unexpected server-side error occurred.
application/json
delete
DELETE /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Retrieve the HA status of a Vault cluster.

get

Retrieves detailed information about the HA cluster setup, including whether this node is active or standby, and information about the current leader.

Responses
200
Successfully retrieved the HA status.
application/json
500
Internal Server Error - Failed to retrieve HA status due to server-side issues.
application/json
get
GET /v1/sys/ha-status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "nodes": [
    {}
  ]
}

Retrieve the health status of the Vault server.

get

Returns different HTTP status codes depending on Vault's current state:
- 200: Vault is initialized, unsealed, and active.
- 429: Vault is unsealed and in standby mode.
- 472: Vault is in data recovery mode, acting as replication secondary and active.
- 501: Vault is not initialized.
- 503: Vault is sealed and unavailable.

Responses
200
Initialized, unsealed, and active.
400
Bad Request - Invalid request parameters or format.
application/json
401
Unauthorized - Missing or invalid authentication credentials.
application/json
429
Unsealed and standby.
472
Data recovery mode replication secondary and active.
500
Internal Server Error - An unexpected error occurred.
application/json
501
Not initialized.
503
Sealed.
get
GET /v1/sys/health HTTP/1.1
Host: localhost:8200
Accept: */*

No content
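A readiness and liveness probe built on the status-code mapping of /v1/sys/health above, as an added example that is not code from the vHSM project. The base URL, the state names and the helper names are this example's own assumptions; it uses only the Python standard library.

```python
"""Readiness/liveness probe for the vHSM /v1/sys/health endpoint.

Added example, not part of the vHSM documentation. The status-code mapping
comes from the endpoint description; the base URL, state names and helper
names are assumptions made for this example.
"""
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Status codes the endpoint uses to signal server state (from the endpoint description).
HEALTH_STATES = {
    200: "active",               # initialized, unsealed, and active
    429: "standby",              # unsealed, standby node
    472: "dr-secondary-active",  # data recovery mode replication secondary, active
    501: "uninitialized",        # not initialized
    503: "sealed",               # sealed and unavailable
}


def classify(status_code):
    """Map an HTTP status code from /v1/sys/health to a named state.

    Codes outside the documented set are reported as 'unknown', so an answer
    from a proxy or load balancer in front of the server is not mistaken for
    an answer from the server itself.
    """
    return HEALTH_STATES.get(status_code, "unknown")


def ready(status_code):
    """Readiness: only an active node should receive client traffic."""
    return status_code == 200


def alive(status_code):
    """Liveness: any documented code means the server process answered.

    A sealed or uninitialized node is alive but needs operator action
    (unseal / init), not a restart, so it must not be reported as dead.
    """
    return status_code in HEALTH_STATES


def probe(base_url="http://localhost:8200", timeout=3.0):
    """Query /v1/sys/health and return (status_code, state, ready, alive).

    urllib raises HTTPError for every non-2xx code, but for this endpoint the
    non-2xx codes are the signal, so they are caught and classified rather
    than treated as failures. Network errors yield code 0 / 'unreachable'.
    """
    req = Request(base_url.rstrip("/") + "/v1/sys/health",
                  headers={"Accept": "*/*"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            code = resp.status
    except HTTPError as err:
        code = err.code
    except URLError:
        return 0, "unreachable", False, False
    return code, classify(code), ready(code), alive(code)


if __name__ == "__main__":
    # Assumes a vHSM/Vault server listening on localhost:8200.
    print(probe())
```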

Retrieve host instance information for the Vault server.

get

Collects and returns host-level system information including hardware details, CPU utilization, disk usage, and memory statistics. Useful for monitoring the resource consumption of the Vault instance.

Responses
200
Successfully retrieved host information.
application/json
400
Bad Request - Malformed request or invalid parameters.
application/json
401
Unauthorized - Authentication credentials missing or invalid.
application/json
500
Internal Server Error - Failed to retrieve host information.
application/json
get
GET /v1/sys/host-info HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "cpu": [
    {}
  ],
  "cpu_times": [
    {}
  ],
  "disk": [
    {}
  ],
  "host": {},
  "memory": {},
  "timestamp": "2025-05-09T09:42:38.637Z"
}

List in-flight requests being processed by Vault.

get

Returns a map of ongoing API requests ("in-flight requests") to assist with debugging and load monitoring. Each entry provides information such as client details, request path, and duration.

Responses
200
Successfully retrieved in-flight request information.
application/json
Response: any
400
Bad Request - Malformed request or invalid parameters.
application/json
401
Unauthorized - Authentication credentials missing or invalid.
application/json
500
Internal Server Error - Failed to retrieve in-flight request information.
application/json
get
GET /v1/sys/in-flight-req HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Returns the initialization status of Vault.

get

Checks whether Vault has already been initialized. This endpoint returns the initialization status without making any modifications to the Vault state.

Responses
200
Successfully retrieved initialization status.
application/json
Response: any
400
Bad Request - Malformed request.
application/json
500
Internal Server Error - Failed to retrieve initialization status.
application/json
get
GET /v1/sys/init HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Report the historical client count metrics.

get

Retrieves historical counts of unique clients that interacted with Vault, covering the current namespace and all child namespaces.

Responses
200
Successfully retrieved client activity counts.
application/json
Response: any
400
Bad Request - Malformed request.
application/json
500
Internal Server Error - Failed to retrieve counts.
application/json
get
GET /v1/sys/internal/counters/activity HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Export the historical client count data.

get

Exports detailed raw historical client activity data for analysis and reporting outside of Vault.

Responses
200
Successfully exported client activity data.
application/json
Response: any
400
Bad Request - Malformed request.
application/json
500
Internal Server Error - Failed to export activity data.
application/json
get
GET /v1/sys/internal/counters/activity/export HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Report the client count for the current month.

get

Returns the number of unique clients that have interacted with Vault during the current month for this namespace and all child namespaces.

Responses
200
Successfully retrieved monthly client counts.
application/json
Response: any
400
Bad Request - Malformed request.
application/json
500
Internal Server Error - Failed to retrieve monthly counts.
application/json
get
GET /v1/sys/internal/counters/activity/monthly HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the client count tracking configuration.

get

Returns the current configuration settings for client count collection, including status, retention period, and default reporting period.

Responses
200
Successfully retrieved client count configuration.
application/json
Response: any
400
Bad Request - Malformed request.
application/json
500
Internal Server Error - Failed to retrieve configuration.
application/json
get
GET /v1/sys/internal/counters/config HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Report the number of active identity entities in the Vault cluster.

get

Retrieves the current number of active identity entities managed by the Vault server. Note: Backward compatibility is not guaranteed for this endpoint.

Responses
200
Successfully retrieved entity count.
application/json
400
Bad Request - Malformed or invalid request.
application/json
500
Internal Server Error - Failed to retrieve entity count.
application/json
get
GET /v1/sys/internal/counters/entities HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "counters": {}
}
Deprecated - Count of requests seen by the Vault cluster.

get

This endpoint is currently unsupported and deprecated. Previously, it provided a count of requests handled by the Vault cluster. Note: Backward compatibility is not guaranteed.

Responses
200
Deprecated API call successful (no useful output).
400
Bad Request - Invalid call to deprecated API.
application/json
500
Internal Server Error - Deprecated API failure.
application/json
get
GET /v1/sys/internal/counters/requests HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Report the number of active tokens in the Vault cluster.

get

Retrieves the current number of active authentication tokens managed by Vault. Note: Backward compatibility is not guaranteed for this endpoint.

Responses
200
Successfully retrieved token count.
application/json
400
Bad Request - Malformed or invalid request.
application/json
500
Internal Server Error - Failed to retrieve token count.
application/json
get
GET /v1/sys/internal/counters/tokens HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "counters": {}
}

Exposes the route entry and mount entry tables present in the router.

get

Retrieves the entries in the router for the specified subtree (uuid, accessor, storage, root). The tag path parameter must be one of the inspectable subtrees. This endpoint provides information about the structure and entries in the router trees.

Path parameters
tag (string, required)

Name of the subtree being observed (e.g., uuid, accessor, storage, root).

Responses
200
Successfully retrieved the entries in the router for the specified tag.
application/json
Response: any
400
Bad Request - Invalid or malformed tag or missing required parameters.
application/json
404
Not Found - The specified tag does not exist in the router.
application/json
500
Internal Server Error - Failed to retrieve router entries.
application/json
get
GET /v1/sys/internal/inspect/router/{tag} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Generate OpenAPI document for mounted paths

get
Query parameters
generic_mount_paths (boolean, optional)

Use generic mount paths

Default: false
Responses
200
Successfully generated OpenAPI document
application/json
Response: any
500
Internal server error
application/json
get
GET /v1/sys/internal/specs/openapi HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "openapi": "3.0.0",
  "info": {
    "title": "Vault API",
    "version": "v1"
  },
  "paths": {}
}

Lists enabled feature flags

get
Responses
200
Successfully listed enabled feature flags
application/json
400
Invalid request
application/json
500
Internal server error
application/json
get
GET /v1/sys/internal/ui/feature-flags HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "flags": [
    {
      "name": "advanced_mode",
      "enabled": true
    },
    {
      "name": "beta_theme",
      "enabled": false
    }
  ]
}

Lists all enabled and visible auth and secrets mounts

get
Responses
200
Successfully listed visible mounts
application/json
400
Invalid request
application/json
500
Internal server error
application/json
get
GET /v1/sys/internal/ui/mounts HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "mounts": {
    "auth/": {
      "type": "userpass",
      "accessor": "auth_userpass_abcd",
      "visible": true
    },
    "secret/": {
      "type": "kv",
      "options": {
        "version": "2"
      },
      "visible": true
    }
  }
}

Lists visible child namespaces

get
Responses
200
Successfully listed namespaces
application/json
400
Invalid request
application/json
500
Internal server error
application/json
get
GET /v1/sys/internal/ui/namespaces HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "namespaces": [
    {
      "name": "finance/"
    },
    {
      "name": "engineering/"
    }
  ]
}

Returns the resultant ACL for a client token

get
Responses
200
Successfully returned ACL policy
application/json
204
No client token present; empty response
400
Invalid request
application/json
500
Internal server error
application/json
get
GET /v1/sys/internal/ui/resultant-acl HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "policies": [
    "default",
    "dev-policy"
  ],
  "capabilities": [
    "read",
    "list"
  ]
}

Reports backend encryption key status

get
Responses
200
Successfully retrieved key status
application/json
Response: any
400
Invalid request
application/json
500
Internal server error
application/json
get
GET /v1/sys/key-status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "term": 5,
  "install_time": "2024-11-05T12:00:00Z",
  "last_rotation": "2025-01-10T08:45:00Z"
}

Returns HA status and the current leader of Vault

get
Responses
200
Successfully returned leader status
application/json
400
Invalid request
application/json
500
Internal server error
application/json
get
GET /v1/sys/leader HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "ha_enabled": true,
  "is_self": false,
  "leader_address": "https://vault-1.example.com:8200"
}

Lists active leases

get
Responses
200
Successfully listed leases
application/json
400
Invalid request
application/json
500
Internal server error
application/json
get
GET /v1/sys/leases HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "leases": [
    {
      "path": "auth/token/create",
      "id": "a1b2c3"
    },
    {
      "path": "secret/myapp/config",
      "id": "d4e5f6"
    }
  ]
}

Returns the count of active leases

get
Responses
200
Successfully retrieved lease count
application/json
400
Invalid request
application/json
500
Internal server error
application/json
get
GET /v1/sys/leases/count HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "lease_count": 1247
}

Lists all lease paths

get
Query parameters
list (string enum, required)

Must be set to 'true' to trigger a list response.

Possible values: true
Responses
200
Successfully listed lease paths
application/json
400
Invalid query parameter
application/json
500
Internal server error
application/json
get
GET /v1/sys/leases/lookup/ HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "keys": [
    "auth/token/create/",
    "secret/data/db-creds/"
  ]
}

Lists leases under the specified prefix

get
Path parameters
prefix (string, required)

The path to list leases under. Example: "aws/creds/deploy"

Query parameters
list (string enum, required)

Must be set to 'true'

Possible values: true
Responses
200
Successfully listed leases for the prefix
application/json
400
Invalid input
application/json
404
Prefix not found
application/json
500
Internal server error
application/json
get
GET /v1/sys/leases/lookup/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "keys": [
    "aws/creds/deploy/app1",
    "aws/creds/deploy/app2"
  ]
}

Revokes all secrets or tokens generated under a given prefix immediately

post

Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.

By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.

Path parameters
prefix (string, required)

The path to revoke keys under. Example: "prod/aws/ops"

Responses
204
OK
post
POST /v1/sys/leases/revoke-force/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
No content

Retrieve the status of the currently installed license.

get
Responses
200
Successfully retrieved license status.
application/json
Response: any
500
Error retrieving license status.
application/json
get
GET /v1/sys/license/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "license_type": "enterprise",
  "expiration_time": "2025-12-31T23:59:59Z",
  "status": "valid"
}

List the locked user count metrics for the current namespace and all child namespaces.

get
Responses
200
Successfully retrieved locked user metrics.
application/json
Response: any
500
Failed to retrieve locked user metrics.
application/json
get
GET /v1/sys/locked-users HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "total_locked_users": 3,
  "namespaces": [
    {
      "name": "root",
      "locked_users": 1
    },
    {
      "name": "team-a",
      "locked_users": 2
    }
  ]
}

Unlock a locked user by mount accessor and alias identifier.

post
Path parameters
alias_identifier (string, required)

Identifier of the alias (e.g., username or RoleID).

mount_accessor (string, required)

Identifier of the mount entry associated with the user.

Responses
200
User successfully unlocked.
application/json
Response: any
404
User or mount not found.
application/json
500
Internal server error.
application/json
post
POST /v1/sys/locked-users/{mount_accessor}/unlock/{alias_identifier} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "success": true,
  "message": "User unlocked successfully"
}

Read the verbosity level for all existing loggers.

get
Responses
200
Current verbosity levels retrieved.
application/json
Response: any
500
Internal error while reading logger settings.
application/json
get
GET /v1/sys/loggers HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "default": "info",
  "loggers": {
    "audit": "warn",
    "core": "debug"
  }
}

Revert all loggers to the configured log level.

delete
Responses
204
Log levels reverted.
500
Failed to revert logger settings.
application/json
delete
DELETE /v1/sys/loggers HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read verbosity level of a specific logger.

get
Path parameters
name (string, required)

Name of the logger to read.

Responses
200
Logger verbosity level retrieved.
application/json
Response: any
404
Logger not found.
application/json
get
GET /v1/sys/loggers/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "name": "audit",
  "level": "warn"
}

Revert a specific logger to the configured log level.

delete
Path parameters
name (string, required)

Name of the logger to modify.

Responses
204
Logger reverted.
404
Logger not found.
application/json
delete
DELETE /v1/sys/loggers/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

List the managed keys of the given type.

get
Path parameters
type (string, required)
Query parameters
list (string enum, required)

Must be set to "true" to list keys.

Possible values: true
Responses
200
Managed keys listed.
application/json
Response: any
400
Missing or incorrect query parameter.
application/json
get
GET /v1/sys/managed-keys/{type} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "keys": [
    "key1",
    "key2"
  ]
}

Get a specific managed key by type and name.

get
Path parameters
type (string, required)
name (string, required)
Responses
200
Managed key details.
application/json
Response: any
404
Managed key not found.
application/json
get
GET /v1/sys/managed-keys/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "name": "key1",
  "type": "encryption",
  "status": "active"
}

Update a specific managed key by type and name.

post
Path parameters
type (string, required)
name (string, required)
Responses
200
Managed key written.
application/json
Response: any
400
Invalid input.
application/json
post
POST /v1/sys/managed-keys/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Delete a specific managed key by type and name.

delete
Path parameters
type (string, required)
name (string, required)
Responses
204
Managed key deleted.
404
Managed key not found.
application/json
delete
DELETE /v1/sys/managed-keys/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the configuration of a specific Okta MFA method.

get
Path parameters
name (string, required)

The unique name of the Okta MFA method.

Responses
200
Successfully retrieved the Okta MFA configuration.
application/json
Response: any
400
Invalid request syntax or parameters.
application/json
403
Forbidden - insufficient access rights.
application/json
404
The specified MFA method was not found.
application/json
500
Unexpected internal server error.
application/json
get
GET /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "okta-main",
    "type": "okta",
    "org_name": "example-org",
    "token": "s.exampletoken"
  }
}

Delete the specified Okta MFA method configuration.

delete
Path parameters
name (string, required)

The unique name of the Okta MFA method.

Responses
204
The method was successfully deleted; no content returned.
400
Invalid request syntax or missing required fields.
application/json
403
Forbidden – client lacks necessary permissions.
application/json
404
The requested MFA method was not found.
application/json
500
Internal server error.
application/json
delete
DELETE /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Retrieve a PingID MFA method configuration.

get
Path parameters
name (string, required)

The name of the PingID MFA method configuration.

Responses
200
Successfully retrieved the PingID configuration.
application/json
Response: any
400
Invalid input.
application/json
403
Forbidden.
application/json
404
Method not found.
application/json
500
Server error.
application/json
get
GET /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "pingid-main",
    "type": "pingid",
    "apikey": "abc123",
    "org_alias": "my-org",
    "token": "s.mytoken"
  }
}

Delete a PingID MFA method configuration by name.

delete
Path parameters
name (string, required)

The name of the PingID MFA method configuration.

Responses
204
PingID method configuration deleted successfully. No content returned.
400
Invalid request or parameters.
application/json
403
Forbidden. Client lacks necessary permissions.
application/json
404
PingID method configuration not found.
application/json
500
Internal server error.
application/json
delete
DELETE /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read a TOTP MFA method configuration.

get
Path parameters
name (string, required)

The name of the TOTP MFA method configuration.

Responses
200
Successfully retrieved the TOTP method configuration.
application/json
Response: any
400
Invalid input or missing parameters.
application/json
403
Forbidden.
application/json
404
Method not found.
application/json
500
Server error.
application/json
get
GET /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "totp-auth",
    "type": "totp",
    "issuer": "vault",
    "period": 30,
    "skew": 1
  }
}

Delete a TOTP MFA method configuration by name.

delete
Path parameters
name (string, required)

The name of the TOTP MFA method configuration.

Responses
204
TOTP method deleted successfully. No content returned.
400
Bad request or invalid input.
application/json
403
Forbidden. Insufficient permissions.
application/json
404
The specified TOTP method configuration was not found.
application/json
500
Internal server error.
application/json
delete
DELETE /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Admin-level destroy operation for a TOTP MFA method configuration.

post
Path parameters
name (string, required)

The name of the TOTP MFA method configuration to destroy.

Responses
200
The TOTP method was successfully destroyed.
application/json
Response: any
400
Invalid request format or parameters.
application/json
403
Forbidden. The user does not have the required permissions.
application/json
404
The specified TOTP method configuration was not found.
application/json
500
Internal server error.
application/json
post
POST /v1/sys/mfa/method/totp/{name}/admin-destroy HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "destroyed": true
  }
}

Generate a TOTP key and OTP URL for a specific TOTP MFA method configuration.

get
Path parameters
name (string, required)

Name of the TOTP MFA method configuration to generate a key for.

Responses
200
Successfully retrieved the TOTP key and OTP URL.
application/json
Response: any
400
Bad request — invalid request parameters.
application/json
403
Forbidden — insufficient permissions to generate TOTP key.
application/json
404
Not found — specified TOTP method does not exist.
application/json
500
Internal server error — unexpected error occurred.
application/json
get
GET /v1/sys/mfa/method/totp/{name}/generate HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "url": "otpauth://totp/vault:user@example.com?secret=XYZABC123456&issuer=vault",
    "barcode": "iVBORw0KGgoAAAANSUhEUgAA..."
  }
}
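The `period` and `skew` fields of a TOTP method configuration (shown in the read response above) and the `otpauth://` URL returned by the generate endpoint only make sense together at verification time. The following is an added example, not code from the vHSM project: it parses an otpauth URL of the shape shown above, derives RFC 6238 codes from the secret, and accepts a code if it matches the current 30-second step or any step within `skew` steps on either side. The sample URL and its base32 secret are constructed for the example; the verifier in `<test>` uses the RFC 6238 test-vector secret so the expected codes are known.

```python
"""Verify a TOTP code against an otpauth:// URL such as the one returned by
GET /v1/sys/mfa/method/totp/{name}/generate.

Added example (standard library only), not part of the vHSM project. It shows
what the `period` and `skew` fields of a TOTP method mean at verification
time: period selects the time step, skew widens the accepted window.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the secret is a made-up base32 value, not one issued
# by any real server.
SAMPLE_OTPAUTH_URL = (
    "otpauth://totp/vault:user@example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=vault"
)


def parse_otpauth(url: str) -> dict:
    """Extract label, issuer, secret, digits and period from an otpauth URL."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    params = parse_qs(parsed.query)
    secret = params.get("secret", [""])[0]
    if not secret:
        raise ValueError("otpauth URL carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [""])[0],
        "secret": secret.upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def decode_base32_secret(secret: str) -> bytes:
    """Base32-decode a TOTP secret, tolerating omitted '=' padding."""
    padding = "=" * (-len(secret) % 8)
    return base64.b32decode(secret + padding, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_at(key: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, unix_time // period, digits)


def verify_totp(url: str, code: str, unix_time: int, skew: int = 1) -> bool:
    """Accept `code` if it matches the current step or any step within +/- skew.

    A skew of 1 with a 30 s period therefore tolerates roughly 30 s of clock
    drift between the client and the server; larger skews widen the window an
    attacker who captured a code could reuse it in.
    """
    cfg = parse_otpauth(url)
    key = decode_base32_secret(cfg["secret"])
    step = unix_time // cfg["period"]
    for candidate in range(step - skew, step + skew + 1):
        expected = hotp(key, candidate, cfg["digits"])
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    cfg = parse_otpauth(SAMPLE_OTPAUTH_URL)
    current = totp_at(decode_base32_secret(cfg["secret"]), now, cfg["period"], cfg["digits"])
    print(f"{cfg['issuer']} / {cfg['label']}: current code {current}")
    print("accepted:", verify_totp(SAMPLE_OTPAUTH_URL, current, now, skew=1))
```

The constant-time comparison and the bounded skew loop are the two points a verifier should not get wrong; a production implementation would also remember the last accepted step per user so a code cannot be replayed inside its window.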

Retrieve system logs with specified log format and log level.

get

Fetch system logs based on the selected output format and log level.

Query parameters
log_format (string enum, optional)

Output format of logs. Supported values are "standard" and "json". The default is "standard".

Default: standard
log_level (string enum, optional)

Log level to view system logs at. Currently supported values are "trace", "debug", "info", "warn", "error".

Responses
200
OK
application/json
get
GET /v1/sys/monitor HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "log_format": "standard",
  "log_level": "info",
  "logs": [
    "System initialized",
    "Connection successful",
    "Error at 10:23 AM"
  ]
}

Retrieve a list of currently mounted backends.

get
Responses
200
OK
application/json
400
Bad Request
application/json
500
Internal Server Error
application/json
get
GET /v1/sys/mounts HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "mounts": [
    {
      "path": "secret/",
      "type": "kv",
      "description": "Key-Value secrets engine"
    },
    {
      "path": "pki/",
      "type": "cert",
      "description": "PKI secrets engine"
    }
  ]
}

Read the configuration of the secret engine at the given path.

get
Path parameters
path (string, required)

The path to mount to. Example: "aws/east"

Responses
200
OK
application/json
get
GET /v1/sys/mounts/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "accessor": "text",
  "config": {},
  "deprecation_status": "text",
  "description": "text",
  "external_entropy_access": true,
  "local": true,
  "options": {},
  "plugin_version": "text",
  "running_plugin_version": "text",
  "running_sha256": "text",
  "seal_wrap": true,
  "type": "text",
  "uuid": "text"
}

Disable the mount point specified at the given path.

delete
Path parameters
path (string, required)

The path to mount to. Example: "aws/east"

Responses
200
OK
delete
DELETE /v1/sys/mounts/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Read the tuning configuration of a mounted backend.

get
Path parameters
path (string, required)

The path to mount to. Example: "aws/east"

Responses
200
OK
application/json
400
Bad Request
application/json
500
Internal Server Error
application/json
get
GET /v1/sys/mounts/{path}/tune HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "default_lease_ttl": "768h",
  "max_lease_ttl": "768h",
  "description": "AWS Secrets Engine",
  "audit_non_hmac_request_keys": [
    "role"
  ]
}

List namespaces

get
Query parameters
list (string enum, required)

Must be set to true

Responses
200
OK
application/json
get
GET /v1/sys/namespaces/ HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "keys": [
    "text"
  ]
}

Unlock the API at a specific namespace path.

post
Path parameters
path (string, required)
Body
Responses
200
OK
application/json
400
Bad Request
application/json
500
Internal Server Error
application/json
post
POST /v1/sys/namespaces/api-lock/unlock/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "success": true
}

Read namespace information

get
Path parameters
path (string, required)

The path of the namespace

Responses
200
OK
application/json
get
GET /v1/sys/namespaces/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "custom_metadata": {},
  "id": "text",
  "path": "text"
}

Delete a namespace

delete
Path parameters
path (string, required)

The path of the namespace

Responses
200
OK
delete
DELETE /v1/sys/namespaces/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

List all the plugins registered with Vault.

get
Responses
200
OK
application/json
400
Bad Request
application/json
500
Internal Server Error
application/json
get
GET /v1/sys/plugins/catalog HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "example-plugin": {
      "type": "auth",
      "sha256": "abc123...",
      "command": "vault-plugin-example",
      "args": []
    }
  }
}
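The catalog response above pins each external plugin to a `sha256` digest alongside its `command`; a defender's routine check is to reconcile those pinned digests with the binaries actually deployed in the plugin directory. The following is an added example, not code from the vHSM project: the catalog JSON and the plugin bytes are constructed inline so it runs offline, and the field names (`data.<name>.sha256`, `.command`, `.builtin`) follow the responses shown on this page.

```python
"""Reconcile the plugin catalog (GET /v1/sys/plugins/catalog) with the plugin
binaries actually deployed.

Added example, not code from the vHSM project. CATALOG_RESPONSE and
PLUGIN_BINARIES are constructed stand-ins; in practice the catalog comes from
the API and the bytes from the files in the server's plugin directory.
"""
import hashlib
import hmac
import json

HEX_DIGITS = set("0123456789abcdef")

# Constructed stand-ins for plugin binaries, keyed by the catalog "command".
PLUGIN_BINARIES = {
    "vault-plugin-example": b"constructed bytes of vault-plugin-example",
    "vault-plugin-database": b"constructed bytes of vault-plugin-database",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the form the catalog stores."""
    return hashlib.sha256(data).hexdigest()


# Constructed catalog response: one entry pinned to the right digest, one to a
# stale digest, one with a truncated digest, one whose binary is not deployed,
# and one builtin plugin that carries no digest at all.
CATALOG_RESPONSE = json.dumps({
    "data": {
        "example-plugin": {
            "type": "auth",
            "sha256": sha256_hex(PLUGIN_BINARIES["vault-plugin-example"]),
            "command": "vault-plugin-example",
            "args": [],
        },
        "database-plugin": {
            "type": "database",
            "sha256": "0" * 64,
            "command": "vault-plugin-database",
            "args": [],
        },
        "legacy-plugin": {"type": "secret", "sha256": "abc123...", "command": "vault-plugin-legacy"},
        "orphan-plugin": {"type": "secret", "sha256": "f" * 64, "command": "vault-plugin-orphan"},
        "kv": {"type": "secret", "builtin": True},
    }
})


def audit_plugin_catalog(catalog_json: str, binaries: dict) -> dict:
    """Return {plugin_name: status} for every catalog entry.

    Statuses: "builtin" (no external binary to check), "unpinned" (sha256
    absent or not a 64-hex-char digest), "missing-binary" (no deployed file for
    the command), "mismatch" (deployed digest differs from the pinned one), "ok".
    """
    entries = json.loads(catalog_json)["data"]
    report = {}
    for name, entry in entries.items():
        if entry.get("builtin"):
            report[name] = "builtin"
            continue
        pinned = (entry.get("sha256") or "").lower()
        if len(pinned) != 64 or not set(pinned) <= HEX_DIGITS:
            report[name] = "unpinned"
            continue
        blob = binaries.get(entry.get("command", name))
        if blob is None:
            report[name] = "missing-binary"
        elif hmac.compare_digest(sha256_hex(blob), pinned):
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    return report


def sample_report() -> dict:
    """Run the audit over the constructed catalog and binaries."""
    return audit_plugin_catalog(CATALOG_RESPONSE, PLUGIN_BINARIES)


if __name__ == "__main__":
    for plugin, status in sorted(sample_report().items()):
        print(f"{plugin}: {status}")
```

Anything other than `ok` or `builtin` is worth an alert: a `mismatch` means the file on disk is not the one that was registered, and `unpinned` means the catalog entry cannot be checked at all.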

Return the configuration data for the plugin with the given name.

get
Path parameters
name (string, required)

The name of the plugin

Responses
200
OK
application/json
get
GET /v1/sys/plugins/catalog/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "args": [
    "text"
  ],
  "builtin": true,
  "command": "text",
  "deprecation_status": "text",
  "name": "text",
  "sha256": "text",
  "version": "text"
}

Remove the plugin with the given name.

delete
Path parameters
name (string, required)

The name of the plugin

Responses
200
OK
delete
DELETE /v1/sys/plugins/catalog/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

List the plugins in the catalog.

get
Path parameters
type (string, required)

The type of the plugin, may be auth, secret, or database

Query parameters
list (string enum, required)

Must be set to true

Responses
200
OK
application/json
get
GET /v1/sys/plugins/catalog/{type} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "keys": [
    "text"
  ]
}

Return the configuration data for the plugin with the given name.

get
Path parameters
name (string, required)

The name of the plugin

type (string, required)

The type of the plugin, may be auth, secret, or database

Responses
200
OK
application/json
get
GET /v1/sys/plugins/catalog/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "args": [
    "text"
  ],
  "builtin": true,
  "command": "text",
  "deprecation_status": "text",
  "name": "text",
  "sha256": "text",
  "version": "text"
}

Remove the plugin with the given name.

delete
Path parameters
name (string, required)

The name of the plugin

type (string, required)

The type of the plugin, may be auth, secret, or database

Responses
200
OK
delete
DELETE /v1/sys/plugins/catalog/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Check the status of any pending plugin reloads for secret backends.

get
Responses
200
OK
application/json
400
Bad Request
application/json
500
Internal Server Error
application/json
get
GET /v1/sys/plugins/reload/backend/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "reload_required": true,
  "plugins": [
    "example-plugin",
    "database-plugin"
  ]
}

Retrieve a list of all configured ACL policies.

get
Query parameters
list (string enum, required)

Must be set to true to list ACL policies.

Example: true
Responses
200
OK
application/json
400
Bad Request
application/json
500
Internal Server Error
application/json
get
GET /v1/sys/policies/acl HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "default",
      "admin",
      "readonly"
    ]
  }
}

Retrieve information about the named ACL policy.

get
Path parameters
name (string, required)

The name of the policy. Example: "ops"

Responses
200
OK
application/json
get
GET /v1/sys/policies/acl/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "name": "text",
  "policy": "text",
  "rules": "text"
}

Delete the ACL policy with the given name.

delete
Path parameters
name (string, required)

The name of the policy. Example: "ops"

Responses
204
OK
delete
DELETE /v1/sys/policies/acl/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

List all externally managed group policies (EGPs).

get
Query parameters
list (string enum, required)

Must be set to true to retrieve EGPs.

Example: true
Responses
200
OK
application/json
400
Bad Request
application/json
500
Internal Server Error
application/json
get
GET /v1/sys/policies/egp HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "egp-policy-admin",
      "egp-policy-ops"
    ]
  }
}

Read an EGP policy by name.

get
Path parameters
name (string, required)

The name of the EGP policy.

Responses
200
OK
application/json
404
EGP policy not found
application/json
get
GET /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "egp-policy-admin",
    "policy": "path \"secret/*\" {\n  capabilities = [\"read\"]\n}\n"
  }
}

Delete an EGP policy by name.

delete
Path parameters
name (string, required)

The name of the EGP policy.

Responses
204
Policy deleted successfully (empty body)
404
EGP policy not found
application/json
500
Internal Server Error
application/json
delete
DELETE /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

List the existing password policies.

get
Query parameters
list (string enum, required)

Must be set to true

Responses
200
OK
application/json
get
GET /v1/sys/policies/password HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "keys": [
    "text"
  ]
}

Retrieve an existing password policy.

get
Path parameters
name (string, required)

The name of the password policy.

Responses
204
OK
application/json
get
GET /v1/sys/policies/password/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

{
  "policy": "text"
}

Delete a password policy.

delete
Path parameters
name (string, required)

The name of the password policy.

Responses
204
OK
delete
DELETE /v1/sys/policies/password/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Generate a password from an existing password policy.

get
Path parameters
name (string, required)

The name of the password policy.

Responses
200
OK
application/json
get
GET /v1/sys/policies/password/{name}/generate HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "password": "text"
}

List all role-based group policies (RGPs).

get
Query parameters
list (string enum, required)

Must be set to true to list RGPs.

Example: true
Responses
200
OK
application/json
Response: any
400
Bad request
application/json
500
Internal server error
application/json
get
GET /v1/sys/policies/rgp HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "rgp-policy-admin",
      "rgp-policy-audit"
    ]
  }
}

Read a specific RGP policy by name.

get
Path parameters
name (string, required)

The name of the RGP policy.

Responses
200
OK
application/json
Response: any
404
RGP policy not found
application/json
get
GET /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "rgp-policy-admin",
    "policy": "path \"sys/*\" {\n  capabilities = [\"create\", \"read\", \"update\"]\n}\n"
  }
}

Delete a specific RGP policy by name.

delete
Path parameters
name (string, required)

The name of the RGP policy.

Responses
204
Policy deleted successfully (empty body)
404
RGP policy not found
application/json
500
Internal server error
application/json
delete
DELETE /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

List all access control policies.

get
Query parameters
list (string, optional)

Return a list if true

Example: true
Responses
200
OK
application/json
500
Internal server error
application/json
get
GET /v1/sys/policy HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "default",
      "root",
      "readonly"
    ]
  }
}

Retrieve the policy body for the named policy.

get
Path parameters
name (string, required)

The name of the policy. Example: "ops"

Responses
200
OK
application/json
get
GET /v1/sys/policy/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "name": "text",
  "policy": "text",
  "rules": "text"
}

Delete the policy with the given name.

delete
Path parameters
name (string, required)

The name of the policy. Example: "ops"

Responses
204
OK
delete
DELETE /v1/sys/policy/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Returns an HTML page listing the available profiles.

get

Returns an HTML page listing the available profiles. This should be mainly accessed via browsers or applications that can render pages.

Responses
200
OK
get
GET /v1/sys/pprof HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns a sampling of all past memory allocations.

get

Returns a sampling of all past memory allocations.

Responses
200
OK
get
GET /v1/sys/pprof/allocs HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns stack traces that led to blocking on synchronization primitives.

get

Returns stack traces that led to blocking on synchronization primitives.

Responses
200
OK
get
GET /v1/sys/pprof/block HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns the running program's command line.

get

Returns the running program's command line, with arguments separated by NUL bytes.

Responses
200
OK
get
GET /v1/sys/pprof/cmdline HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns stack traces of all current goroutines.

get

Returns stack traces of all current goroutines.

Responses
200
OK
get
GET /v1/sys/pprof/goroutine HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns a sampling of memory allocations of live objects.

get

Returns a sampling of memory allocations of live objects.

Responses
200
OK
get
GET /v1/sys/pprof/heap HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns stack traces of holders of contended mutexes.

get

Returns stack traces of holders of contended mutexes.

Responses
200
OK
get
GET /v1/sys/pprof/mutex HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns a pprof-formatted CPU profile payload.

get

Returns a pprof-formatted CPU profile payload. Profiling lasts for the duration given by the seconds GET parameter, or for 30 seconds if it is not specified.

Responses
200
OK
get
GET /v1/sys/pprof/profile HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns the program counters listed in the request.

get

Returns the program counters listed in the request.

Responses
200
OK
get
GET /v1/sys/pprof/symbol HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns stack traces that led to the creation of new OS threads.

get

Returns stack traces that led to the creation of new OS threads.

Responses
200
OK
get
GET /v1/sys/pprof/threadcreate HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns the execution trace in binary form.

get

Returns the execution trace in binary form. Tracing lasts for the duration given by the seconds GET parameter, or for 1 second if it is not specified.

Responses
200
OK
get
GET /v1/sys/pprof/trace HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Read the current quota configuration.

get
Responses
200
OK
application/json
404
Quota configuration not found
application/json
500
Internal server error
application/json
get
GET /v1/sys/quotas/config HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "enabled": true,
    "interval": "1s",
    "rate": 100
  }
}

List all configured lease count quotas.

get
Query parameters
list (string enum, required)

Must be set to true

Responses
200
A list of lease count quotas
application/json
Response: any
400
Invalid request
application/json
500
Internal server error
application/json
get
GET /v1/sys/quotas/lease-count HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "quota1",
      "quota2"
    ]
  }
}

Read the specified lease count quota configuration.

get
Path parameters
name (string, required)
Responses
200
Lease count quota configuration
application/json
Response: any
404
Quota not found
application/json
get
GET /v1/sys/quotas/lease-count/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "quota1",
    "max_leases": 500,
    "namespace": "root"
  }
}

Delete a lease count quota.

delete
Path parameters
name (string, required)
Responses
204
Quota deleted successfully (no content)
404
Quota not found
application/json
delete
DELETE /v1/sys/quotas/lease-count/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

List rate limit quota names

get
Query parameters
list (string enum, required)

Must be set to true

Responses
200
A list of rate limit quota names
application/json
400
Invalid request
application/json
500
Internal server error
application/json
get
GET /v1/sys/quotas/rate-limit HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "global-read-quota",
      "admin-api-quota"
    ]
  }
}

Read a specific rate limit quota configuration

get
Path parameters
name (string, required)

Name of the quota rule.

Responses
200
Rate limit quota configuration
application/json
404
Quota not found
application/json
get
GET /v1/sys/quotas/rate-limit/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "global-read-quota",
    "rate": 10,
    "interval": "1s",
    "path": "*"
  }
}

Delete a rate limit quota

delete
Path parameters
name (string, required)

Name of the quota rule.

Responses
204
Quota deleted successfully (no content)
404
Quota not found
application/json
delete
DELETE /v1/sys/quotas/rate-limit/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Return the backup copy of PGP-encrypted unseal keys.

get
Responses
200
OK
application/json
get
GET /v1/sys/rekey/backup HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "keys": {},
  "keys_base64": {},
  "nonce": "text"
}

Delete the backup copy of PGP-encrypted unseal keys.

delete
Responses
204
OK
delete
DELETE /v1/sys/rekey/backup HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Reads the configuration and progress of the current rekey attempt.

get
Responses
200
OK
application/json
get
GET /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "backup": true,
  "n": 1,
  "nounce": "text",
  "pgp_fingerprints": [
    "text"
  ],
  "progress": 1,
  "required": 1,
  "started": "text",
  "t": 1,
  "verification_nonce": "text",
  "verification_required": true
}

Cancels any in-progress rekey.

delete

This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.

Responses
200
OK
delete
DELETE /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Read the backup of the recovery keys

get
Responses
200
Successfully retrieved the recovery key backup
application/json
404
No recovery key backup found
application/json
500
Internal server error
application/json
get
GET /v1/sys/rekey/recovery-key-backup HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys_base64": [
      "Q2FzZV9Bbm90aGVyX0tleQ==",
      "U29tZV9CYXNlNjRfRW5jb2RlZF9LZXk="
    ]
  }
}

Delete the recovery key backup

delete
Responses
204
Successfully deleted the recovery key backup
404
No recovery key backup to delete
application/json
500
Internal server error
application/json
delete
DELETE /v1/sys/rekey/recovery-key-backup HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the configuration and progress of the current rekey verification attempt.

get
Responses
200
OK
application/json
get
GET /v1/sys/rekey/verify HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "n": 1,
  "nounce": "text",
  "progress": 1,
  "started": "text",
  "t": 1
}

Cancel any in-progress rekey verification operation.

delete

This clears any progress made and resets the nonce. Unlike a DELETE against sys/rekey/init, this only resets the current verification operation, not the entire rekey attempt.

Responses
200
OK
application/json
delete
DELETE /v1/sys/rekey/verify HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "n": 1,
  "nounce": "text",
  "progress": 1,
  "started": "text",
  "t": 1
}

Check status of a mount migration

get
Path parameters
migration_id (string, required)

The ID of the migration operation

Responses
200
OK
application/json
get
GET /v1/sys/remount/status/{migration_id} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "migration_id": "text",
  "migration_info": {}
}

Demotes the DR primary node

post
Responses
200
DR primary successfully demoted
application/json
Response: any
500
Internal server error
application/json
post
POST /v1/sys/replication/dr/primary/demote HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Demotion initiated"
  }
}

Disables the DR primary replication

post
Responses
200
DR replication successfully disabled
application/json
Response: any
500
Internal server error
application/json
post
POST /v1/sys/replication/dr/primary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "DR primary disabled"
  }
}

Reload a specific DR secondary subsystem configuration.

post
Path parameters
subsystem (string, required)
Responses
200
Configuration reloaded successfully.
application/json
Response: any
post
POST /v1/sys/replication/dr/secondary/config/reload/{subsystem} HTTP/1.1
Host: localhost:8200
Accept: */*
200

Configuration reloaded successfully.

{
  "data": {
    "message": "Reload triggered for 'storage' subsystem."
  }
}

Disable DR secondary replication.

post
Responses
200
DR secondary replication disabled.
application/json
Response: any
post
POST /v1/sys/replication/dr/secondary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
200

DR secondary replication disabled.

{
  "data": {
    "message": "Secondary disabled."
  }
}

Generate a new DR secondary public key.

post
Responses
200
Public key generated.
application/json
Response: any
post
POST /v1/sys/replication/dr/secondary/generate-public-key HTTP/1.1
Host: localhost:8200
Accept: */*
200

Public key generated.

{
  "data": {
    "public_key": "-----BEGIN PUBLIC KEY-----\nABC123...\n-----END PUBLIC KEY-----"
  }
}

Check license status on the DR secondary.

get
Responses
200
License status retrieved.
application/json
Response: any
get
GET /v1/sys/replication/dr/secondary/license/status HTTP/1.1
Host: localhost:8200
Accept: */*
200

License status retrieved.

{
  "data": {
    "valid": true,
    "expiry": "2025-12-31T23:59:59Z"
  }
}

Delete the DR secondary operation token.

post
Responses
200
Operation token deleted.
application/json
Response: any
post
POST /v1/sys/replication/dr/secondary/operation-token/delete HTTP/1.1
Host: localhost:8200
Accept: */*
200

Operation token deleted.

{
  "data": {
    "message": "Operation token deleted."
  }
}

Promote the DR secondary to primary.

post
Responses
200
Secondary promoted to primary.
application/json
Response: any
post
POST /v1/sys/replication/dr/secondary/promote HTTP/1.1
Host: localhost:8200
Accept: */*
200

Secondary promoted to primary.

{
  "data": {
    "message": "Secondary promoted to primary."
  }
}

Recover a DR secondary.

post
Responses
200
Secondary recovery started.
application/json
Response: any
post
POST /v1/sys/replication/dr/secondary/recover HTTP/1.1
Host: localhost:8200
Accept: */*
200

Secondary recovery started.

{
  "data": {
    "message": "Recovery initiated."
  }
}

Trigger reindexing on the DR secondary.

post
Responses
200
Reindexing triggered.
application/json
Response: any
post
POST /v1/sys/replication/dr/secondary/reindex HTTP/1.1
Host: localhost:8200
Accept: */*
200

Reindexing triggered.

{
  "data": {
    "message": "Reindex started."
  }
}

Read DR replication status.

get
Responses
200
DR status retrieved.
application/json
Response: any
get
GET /v1/sys/replication/dr/status HTTP/1.1
Host: localhost:8200
Accept: */*
200

DR status retrieved.

{
  "data": {
    "mode": "secondary",
    "cluster_id": "abc123"
  }
}

Demote the performance primary cluster.

post
Responses
200
Demotion successful.
application/json
Response: any
post
POST /v1/sys/replication/performance/primary/demote HTTP/1.1
Host: localhost:8200
Accept: */*
200

Demotion successful.

{
  "data": {
    "message": "Primary demoted."
  }
}

Disable performance primary replication.

post
Responses
200
Replication disabled.
application/json
Response: any
post
POST /v1/sys/replication/performance/primary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
200

Replication disabled.

{
  "data": {
    "message": "Primary replication disabled."
  }
}

Read a dynamic filter by ID.

get
Path parameters
id (string, required)
Responses
200
Filter details retrieved.
application/json
Response: any
get
GET /v1/sys/replication/performance/primary/dynamic-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
200

Filter details retrieved.

{
  "data": {
    "id": "filter-abc",
    "paths": [
      "auth/*"
    ]
  }
}

Get a paths filter by ID.

get
Path parameters
id (string, required)
Responses
200
Filter details.
application/json
Response: any
get
GET /v1/sys/replication/performance/primary/paths-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
200

Filter details.

{
  "data": {
    "id": "paths-filter-xyz",
    "paths": [
      "secret/data/*"
    ]
  }
}

Delete a paths filter by ID.

delete
Path parameters
id (string, required)
Responses
204
Filter deleted successfully.
delete
DELETE /v1/sys/replication/performance/primary/paths-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
204

Filter deleted successfully.

No content

Revoke a secondary from the performance primary.

post
Responses
200
Secondary revoked successfully.
application/json
Response: any
post
POST /v1/sys/replication/performance/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Accept: */*
200

Secondary revoked successfully.

{
  "data": {
    "message": "Secondary revoked."
  }
}

Disable a performance secondary.

post
Responses
200
Secondary disabled.
application/json
Response: any
post
POST /v1/sys/replication/performance/secondary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
200

Secondary disabled.

{
  "data": {
    "message": "Secondary disabled."
  }
}

Get a secondary dynamic filter by ID.

get
Path parameters
id (string, required)
Responses
200
Filter information retrieved.
application/json
Response: any
get
GET /v1/sys/replication/performance/secondary/dynamic-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
200

Filter information retrieved.

{
  "data": {
    "id": "filter-123",
    "paths": [
      "auth/token/*"
    ]
  }
}

Generate public key for performance secondary.

post
Responses
200
Public key generated.
application/json
Response: any
post
POST /v1/sys/replication/performance/secondary/generate-public-key HTTP/1.1
Host: localhost:8200
Accept: */*
200

Public key generated.

{
  "data": {
    "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
  }
}

Promote performance secondary to primary.

post
Responses
200
Secondary promoted to primary.
application/json
Response: any
post
POST /v1/sys/replication/performance/secondary/promote HTTP/1.1
Host: localhost:8200
Accept: */*
200

Secondary promoted to primary.

{
  "data": {
    "message": "Secondary promoted to primary."
  }
}

Get the status of performance replication.

get
Responses
200
Replication status returned.
application/json
Response: any
get
GET /v1/sys/replication/performance/status HTTP/1.1
Host: localhost:8200
Accept: */*
200

Replication status returned.

{
  "data": {
    "mode": "primary",
    "cluster_id": "cluster-xyz"
  }
}

Demote the current primary cluster.

post
Responses
200
Primary successfully demoted.
application/json
Response: any
403
Forbidden - insufficient permissions.
application/json
post
POST /v1/sys/replication/primary/demote HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Primary cluster demoted."
  }
}

Disable the replication feature on the primary.

post
Responses
200
Replication disabled on primary.
application/json
Response: any
403
Forbidden - operation not permitted.
application/json
post
POST /v1/sys/replication/primary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Replication disabled on primary."
  }
}

Revoke the replication relationship with a secondary.

post
Responses
200
Secondary successfully revoked.
application/json
Response: any
403
Forbidden
application/json
POST /v1/sys/replication/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Secondary replication revoked."
  }
}

Trigger internal recovery of the replication state.

post
Responses
200
Recovery initiated.
application/json
Response: any
500
Server error during recovery.
application/json
POST /v1/sys/replication/recover HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Recovery initiated successfully."
  }
}

Trigger a reindex of all replication state data.

post
Responses
200
Reindexing triggered.
application/json
Response: any
403
Sudo required
application/json
POST /v1/sys/replication/reindex HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Reindex triggered successfully."
  }
}

Disable replication on a secondary cluster.

post
Responses
200
Secondary replication disabled.
application/json
Response: any
403
Not allowed
application/json
POST /v1/sys/replication/secondary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Secondary disabled."
  }
}

Promote a performance or DR secondary to become the primary.

post
Responses
200
Secondary successfully promoted.
application/json
Response: any
409
Conflict - replication state prevents promotion.
application/json
POST /v1/sys/replication/secondary/promote HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Secondary promoted to primary."
  }
}

Get the current status of replication for this Vault node.

get
Responses
200
Current replication status returned.
application/json
Response: any
500
Error retrieving replication status.
application/json
GET /v1/sys/replication/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "mode": "performance",
    "state": "secondary",
    "primary_cluster_addr": "https://vault-primary.example.com:8200",
    "known_secondaries": [
      {
        "cluster_id": "us-west-secondary",
        "api_address": "https://vault-us-west.example.com:8200"
      }
    ]
  }
}

Revokes all secrets or tokens generated under a given prefix immediately

post

Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.

By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.

Path parameters
prefix (string, Required)

The path to revoke keys under. Example: "prod/aws/ops"

Responses
204
OK
POST /v1/sys/revoke-force/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Rotate the backend encryption key.

post

Rotates the backend encryption key used to persist Vault data. This operation is a no-op if key rotation is disabled.

Responses
204
Key rotation successful. No content returned.
403
Forbidden. Sudo permissions required.
application/json
500
Internal server error during key rotation.
application/json
POST /v1/sys/rotate HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read encryption key rotation configuration.

get
Responses
200
Current encryption key rotation configuration.
application/json
500
Internal error fetching configuration.
application/json
GET /v1/sys/rotate/config HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "auto_rotate_period": "24h",
    "last_rotation_time": "2025-05-01T00:00:00Z"
  }
}

Seal the Vault.

post
Responses
204
OK
POST /v1/sys/seal HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Check the seal status of a Vault.

get
Responses
200
Success
application/json
GET /v1/sys/seal-status HTTP/1.1
Host: localhost:8200
Accept: */*
200

Success

{
  "build_date": "text",
  "cluster_id": "text",
  "cluster_name": "text",
  "hcp_link_resource_ID": "text",
  "hcp_link_status": "text",
  "initialized": true,
  "migration": true,
  "n": 1,
  "nonce": "text",
  "progress": 1,
  "recovery_seal": true,
  "sealed": true,
  "storage_type": "text",
  "t": 1,
  "type": "text",
  "version": "text"
}

Check sealwrap rewrap status

get

Returns information about keys or values that require rewrap due to changes in the underlying seal configuration.

Responses
200
Sealwrap rewrap status retrieved successfully.
application/json
Response: any
500
Internal error while fetching rewrap status.
application/json
GET /v1/sys/sealwrap/rewrap HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys_to_rewrap": [
      "sys/policy/foo",
      "auth/token/accessor/bar"
    ],
    "total": 2
  }
}

Cause the node to give up active status.

post

This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.

Responses
204
empty body
POST /v1/sys/step-down HTTP/1.1
Host: localhost:8200
Accept: */*
204

empty body

No content

List all configured automatic snapshot jobs

get
Query parameters
list (string · enum, Required)

Must be set to true

Possible values:
Responses
200
Successfully listed configured snapshot jobs.
application/json
Response: any
400
Missing or incorrect `list=true` query parameter.
application/json
GET /v1/sys/storage/raft/snapshot-auto/config/ HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "daily",
      "hourly"
    ]
  }
}

Read configuration for a specific snapshot job

get
Path parameters
name (string, Required)

The name of the snapshot job configuration.

Responses
200
Snapshot job configuration retrieved.
application/json
Response: any
404
Snapshot configuration not found.
application/json
GET /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "interval": "1h",
    "retain": 5,
    "storage_path_prefix": "snapshots/hourly"
  }
}

Delete the specified snapshot job configuration

delete
Path parameters
name (string, Required)

The name of the snapshot job configuration.

Responses
204
Snapshot configuration deleted. Empty response body.
404
Configuration not found.
application/json
DELETE /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read status of a named snapshot job

get
Path parameters
name (string, Required)

The name of the snapshot job

Responses
200
Status of the snapshot job retrieved successfully.
application/json
Response: any
404
No such snapshot job exists.
application/json
GET /v1/sys/storage/raft/snapshot-auto/status/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "last_snapshot": "2025-05-01T10:00:00Z",
    "next_snapshot_due": "2025-05-01T11:00:00Z",
    "state": "active"
  }
}

Returns map of historical version change entries

get
Query parameters
list (string · enum, Required)

Must be set to true

Possible values:
Responses
200
OK
application/json
GET /v1/sys/version-history HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "key_info": {},
  "keys": [
    "text"
  ]
}

Look up wrapping properties for the requester's token.

get
Responses
200
OK
application/json
GET /v1/sys/wrapping/lookup HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "creation_path": "text",
  "creation_time": "2025-05-09T09:42:38.637Z",
  "creation_ttl": 1
}

List the enabled audit devices

get
Body
object, Optional
Responses
200
Successfully retrieved enabled audit devices.
application/json
Response: any
400
Bad request due to client error.
application/json
401
Unauthorized. Vault token is invalid or missing.
application/json
403
Forbidden. Caller lacks sufficient permission.
application/json
500
Internal server error.
application/json
GET /v1/sys/audit HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 2

{}
{
  "file/": {
    "type": "file",
    "description": "Logs to a file",
    "options": {
      "file_path": "/var/log/vault_audit.log"
    },
    "local": true,
    "seal_wrap": false,
    "state": "enabled"
  }
}

Calculate hash via audit backend.

post
Path parameters
path (string, Required)

The name of the audit backend. Cannot be delimited. Example: 'mysql'

Body
input (string, Optional)
Responses
200
Successfully calculated the hash of the input.
application/json
400
Bad request due to malformed or missing data.
application/json
401
Unauthorized. Vault token is invalid or missing.
application/json
403
Forbidden. Insufficient permissions.
application/json
500
Internal server error.
application/json
POST /v1/sys/audit-hash/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34

{
  "input": "sensitive-secret-value"
}
{
  "hash": "af4fd66bc72a1a1dc6c9c3bfa20c4ee7b7fda77a824..."
}
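The audit-hash endpoint lets an operator turn a known plaintext value into the form an audit device writes, so the two can be correlated during an investigation. The following Python is an added example, not code from this API reference or the vHSM project: it requests the hash for a value and then scans audit log lines for every entry that carried it. The base URL, token, audit log lines and the hash value are constructed placeholders, and the Vault-style X-Vault-Token header and JSON-lines audit layout are assumptions.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, Iterable, List, Optional

# Transport hook: (url, headers, body) -> raw response bytes.
Transport = Callable[[str, Dict[str, str], bytes], bytes]


def _http_post(url: str, headers: Dict[str, str], body: bytes) -> bytes:
    """Default transport: a real HTTPS POST (not used by the offline demo)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def audit_hash(base_url: str, token: str, device: str, value: str,
               post: Optional[Transport] = None) -> str:
    """Ask POST /v1/sys/audit-hash/{device} for the audit hash of `value`.

    Assumption: the server accepts the Vault-style X-Vault-Token header.
    `post` is a transport hook so the call can be exercised offline.
    """
    url = f"{base_url.rstrip('/')}/v1/sys/audit-hash/{device}"
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    body = json.dumps({"input": value}).encode()
    raw = (post or _http_post)(url, headers, body)
    return json.loads(raw)["hash"]


def _walk(node: Any, needle: str, path: str, hits: List[str]) -> None:
    """Recursively collect JSON paths whose string value equals `needle`."""
    if isinstance(node, dict):
        for key, val in node.items():
            _walk(val, needle, f"{path}.{key}" if path else key, hits)
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            _walk(val, needle, f"{path}[{idx}]", hits)
    elif isinstance(node, str) and node == needle:
        hits.append(path)


def find_entries_for_hash(lines: Iterable[str], hashed: str) -> List[Dict[str, Any]]:
    """Scan JSON-lines audit output and return one record per entry containing `hashed`.

    Each record carries the entry type, timestamp, request id, request path and the
    JSON locations where the hash appeared. Blank or malformed lines are skipped.
    """
    matches: List[Dict[str, Any]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits: List[str] = []
        _walk(entry, hashed, "", hits)
        if hits:
            req = entry.get("request") or {}
            matches.append({
                "type": entry.get("type"),
                "time": entry.get("time"),
                "request_id": req.get("id"),
                "path": req.get("path"),
                "locations": hits,
            })
    return matches


# Constructed sample data: a placeholder hash (not real vHSM output) and three
# constructed audit entries in the assumed JSON-lines layout, plus one junk line.
SAMPLE_HASH = "af4fd66bc72a1a1dc6c9c3bfa20c4ee7b7fda77a824-placeholder"
SAMPLE_AUDIT_LINES = [
    json.dumps({"time": "2025-05-09T09:40:00Z", "type": "request",
                "request": {"id": "req-1", "operation": "update", "path": "secret/data/db",
                            "data": {"data": {"password": SAMPLE_HASH}}}}),
    json.dumps({"time": "2025-05-09T09:41:00Z", "type": "response",
                "request": {"id": "req-2", "operation": "read", "path": "secret/data/db"},
                "response": {"data": {"data": {"password": SAMPLE_HASH}}}}),
    json.dumps({"time": "2025-05-09T09:42:00Z", "type": "request",
                "request": {"id": "req-3", "operation": "read", "path": "sys/health"}}),
    "not json at all",
]


def demo() -> List[Dict[str, Any]]:
    """Offline run: a fake transport stands in for the vHSM server."""
    def fake_post(url: str, headers: Dict[str, str], body: bytes) -> bytes:
        if not url.endswith("/v1/sys/audit-hash/file"):
            raise ValueError(f"unexpected url {url}")
        if json.loads(body)["input"] != "sensitive-secret-value":
            raise ValueError("unexpected input")
        return json.dumps({"hash": SAMPLE_HASH}).encode()

    hashed = audit_hash("https://vhsm.example:8200", "s.placeholder-token", "file",
                        "sensitive-secret-value", post=fake_post)
    return find_entries_for_hash(SAMPLE_AUDIT_LINES, hashed)


if __name__ == "__main__":
    for match in demo():
        print(match)
```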

Enable a new audit device at the supplied path.

post
Path parameters
path (string, Required)

The name of the backend. Cannot be delimited. Example: 'mysql'

Body
description (string, Optional)

User-friendly description for this audit backend.

local (boolean, Optional)

Mark the mount as a local mount, which is not replicated and is unaffected by replication.

Default: false
options (object · kvpairs, Optional)

Configuration options for the audit backend.

type (string, Optional)

The type of the backend. Example: "mysql"

Responses
204
Audit device successfully enabled. No content is returned.
application/json
400
Bad Request - The provided request body is invalid.
POST /v1/sys/audit/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 97

{
  "type": "file",
  "description": "Logs to a file",
  "options": {
    "file_path": "/var/log/vault_audit.log"
  }
}

No content

Enables a new auth method.

post

After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. For example, enabling the "userpass" auth method at "user" will make it accessible at /auth/user.

Path parameters
path (string, Required)

The path to mount to. Cannot be delimited. Example: 'user'

Body
config (object · map, Optional)

Configuration for this mount, such as plugin_name.

description (string, Optional)

User-friendly description for this credential backend.

external_entropy_access (boolean, Optional)

Whether to give the mount access to Vault's external entropy.

Default: false
local (boolean, Optional)

Mark the mount as a local mount, which is not replicated and is unaffected by replication.

Default: false
options (object · kvpairs, Optional)

The options to pass into the backend. Should be a JSON object with string keys and values.

plugin_name (string, Optional)

Name of the auth plugin to use, taken from the name in the plugin catalog.

plugin_version (string, Optional)

The semantic version of the plugin to use.

seal_wrap (boolean, Optional)

Whether to turn on seal wrapping for the mount.

Default: false
type (string, Optional)

The type of the backend. Example: "userpass"

Responses
204
Auth method successfully enabled. No content is returned.
application/json
400
Bad Request - Validation error or malformed input.
application/json
401
Unauthorized - Permission denied or token missing.
application/json
POST /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 132

{
  "type": "userpass",
  "description": "Enable user/password authentication",
  "config": {
    "default_lease_ttl": "768h",
    "max_lease_ttl": "768h"
  }
}
{}

Tune configuration parameters for a given auth path.

post

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Path parameters
path (string, Required)

Tune the configuration parameters for an auth path.

Body
allowed_response_headers (string[], Optional)

A list of headers to whitelist and allow a plugin to set on responses.

audit_non_hmac_request_keys (string[], Optional)

The list of keys in the request data object that will not be HMAC'ed by audit devices.

audit_non_hmac_response_keys (string[], Optional)

The list of keys in the response data object that will not be HMAC'ed by audit devices.

default_lease_ttl (string, Optional)

The default lease TTL for this mount.

description (string, Optional)

User-friendly description for this credential backend.

listing_visibility (string, Optional)

Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and 'hidden'; the empty default ('') behaves like 'hidden'.

max_lease_ttl (string, Optional)

The max lease TTL for this mount.

options (object · kvpairs, Optional)

The options to pass into the backend. Should be a JSON object with string keys and values.

passthrough_request_headers (string[], Optional)

A list of headers to whitelist and pass from the request to the plugin.

plugin_version (string, Optional)

The semantic version of the plugin to use.

token_type (string, Optional)

The type of token to issue (service or batch).

user_lockout_config (object · map, Optional)

The user lockout configuration to pass into the backend. Should be a JSON object with string keys and values.

Responses
204
Successfully updated tuning parameters. No content is returned.
application/json
400
Bad Request - Validation error in request.
application/json
401
Unauthorized - Missing or invalid token.
application/json
POST /v1/sys/auth/{path}/tune HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 165

{
  "default_lease_ttl": "500h",
  "max_lease_ttl": "900h",
  "listing_visibility": "unauth",
  "audit_non_hmac_request_keys": [
    "username"
  ],
  "audit_non_hmac_response_keys": [
    "token"
  ]
}
{}

Returns the capabilities of the calling token on the specified paths.

post
Body
path (string[], Optional, Deprecated)

Use 'paths' instead.

paths (string[], Optional)

Paths on which capabilities are being queried.

token (string, Optional)

Token for which capabilities are being queried.

Responses
200
Successfully retrieved capabilities for the given paths.
application/json
Responseany
400
Bad Request - Invalid request or missing fields.
application/json
401
Unauthorized - The token is invalid or expired.
application/json
POST /v1/sys/capabilities HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 58

{
  "paths": [
    "secret/data/finance",
    "auth/token/lookup-self"
  ]
}
{
  "capabilities": [
    "create",
    "read",
    "update"
  ]
}

Returns the capabilities of the token identified by the accessor on the specified paths.

post
Body
accessor (string, Optional)

Accessor of the token for which capabilities are being queried.

path (string[], Optional, Deprecated)

Use 'paths' instead.

paths (string[], Optional)

Paths on which capabilities are being queried.

Responses
200
Successfully retrieved capabilities for the given paths.
application/json
Responseany
400
Bad Request - Missing or invalid accessor or paths.
application/json
401
Unauthorized - Invalid credentials or insufficient permissions.
application/json
POST /v1/sys/capabilities-accessor HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 91

{
  "accessor": "dcb1dd7d-4bfc-3957-4b5d-b1595b0c099c",
  "paths": [
    "secret/data/hr",
    "sys/policy"
  ]
}
{
  "capabilities": [
    "read",
    "list"
  ]
}

Returns the capabilities of the calling token on the given paths.

post
Body
path (string[], Optional, Deprecated)

Use 'paths' instead.

paths (string[], Optional)

Paths on which capabilities are being queried.

token (string, Optional)

Token for which capabilities are being queried.

Responses
200
Successfully retrieved capabilities for the specified paths.
application/json
Responseany
400
Bad Request - Missing or invalid paths field.
application/json
401
Unauthorized - Token is missing, invalid, or lacks necessary permissions.
application/json
POST /v1/sys/capabilities-self HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 43

{
  "paths": [
    "secret/data/team",
    "sys/policy"
  ]
}
{
  "capabilities": [
    "read",
    "list"
  ]
}

Enable auditing of a header.

post
Path parameters
header (string, Required)

The name of the request header to audit.

Example: X-Request-ID
Body
hmac (boolean, Optional)
Responses
204
Auditing for the header enabled successfully.
400
Bad Request - Could not enable auditing for header.
application/json
401
Unauthorized - Insufficient permissions.
application/json
POST /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13

{
  "hmac": true
}

No content

Configure control group parameters.

post
Body
any, Optional
Responses
200
Control group configuration updated successfully.
application/json
Response: any
400
Bad Request - Invalid config.
application/json
401
Unauthorized - Access denied.
application/json
POST /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 130

{
  "control_group": {
    "enforcement_level": "soft-mandatory",
    "thresholds": {
      "approvals": 2,
      "reviewers": [
        "team-leads",
        "security-admins"
      ]
    }
  }
}
{
  "control_group": {
    "enforcement_level": "soft-mandatory",
    "thresholds": {
      "approvals": 2,
      "reviewers": [
        "team-leads",
        "security-admins"
      ]
    }
  }
}

Configure the CORS settings.

post
Body
allowed_headers (string[], Optional)

A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.

allowed_origins (string[], Optional)

A comma-separated string or array of strings indicating origins that may make cross-origin requests.

enable (boolean, Optional)

Enables or disables CORS headers on requests.

Responses
204
CORS settings successfully updated.
400
Invalid CORS configuration.
application/json
403
Not authorized.
application/json
post
POST /v1/sys/config/cors HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 145

{
  "enable": true,
  "allowed_origins": [
    "https://example.com"
  ],
  "allowed_headers": [
    "Authorization",
    "X-Custom-Header"
  ]
}

No content
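The body must use the documented field names: sending `enabled` instead of `enable` does not fail the request, the unknown key is simply ignored and CORS stays off. The following helper, an added example that is not part of the vHSM documentation, builds a request body with the documented fields and flags settings worth a second look before they reach the server (a wildcard origin, a non-HTTPS origin, a wildcard combined with the Authorization header). The findings are this example's own hardening policy, not rules the server enforces, and the example.com origins are hypothetical.

```python
"""Added example: build and lint a body for POST /v1/sys/config/cors.

The checks are this example's own policy; the server accepts any of these
settings. Origins below are hypothetical."""
import json
from urllib.parse import urlsplit


def _as_list(value) -> list:
    # The API also accepts a comma-separated string for both array fields.
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value or [])


def cors_issues(body: dict) -> list:
    """Return findings for a CORS configuration body (empty list == clean)."""
    issues = []
    if "enabled" in body:
        issues.append('use "enable", not "enabled": unknown keys are ignored, so CORS would stay off')
    origins = _as_list(body.get("allowed_origins"))
    headers = {h.lower() for h in _as_list(body.get("allowed_headers"))}
    for origin in origins:
        if origin == "*":
            issues.append("wildcard origin: any site can drive the API from a logged-in browser")
            continue
        parts = urlsplit(origin)
        if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
            issues.append(f"origin {origin!r} must be https scheme + host only (no path, no query)")
    if "*" in origins and "authorization" in headers:
        issues.append("wildcard origin combined with the Authorization header")
    return issues


def cors_body(origins: list, headers: list, enable: bool = True) -> str:
    """Serialise a request body with the documented field names; raises on findings."""
    body = {"enable": enable, "allowed_origins": origins, "allowed_headers": headers}
    found = cors_issues(body)
    if found:
        raise ValueError("; ".join(found))
    return json.dumps(body)


# Weak configuration next to its corrected form (constructed for this example).
WEAK = {"enabled": True, "allowed_origins": ["*"], "allowed_headers": ["Authorization"]}
HARDENED = {"enable": True, "allowed_origins": ["https://ui.example.com"],
            "allowed_headers": ["Authorization", "X-Custom-Header"]}
```

`cors_body` is what you would feed to the POST; run `cors_issues` over an existing configuration read back from the server to audit it.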

Configure the group policy application settings.

post
Body
anyOptional
Responses
200
Group policy application configuration updated successfully.
application/json
Responseany
post
POST /v1/sys/config/group-policy-application HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 68

{
  "enabled": true,
  "default_policy": "default",
  "override_allowed": false
}
200

Group policy application configuration updated successfully.

No content

Reload the given subsystem

post
Path parameters
subsystemstringRequired

The name of the subsystem to reload.

Example: plugin-catalog
Body
anyOptional
Responses
204
Subsystem reloaded successfully.
400
Invalid request.
application/json
403
Forbidden. The client does not have permission to reload the subsystem.
application/json
404
Subsystem not found.
application/json
500
Internal server error while reloading subsystem.
application/json
post
POST /v1/sys/config/reload/{subsystem} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 2

{}

No content

Return a list of configured UI headers.

get
Query parameters
liststring · enumRequired

Must be set to true

Possible values:
Responses
200
Returns a list of configured UI headers.
application/json
400
Bad request. The request is malformed or missing required parameters.
application/json
401
Unauthorized. The request lacks valid authentication credentials.
application/json
403
Forbidden. The client does not have permission to access the requested resource.
application/json
404
Not Found. The requested resource does not exist.
application/json
500
Internal Server Error. A server-side error occurred.
application/json
get
GET /v1/sys/config/ui/headers?list=true HTTP/1.1
Host: localhost:8200
Accept: */*

{
  "keys": [
    "text"
  ]
}

Configure the values to be returned for the UI header.

post
Path parameters
headerstringRequired

The name of the header.

Body
multivaluebooleanOptional

Returns multiple values if true

valuesstring[]Optional

The values to set the header.

Responses
200
Header value successfully configured.
400
Bad request. The request is malformed or missing required parameters.
application/json
404
Not Found. The requested header does not exist.
application/json
500
Internal Server Error. A server-side error occurred.
application/json
post
POST /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 48

{
  "values": [
    "example-header-value"
  ]
}

No content

Authorizes a control group by assigning permissions

post
Body
group_idstringRequired

The control group ID to authorize.

Responses
200
Authorization successful.
400
Bad request. The request is malformed or missing required parameters.
application/json
401
Unauthorized. The request lacks valid authentication credentials.
application/json
403
Forbidden. The client does not have permission to perform this action.
application/json
500
Internal Server Error. A server-side error occurred.
application/json
post
POST /v1/sys/control-group/authorize HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 63

{
  "group_id": "control-group-123",
  "permissions": [
    "read",
    "write"
  ]
}

No content

Submit a request for control group authorization

post
Body
request_idstringRequired

Unique identifier for the control group request.

Responses
200
Request processed successfully.
application/json
400
Bad Request - The request is malformed or missing required parameters.
application/json
401
Unauthorized - Authentication credentials were missing or invalid.
application/json
403
Forbidden - You do not have permission to perform this action.
application/json
404
Not Found - The control group or requested resource does not exist.
application/json
500
Internal Server Error - An unexpected error occurred on the server.
application/json
post
POST /v1/sys/control-group/request HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 88

{
  "request_id": "request-456",
  "data": {
    "operation": "access-database",
    "resource": "db-prod"
  }
}
{
  "status": "success",
  "message": "Control group request submitted successfully."
}

Decode an encoded token using a one-time password (OTP)

post

This endpoint decodes an encoded token using the provided one-time password (OTP). It can be used in unauthenticated contexts.

Body
encoded_tokenstringOptional

Specifies the encoded token (result from generate-root).

otpstringOptional

Specifies the one-time password that protected the token: the value supplied to, or returned by, the root generation attempt.

Responses
200
Successfully decoded the token.
application/json
400
Bad Request - The request is malformed or missing required parameters.
application/json
401
Unauthorized - Authentication credentials are missing or invalid.
application/json
403
Forbidden - The provided credentials are valid but insufficient.
application/json
404
Not Found - The token or associated resources could not be found.
application/json
500
Internal Server Error - An unexpected server-side error occurred.
application/json
post
POST /v1/sys/decode-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 63

{
  "encoded_token": "encoded-token-value",
  "otp": "123456"
}
{
  "decoded_token": "decoded-value"
}

List available and enabled experimental features in Vault.

get
Body
objectOptional
Responses
200
Successfully returned the list of experimental features.
application/json
400
Bad Request - The request is malformed or missing required parameters.
application/json
401
Unauthorized - Authentication credentials are missing or invalid.
application/json
403
Forbidden - You do not have permission to access experimental features.
application/json
404
Not Found - The resource for experimental features could not be located.
application/json
500
Internal Server Error - An unexpected error occurred on the server.
application/json
get
GET /v1/sys/experiments HTTP/1.1
Host: localhost:8200
Accept: */*

{
  "features": [
    {
      "name": "new-auth-method",
      "enabled": true
    },
    {
      "name": "faster-raft-replication",
      "enabled": false
    }
  ]
}

Initialize a new root token generation attempt.

post

Starts a new root generation attempt. Only one attempt can be active at a time. The new root token never leaves the server in clear: it is either XORed with a one-time password (otp) and recovered with sys/decode-token, or encrypted to the supplied pgp_key. Supply at most one of otp or pgp_key; if neither is given, the server generates an OTP and returns it in the response (otp, otp_length). Keep the nonce from the response, every update call must present it.

Body
otpstringOptional

Specifies the one-time password to XOR with the generated root token. Its length must match the token length the server reports as otp_length.

pgp_keystringOptional

Specifies a base64-encoded PGP public key (the raw binary key, not an ASCII-armored block). The generated root token is encrypted to this key and is decrypted offline with the matching private key.

Responses
200
Successfully initialized the root generation attempt.
application/json
400
Bad Request - Missing required parameters or invalid input.
application/json
401
Unauthorized - Authentication credentials are missing or invalid.
application/json
403
Forbidden - Insufficient permissions to initialize root generation.
application/json
409
Conflict - A root generation attempt is already in progress.
application/json
500
Internal Server Error - Unexpected server-side error.
application/json
post
POST /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 48

{
  "pgp_key": "base64-encoded-pgp-public-key"
}
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}

Initialize a new root token generation attempt.

post

Starts a new root generation attempt. Only one attempt can be active at a time. The new root token never leaves the server in clear: it is either XORed with a one-time password (otp) and recovered with sys/decode-token, or encrypted to the supplied pgp_key. Supply at most one of otp or pgp_key; if neither is given, the server generates an OTP and returns it in the response (otp, otp_length). Keep the nonce from the response, every update call must present it.

Body
otpstringOptional

Specifies the one-time password to XOR with the generated root token. Its length must match the token length the server reports as otp_length.

pgp_keystringOptional

Specifies a base64-encoded PGP public key (the raw binary key, not an ASCII-armored block). The generated root token is encrypted to this key and is decrypted offline with the matching private key.

Responses
200
Successfully initialized the root generation attempt.
application/json
400
Bad Request - Missing required parameters or invalid input.
application/json
401
Unauthorized - Missing or invalid authentication credentials.
application/json
403
Forbidden - You do not have permission to initiate root generation.
application/json
409
Conflict - A root generation attempt is already in progress.
application/json
500
Internal Server Error - An unexpected server-side error occurred.
application/json
post
POST /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 48

{
  "pgp_key": "base64-encoded-pgp-public-key"
}
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}

Submit a key share to progress the root token generation attempt.

post

Submits a single unseal key share for the active root generation attempt. If the required threshold of key shares is reached, Vault completes the root token generation and returns the encoded token, which is then decoded with sys/decode-token (OTP) or decrypted with the PGP private key. The attempt nonce must be provided with each call. Each key holder should submit their own share rather than handing it to one operator: every share passes through the caller in clear, and collecting a threshold of shares on one host is exactly what the split is meant to prevent.

Body
keystringOptional

Specifies a single unseal key share.

noncestringOptional

Specifies the nonce of the attempt.

Responses
200
Successfully submitted the key share. Progress updated.
application/json
400
Bad Request - The request is malformed or missing required parameters.
application/json
401
Unauthorized - Missing or invalid authentication credentials.
application/json
403
Forbidden - You do not have permission to submit key shares.
application/json
404
Not Found - No active root generation attempt was found.
application/json
409
Conflict - The root generation attempt is already completed or invalid.
application/json
500
Internal Server Error - A server-side error occurred.
application/json
post
POST /v1/sys/generate-root/update HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 64

{
  "key": "unseal-key-share-string",
  "nonce": "attempt-nonce-string"
}
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}
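The three calls above, plus sys/decode-token, form one procedure: start the attempt, submit shares under the same nonce until `complete` is true, then strip the OTP from the encoded token. The following driver is an added example, not code from the vHSM project. It takes the OTP path (no pgp_key), uses the OTP returned by the server when the caller supplies none, stops at the first 409 (another attempt active), and refuses to run with fewer shares than the server's `required`. `transport` is injected so the flow can be exercised offline against the included stand-in; `http_transport` is a real one whose `VHSM_ADDR`, `VHSM_TOKEN` and `X-Vault-Token` header are assumptions. The top-level `decoded_token` field follows this page; upstream Vault nests it as `data.token`, so both are accepted.

```python
"""Added example (not the vHSM project's own code): drive a root token
generation attempt end to end over sys/generate-root/attempt, /update and
sys/decode-token. fake_transport is a constructed stand-in server."""
import json
import os
import urllib.error
import urllib.request
from typing import Optional


def http_transport(method: str, path: str, body: Optional[dict]) -> tuple:
    """JSON over HTTP to a real server; VHSM_ADDR/VHSM_TOKEN are assumed env vars."""
    url = os.environ.get("VHSM_ADDR", "http://localhost:8200").rstrip("/") + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, method=method, data=data)
    req.add_header("Content-Type", "application/json")
    if os.environ.get("VHSM_TOKEN"):
        req.add_header("X-Vault-Token", os.environ["VHSM_TOKEN"])
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


def generate_root(shares: list, transport, otp: Optional[str] = None) -> str:
    """Run one attempt to completion and return the plaintext root token."""
    # OTP path only: a caller-supplied OTP is sent, otherwise the server's is used.
    status, attempt = transport("POST", "/v1/sys/generate-root/attempt", {"otp": otp} if otp else {})
    if status == 409:
        raise RuntimeError("a root generation attempt is already in progress; finish or cancel it first")
    if status != 200 or not attempt.get("started"):
        raise RuntimeError(f"attempt not started: HTTP {status} {attempt}")
    nonce, otp = attempt["nonce"], otp or attempt.get("otp")
    if not otp:
        raise RuntimeError("no OTP available; the encoded token could not be decoded")
    required = attempt.get("required", len(shares))
    if len(shares) < required:
        raise ValueError(f"need {required} key shares, only {len(shares)} supplied")

    encoded = None
    for share in shares:  # stop as soon as the threshold is met
        status, upd = transport("POST", "/v1/sys/generate-root/update", {"key": share, "nonce": nonce})
        if status != 200:
            raise RuntimeError(f"key share rejected: HTTP {status} {upd}")
        if upd.get("nonce", nonce) != nonce:
            raise RuntimeError("nonce changed: another attempt replaced ours")
        if upd.get("complete"):
            encoded = upd.get("encoded_token") or upd.get("encoded_root_token")
            break
    if not encoded:
        raise RuntimeError("threshold not reached with the shares supplied")

    status, dec = transport("POST", "/v1/sys/decode-token", {"encoded_token": encoded, "otp": otp})
    if status != 200:
        raise RuntimeError(f"decode failed: HTTP {status} {dec}")
    return dec.get("decoded_token") or dec["data"]["token"]


def fake_transport(threshold: int = 3, otp: str = "constructed-server-otp"):
    """Constructed stand-in server that mimics the three endpoints (offline use)."""
    state = {"nonce": "constructed-nonce-5d9f", "progress": 0, "otp": otp}

    def transport(method, path, body):
        body = body or {}
        if path.endswith("/generate-root/attempt"):
            state["otp"] = body.get("otp") or state["otp"]  # a client-supplied OTP wins
            return 200, {"started": True, "nonce": state["nonce"], "otp": state["otp"],
                         "required": threshold, "progress": 0, "complete": False}
        if path.endswith("/generate-root/update"):
            if body.get("nonce") != state["nonce"]:
                return 400, {"errors": ["incorrect nonce supplied"]}
            state["progress"] += 1
            done = state["progress"] >= threshold
            return 200, {"complete": done, "progress": state["progress"], "required": threshold,
                         "nonce": state["nonce"], "encoded_token": "xor-encoded-token" if done else ""}
        if path.endswith("/decode-token"):
            if body.get("encoded_token") == "xor-encoded-token" and body.get("otp") == state["otp"]:
                return 200, {"decoded_token": "hvs.constructed-root-token"}
            return 400, {"errors": ["otp does not match"]}
        return 404, {"errors": ["no handler"]}

    return transport
```

Against a real server, call `generate_root(shares, http_transport)`; the decoded token should be used once for the emergency task and revoked, as the page's lease and token endpoints allow.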

Initialize a new Vault.

post

Initializes the Vault server. Initialization is a one-time operation. On success the response contains the unseal key shares (PGP-encrypted if pgp_keys was given), any recovery key shares, and the initial root token; this is the only time these values are returned, so capture them from the response and hand the shares to separate key holders before continuing. If using HSM, recovery and stored shares options can be configured during this process.

Body
pgp_keysstring[]Optional

Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.

recovery_pgp_keysstring[]Optional

Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as recovery_shares.

recovery_sharesintegerOptional

Specifies the number of shares to split the recovery key into.

recovery_thresholdintegerOptional

Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to recovery_shares.

root_token_pgp_keystringOptional

Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation.

secret_sharesintegerOptional

Specifies the number of shares to split the unseal key into.

secret_thresholdintegerOptional

Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.

stored_sharesintegerOptional

Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as secret_shares.

Responses
200
Successfully initialized Vault.
application/json
Responseany
400
Bad Request - Vault is already initialized or request parameters are invalid.
application/json
409
Conflict - Vault is already initialized.
application/json
500
Internal Server Error - Failed to initialize Vault.
application/json
post
POST /v1/sys/init HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 101

{
  "secret_shares": 5,
  "secret_threshold": 3,
  "recovery_shares": 1,
  "recovery_threshold": 1,
  "stored_shares": 0
}

No content

Configure the client count collection settings.

post

Enables or disables the collection of client counts and configures the retention period and default reporting period for client activity data.

Body
default_report_monthsintegerOptional

Number of months to report if no start date specified.

Default: 12
enabledstringOptional

Enable or disable collection of client count: enable, disable, or default.

Default: default
retention_monthsintegerOptional

Number of months of client data to retain. Setting to 0 will clear all existing data.

Default: 24
Responses
200
Successfully updated client count tracking configuration.
application/json
Responseany
400
Bad Request - Invalid configuration settings provided.
application/json
500
Internal Server Error - Failed to update configuration.
application/json
post
POST /v1/sys/internal/counters/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 82

{
  "default_report_months": 12,
  "enabled": "enable",
  "retention_months": 24
}

No content

Generate OpenAPI document with request parameters

post
Body
contextstringOptional

Context string appended to every operationId

Responses
200
Successfully generated OpenAPI document
application/json
Responseany
400
Invalid request
application/json
500
Internal server error
application/json
post
POST /v1/sys/internal/specs/openapi HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "mounts": [
    "auth/",
    "sys/"
  ]
}
{
  "openapi": "3.0.0",
  "info": {
    "title": "Filtered Vault API",
    "version": "v1"
  },
  "paths": {}
}

Retrieves metadata for a specific lease

post
Body
lease_idstringOptional

The lease identifier to look up. This is included with a lease.

Responses
200
Successfully retrieved lease metadata
application/json
400
Bad request
application/json
404
Lease not found
application/json
500
Internal server error
application/json
post
POST /v1/sys/leases/lookup HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "lease_id": "auth/token/create/a1b2c3"
}
{
  "lease_id": "auth/token/create/a1b2c3",
  "renewable": true,
  "ttl": 3600
}

Renews a lease by extending its TTL.

post
Body
incrementinteger · secondsOptional

The desired increment in seconds to the lease

lease_idstringOptional

The lease identifier to renew. This is included with a lease.

url_lease_idstringOptional

The lease identifier to renew. This is included with a lease.

Responses
204
Lease renewed successfully (no content)
400
Bad request
application/json
404
Lease not found
application/json
500
Internal server error
application/json
post
POST /v1/sys/leases/renew HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 63

{
  "lease_id": "database/creds/my-role/Y7sGbfd9",
  "increment": 3600
}

No content

Renews a lease using a lease ID in the path.

post
Path parameters
url_lease_idstringRequired

The lease ID to renew. Example: "database/creds/my-role/Y7sGbfd9"

Body
incrementinteger · secondsOptional

The desired increment in seconds to the lease

lease_idstringOptional

The lease identifier to renew. This is included with a lease.

Responses
204
Lease renewed successfully (no content)
400
Bad request
application/json
404
Lease not found
application/json
500
Internal server error
application/json
post
POST /v1/sys/leases/renew/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 18

{
  "increment": 1800
}

No content

Immediately revokes a lease.

post
Body
lease_idstringOptional

The lease identifier to revoke. This is included with a lease.

syncbooleanOptional

Whether or not to perform the revocation synchronously

Default: true
url_lease_idstringOptional

The lease identifier to revoke, when given in the URL rather than the body.

Responses
204
Lease revoked successfully (no content)
400
Bad request
application/json
404
Lease not found
application/json
500
Internal server error
application/json
post
POST /v1/sys/leases/revoke HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46

{
  "lease_id": "database/creds/my-role/Y7sGbfd9"
}

No content

Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.

post
Path parameters
prefixstringRequired

The path to revoke keys under. Example: "prod/aws/ops". Everything beneath the prefix is revoked, including tokens whose path falls under it, so a short prefix such as "auth/" revokes every token issued through those auth methods; check the prefix before calling.

Body
syncbooleanOptional

Whether or not to perform the revocation synchronously

Default: true
Responses
204
OK
post
POST /v1/sys/leases/revoke-prefix/{prefix} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13

{
  "sync": true
}
204

OK

No content

Revokes a lease immediately.

post
Path parameters
url_lease_idstringRequired

The lease identifier to revoke. This is included with a lease.

Body
lease_idstringOptional

The lease identifier to revoke, if not given in the URL.

syncbooleanOptional

Whether or not to perform the revocation synchronously

Default: true
Responses
204
OK
post
POST /v1/sys/leases/revoke/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31

{
  "lease_id": "text",
  "sync": true
}
204

OK

No content
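Lookup, renew and revoke together form the lifecycle of a leased credential: renew it while the job that holds it is running, revoke it the moment the job ends. The class below is an added example, not vHSM project code. Because the renew endpoints answer 204 with no body, the TTL actually granted is read back with a lookup, which is how the example notices that a renewal was cut short by the lease's maximum TTL; it also refuses to renew a non-renewable lease instead of looping on it. `transport(method, path, body)` returns `(status, json_dict)` as in the other examples; `fake_lease_server` is a constructed stand-in so the code runs offline. This page shows the lookup fields at the top level, upstream Vault nests them under `data`, so both are accepted.

```python
"""Added example (not the vHSM project's own code): keep a leased credential
alive with sys/leases/lookup and /renew, then revoke it with /revoke."""
from typing import Optional


def renew_after(ttl: int, fraction: float = 2 / 3) -> int:
    """Seconds to wait before the next renewal: well before expiry, never below 1."""
    return max(1, int(ttl * fraction))


class LeaseKeeper:
    def __init__(self, lease_id: str, transport, increment: int = 3600):
        self.lease_id, self.transport, self.increment = lease_id, transport, increment

    def lookup(self) -> Optional[dict]:
        """Lease metadata, or None once the lease no longer exists (404)."""
        status, resp = self.transport("POST", "/v1/sys/leases/lookup", {"lease_id": self.lease_id})
        if status == 404:
            return None
        if status != 200:
            raise RuntimeError(f"lookup failed: HTTP {status} {resp}")
        return resp.get("data", resp)

    def renew_once(self) -> int:
        """Renew by self.increment and return the TTL the server actually granted."""
        info = self.lookup()
        if info is None:
            raise RuntimeError("lease is gone (expired or revoked); re-issue the credential")
        if not info.get("renewable"):
            raise RuntimeError("lease is not renewable; re-issue the credential instead")
        status, resp = self.transport("POST", "/v1/sys/leases/renew",
                                      {"lease_id": self.lease_id, "increment": self.increment})
        if status not in (200, 204):
            raise RuntimeError(f"renew failed: HTTP {status} {resp}")
        return self.lookup()["ttl"]  # may be shorter than increment: max TTL wins

    def revoke(self, sync: bool = True) -> bool:
        """Revoke immediately; True if the lease is gone afterwards."""
        status, _ = self.transport("POST", "/v1/sys/leases/revoke",
                                   {"lease_id": self.lease_id, "sync": sync})
        return status in (200, 204, 404)


def fake_lease_server(lease_id: str = "database/creds/my-role/Y7sGbfd9", ttl: int = 3600,
                      max_remaining: int = 5400, renewable: bool = True):
    """Constructed stand-in: one lease whose renewals are capped by the time left before max TTL."""
    state = {"ttl": ttl, "cap": max_remaining, "alive": True}

    def transport(method, path, body):
        if not state["alive"] or body.get("lease_id") != lease_id:
            return 404, {"errors": ["lease not found"]}
        if path.endswith("/leases/lookup"):
            return 200, {"lease_id": lease_id, "renewable": renewable, "ttl": state["ttl"]}
        if path.endswith("/leases/renew"):
            if not renewable:
                return 400, {"errors": ["lease is not renewable"]}
            state["ttl"] = min(body.get("increment", ttl), state["cap"])
            return 204, {}
        if path.endswith("/leases/revoke"):
            state["alive"] = False
            return 204, {}
        return 404, {}

    def elapse(seconds: int):
        """Advance the clock: the lease TTL and the max-TTL headroom both shrink."""
        state["ttl"] = max(0, state["ttl"] - seconds)
        state["cap"] = max(0, state["cap"] - seconds)
        if state["ttl"] == 0:
            state["alive"] = False

    return transport, elapse
```

A long-running job would loop on `time.sleep(renew_after(keeper.renew_once()))` and call `keeper.revoke()` in its shutdown path; when `renew_once` starts returning values below the increment, the lease is approaching its maximum TTL and a fresh credential should be requested instead.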

Trigger a background lease tidy operation.

post
Body
anyOptional
Responses
204
Lease tidy completed successfully; no content returned.
400
Invalid input or parameters.
application/json
500
Internal server error during lease tidy.
application/json
post
POST /v1/sys/leases/tidy HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 52

{
  "safety_buffer": "1h",
  "safety_buffer_percentage": 10
}

No content

Modify verbosity levels for all loggers.

post
Body
levelstringOptional

Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".

Responses
204
Logger levels updated.
400
Invalid log level provided.
application/json
post
POST /v1/sys/loggers HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 21

{
  "level": "info"
}

No content

Modify the log level of a specific logger.

post
Path parameters
namestringRequired

Name of the logger to modify.

Body
levelstringOptional

Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".

Responses
204
Logger level updated.
400
Invalid log level.
application/json
post
POST /v1/sys/loggers/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17

{
  "level": "debug"
}

No content

Test signing functionality for a managed key.

post
Path parameters
typestringRequired

The type of the managed key (e.g., "transit", "pkcs11").

namestringRequired

The name of the managed key to use for the test signing operation.

Body
anyOptional
Responses
200
Test signing successful.
application/json
Responseany
400
Invalid input data for signing.
application/json
404
Managed key not found.
application/json
500
Internal server error during test sign.
application/json
post
POST /v1/sys/managed-keys/{type}/{name}/test/sign HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 69

{
  "input": "aGVsbG8gd29ybGQ=",
  "algorithm": "sha2-256",
  "prehashed": false
}
{
  "signature": "vault:v1:abc123signaturedata"
}

Export system metrics in Prometheus format.

get
Query parameters
formatstring · enumOptional

The output format for the metrics. Currently, only prometheus is supported.

Possible values:
Body
anyOptional
Responses
200
Metrics exported successfully.
text/plain
Responseany
400
Bad request. The `format` parameter is invalid or missing.
application/json
500
Internal server error while exporting metrics.
application/json
get
GET /v1/sys/metrics?format=prometheus HTTP/1.1
Host: localhost:8200
Accept: */*

# HELP vault_core_handle_request_count Total number of handled requests
# TYPE vault_core_handle_request_count counter
vault_core_handle_request_count{code="200",method="GET",path="/v1/sys/metrics"} 42

List configured Multi-Factor Authentication (MFA) methods.

get
Query parameters
liststring · enumRequired

A required parameter that must be set to true to retrieve the list of MFA methods.

Possible values:
Body
anyOptional
Responses
200
Successfully retrieved the list of configured MFA methods.
application/json
Responseany
400
Bad request. The `list` parameter was missing or invalid.
application/json
500
Internal server error while retrieving MFA methods.
application/json
get
GET /v1/sys/mfa/method?list=true HTTP/1.1
Host: localhost:8200
Accept: */*

{
  "data": {
    "methods": [
      {
        "name": "duo",
        "type": "duo"
      },
      {
        "name": "okta",
        "type": "okta"
      },
      {
        "name": "totp",
        "type": "totp"
      }
    ]
  }
}

Create or update an Okta MFA method configuration.

post
Path parameters
namestringRequired

The unique name of the Okta MFA method.

Body
anyOptional
Responses
200
Successfully created or updated the Okta MFA method.
application/json
Responseany
400
Bad request – invalid payload or missing fields.
application/json
403
Forbidden – access denied.
application/json
500
Internal server error.
application/json
post
POST /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 51

{
  "org_name": "example-org",
  "token": "s.exampletoken"
}
{
  "data": {
    "success": true
  }
}

Create or update a PingID MFA method configuration.

post
Path parameters
namestringRequired

The name of the PingID MFA method configuration.

Body
anyOptional
Responses
200
PingID method created or updated successfully.
application/json
Responseany
400
Bad request.
application/json
403
Forbidden.
application/json
500
Internal server error.
application/json
post
POST /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60

{
  "apikey": "abc123",
  "org_alias": "my-org",
  "token": "s.mytoken"
}
{
  "data": {
    "success": true
  }
}

Create or update a TOTP MFA method configuration.

post
Path parameters
namestringRequired

The name of the TOTP MFA method configuration.

Body
anyOptional
Responses
200
TOTP method created or updated successfully.
application/json
Responseany
400
Bad request or validation error.
application/json
403
Forbidden.
application/json
500
Internal server error.
application/json
post
POST /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "issuer": "vault",
  "period": 30,
  "skew": 1
}
{
  "data": {
    "success": true
  }
}

Admin-level operation to generate a new TOTP key for a user.

post
Path parameters
namestringRequired

The name of the TOTP MFA method configuration.

Body
anyOptional
Responses
200
TOTP key successfully generated.
application/json
Responseany
400
Bad request. Invalid input data.
application/json
403
Forbidden. Insufficient permissions to perform this operation.
application/json
404
The specified TOTP configuration was not found.
application/json
500
Internal server error.
application/json
post
POST /v1/sys/mfa/method/totp/{name}/admin-generate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 52

{
  "account_name": "user@example.com",
  "issuer": "vault"
}
{
  "data": {
    "url": "otpauth://totp/vault:user@example.com?secret=ABCDEFG12345678&issuer=vault",
    "barcode": "<base64-barcode-image>"
  }
}

Validates the login for the given MFA methods.

post

Validates MFA credentials submitted by the user. Upon successful validation, it returns an authentication response that includes a client token. This endpoint is typically called after initial credentials are provided and MFA is required.

Body
mfa_payloadobject · mapRequired

A map from MFA method ID to a slice of passcodes or an empty slice if the method does not use passcodes

mfa_request_idstringRequired

ID for this MFA request

Responses
200
Successful MFA validation and authentication.
application/json
Responseany
400
Bad request — missing or invalid fields in the request.
application/json
403
Forbidden — MFA validation failed or unauthorized access.
application/json
404
Not found — specified MFA method or user not found.
application/json
500
Internal server error — unexpected failure during validation.
application/json
post
POST /v1/sys/mfa/validate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 40

{
  "method_id": "totp-d3f1",
  "otp": "123456"
}
{
  "auth": {
    "client_token": "s.QKJ123abcXYZ",
    "accessor": "vS2iRzHyXweKzwo0tUR",
    "policies": [
      "default"
    ],
    "lease_duration": 2764800,
    "renewable": true
  }
}

Enable a new secrets engine at the given path.

post
Path parameters
pathstringRequired

The path to mount to. Example: "aws/east"

Body
configobject · mapOptional

Configuration for this mount, such as default_lease_ttl and max_lease_ttl.

descriptionstringOptional

User-friendly description for this mount.

external_entropy_accessbooleanOptional

Whether to give the mount access to Vault's external entropy.

Default: false
localbooleanOptional

Mark the mount as a local mount, which is not replicated and is unaffected by replication.

Default: false
optionsobject · kvpairsOptional

The options to pass into the backend. Should be a json object with string keys and values.

plugin_namestringOptional

Name of the plugin to mount based from the name registered in the plugin catalog.

plugin_versionstringOptional

The semantic version of the plugin to use.

seal_wrapbooleanOptional

Whether to turn on seal wrapping for the mount.

Default: false
typestringOptional

The type of the backend. Example: "passthrough"

Responses
204
OK
post
POST /v1/sys/mounts/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 167

{
  "config": {},
  "description": "text",
  "external_entropy_access": true,
  "local": true,
  "options": {},
  "plugin_name": "text",
  "plugin_version": "text",
  "seal_wrap": true,
  "type": "text"
}
204

OK

No content

Update the tuning configuration parameters for a mounted backend.

post
Path parameters
pathstringRequired

The path to mount to. Example: "aws/east"

Body
default_lease_ttlstringOptional

The default lease duration for secrets issued by this mount, as a duration string such as "500h". Must not exceed max_lease_ttl.

max_lease_ttlstringOptional

The maximum lease duration a secret from this mount may be renewed up to, as a duration string such as "1000h".

descriptionstringOptional

User-friendly description for this mount.

audit_non_hmac_request_keysstring[]Optional

Request-data keys whose values are written to the audit log in clear instead of being HMAC'd. List only keys that never carry secrets (for example a role or region name); everything else stays HMAC'd by default.
Responses
200
OK
application/json
400
Bad Request
application/json
500
Internal Server Error
application/json
post
POST /v1/sys/mounts/{path}/tune HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 135

{
  "default_lease_ttl": "500h",
  "max_lease_ttl": "1000h",
  "description": "Updated AWS config",
  "audit_non_hmac_request_keys": [
    "role",
    "region"
  ]
}
{
  "success": true
}

Lock the API for all namespaces to prevent changes.

post
Body
reasonstringOptional
Responses
200
OK
application/json
400
Bad Request
application/json
500
Internal Server Error
application/json
post
POST /v1/sys/namespaces/api-lock/lock HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "reason": "Planned maintenance window"
}
{
  "success": true
}

Unlock the API for all namespaces.

post
Body
reasonstringOptional
Responses
200
OK
application/json
400
Bad Request
application/json
500
Internal Server Error
application/json
post
POST /v1/sys/namespaces/api-lock/unlock HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 33

{
  "reason": "Maintenance complete"
}
{
  "success": true
}

Create a new namespace

post
Path parameters
pathstringRequired

The path of the namespace

Body
custom_metadataobject · mapOptional

A map of arbitrary string to string valued user-provided metadata meant to describe the namespace

Responses
200
OK
application/json
post
POST /v1/sys/namespaces/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 22

{
  "custom_metadata": {}
}
200

OK

{
  "custom_metadata": {},
  "id": "text",
  "path": "text"
}

Register a new plugin, or updates an existing one with the supplied name.

post
Path parameters
namestringRequired

The name of the plugin

Body
argsstring[]Optional

The args passed to plugin command.

commandstringOptional

The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.

envstring[]Optional

The environment variables passed to plugin command. Each entry is of the form "key=value".

sha256stringOptional

The SHA256 sum of the executable used in the command field. This should be HEX encoded. The server checks the binary against this value before launching it, so compute the sum over the exact file placed in the plugin directory and register the new sum whenever the binary changes.

typestringOptional

The type of the plugin, may be auth, secret, or database

versionstringOptional

The semantic version of the plugin to use.

Responses
200
OK
post
POST /v1/sys/plugins/catalog/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 96

{
  "args": [
    "text"
  ],
  "command": "text",
  "env": [
    "text"
  ],
  "sha256": "text",
  "type": "text",
  "version": "text"
}
200

OK

No content

Register a new plugin, or updates an existing one with the supplied name.

post
Path parameters
namestringRequired

The name of the plugin

typestringRequired

The type of the plugin, may be auth, secret, or database

Body
argsstring[]Optional

The args passed to plugin command.

commandstringOptional

The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.

envstring[]Optional

The environment variables passed to plugin command. Each entry is of the form "key=value".

sha256stringOptional

The SHA256 sum of the executable used in the command field. This should be HEX encoded. The server checks the binary against this value before launching it, so compute the sum over the exact file placed in the plugin directory and register the new sum whenever the binary changes.

versionstringOptional

The semantic version of the plugin to use.

Responses
200
OK
post
POST /v1/sys/plugins/catalog/{type}/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 82

{
  "args": [
    "text"
  ],
  "command": "text",
  "env": [
    "text"
  ],
  "sha256": "text",
  "version": "text"
}
200

OK

No content
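Registering a plugin is a supply-chain control: the sha256 field pins the binary the server will agree to execute. The code below, an added example rather than vHSM project code, computes that pin over the file that is copied into the plugin directory, writes the catalog entry through the endpoint above, and then enables the plugin with sys/mounts/{path} using the same name and version. `transport(method, path, body)` returns `(status, json_dict)` as in the other examples; `demo()` runs the flow offline against a recording stand-in with a constructed sample file. The plugin name, version and mount path are hypothetical.

```python
"""Added example (not the vHSM project's own code): register a plugin binary
pinned by SHA-256 via sys/plugins/catalog/{type}/{name}, then mount it."""
import hashlib
import os
import tempfile


def sha256_hex(path: str) -> str:
    """Hex SHA-256 of a file, streamed so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def catalog_body(binary_path: str, version: str, args=(), env=()) -> dict:
    """Body for the catalog write; command is the bare file name inside the plugin directory."""
    body = {"command": os.path.basename(binary_path),
            "sha256": sha256_hex(binary_path),
            "version": version}
    if args:
        body["args"] = list(args)
    if env:
        body["env"] = [f"{k}={v}" for k, v in env]  # entries must be "key=value"
    return body


def register_and_mount(plugin_type: str, name: str, binary_path: str, version: str,
                       mount_path: str, transport) -> str:
    """Register the pinned binary, then enable it at mount_path; returns the hex pin."""
    body = catalog_body(binary_path, version)
    status, resp = transport("POST", f"/v1/sys/plugins/catalog/{plugin_type}/{name}", body)
    if status not in (200, 204):
        raise RuntimeError(f"catalog write failed: HTTP {status} {resp}")
    mount = {"type": name, "plugin_version": version,
             "description": f"{name} {version} sha256:{body['sha256'][:16]}"}
    status, resp = transport("POST", f"/v1/sys/mounts/{mount_path}", mount)
    if status not in (200, 204):
        raise RuntimeError(f"mount failed: HTTP {status} {resp}")
    return body["sha256"]


def demo(content: bytes = b"hello\n"):
    """Offline run: writes a constructed sample 'binary' and records the two calls made."""
    calls = []

    def recording_transport(method, path, body):
        calls.append((method, path, body))
        return 204, {}

    with tempfile.TemporaryDirectory() as tmp:
        binary = os.path.join(tmp, "vhsm-plugin-secrets-example")  # hypothetical plugin
        with open(binary, "wb") as fh:
            fh.write(content)
        pin = register_and_mount("secret", "secrets-example", binary, "v1.0.0",
                                 "example/", recording_transport)
    return pin, calls
```

Compute the pin on the build host from the artifact you actually ship, not on the server after copying, so a tampered file in the plugin directory fails the server's check instead of being silently re-pinned.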

Reload mounted plugin backends.

post

Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. If the plugin name is provided, all mounted paths that use that plugin backend are reloaded. If scope is provided and is "global", the plugin(s) are reloaded globally.

Body
mounts (string[], Optional)

The mount paths of the plugin backends to reload.

plugin (string, Optional)

The name of the plugin to reload, as registered in the plugin catalog.

scope (string, Optional)

Responses
200
OK
application/json
202
OK
application/json
POST /v1/sys/plugins/reload/backend HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 50

{
  "mounts": [
    "text"
  ],
  "plugin": "text",
  "scope": "text"
}
{
  "reload_id": "text"
}

Add a new or update an existing ACL policy.

post
Path parameters
name (string, Required)

The name of the policy. Example: "ops"

Body
policy (string, Optional)

The rules of the policy.

Responses
204
OK
POST /v1/sys/policies/acl/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17

{
  "policy": "text"
}
204

OK

No content

Create or update an EGP policy by name.

post
Path parameters
name (string, Required)

The name of the EGP policy.

Body
policy (string, Required)

Responses
200
Policy created or updated successfully
400
Invalid policy definition
application/json
500
Internal Server Error
application/json
POST /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 101

{
  "policy": "path \"secret/data/finance\" {\n  capabilities = [\"create\", \"read\", \"update\"]\n}\n"
}

No content

Add a new or update an existing password policy.

post
Path parameters
name (string, Required)

The name of the password policy.

Body
policy (string, Optional)

The password policy.

Responses
204
OK
POST /v1/sys/policies/password/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17

{
  "policy": "text"
}
204

OK

No content

Create or update an RGP policy by name.

post
Path parameters
name (string, Required)

The name of the RGP policy.

Body
any (Optional)

Responses
200
Policy written successfully
400
Invalid policy definition
application/json
500
Internal server error
application/json
POST /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 82

{
  "policy": "path \"sys/config/*\" {\n  capabilities = [\"read\", \"update\"]\n}\n"
}

No content

Add a new or update an existing policy.

post
Path parameters
name (string, Required)

The name of the policy. Example: "ops"

Body
policy (string, Optional)

The rules of the policy.

rules (string, Optional, Deprecated)

The rules of the policy.

Responses
204
OK
POST /v1/sys/policy/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17

{
  "policy": "text"
}
204

OK

No content

Create or update the quota configuration.

post
Body
enable_rate_limit_audit_logging (boolean, Optional)

If set, starts audit logging of requests that get rejected due to rate limit quota rule violations.

enable_rate_limit_response_headers (boolean, Optional)

If set, additional rate limit quota HTTP headers will be added to responses.

rate_limit_exempt_paths (string[], Optional)

Specifies the list of paths exempt from all rate limit quotas. If empty, no paths will be exempt.

Responses
204
Quota configuration updated successfully (empty body)
400
Invalid configuration request
application/json
500
Internal server error
application/json
POST /v1/sys/quotas/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 42

{
  "enabled": true,
  "interval": "1s",
  "rate": 50
}

No content

Create or update a lease count quota.

post
Path parameters
name (string, Required)

Body
any (Optional)

Responses
200
Quota created or updated successfully
application/json
Response: any
POST /v1/sys/quotas/lease-count/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 19

{
  "max_leases": 1000
}
200

Quota created or updated successfully

{
  "data": {
    "success": true
  }
}

Create or update a rate limit quota.

post
Path parameters
name (string, Required)

Name of the quota rule.

Body
block_interval (integer · seconds, Optional)

If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.

interval (integer · seconds, Optional)

The duration to enforce rate limiting for (default '1s').

path (string, Optional)

Path of the mount or namespace to apply the quota to. A blank path configures a global quota. For example, namespace1/ adds a quota to a full namespace, and namespace1/auth/userpass adds a quota to userpass in namespace1.

rate (number · float, Optional)

The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive.

role (string, Optional)

Login role to apply this quota to. Note that when set, path must be configured to a valid auth method with a concept of roles.

type (string, Optional)

Type of the quota rule.

Responses
204
Quota created or updated successfully (no content)
400
Invalid quota configuration
application/json
POST /v1/sys/quotas/rate-limit/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 42

{
  "rate": 5,
  "interval": "1s",
  "path": "auth/*"
}

No content

Initializes a new rekey attempt.

post

Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.

Body
backup (boolean, Optional)

Specifies, if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.

pgp_keys (string[], Optional)

Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.

require_verification (boolean, Optional)

Turns on verification functionality.

secret_shares (integer, Optional)

Specifies the number of shares to split the unseal key into.

secret_threshold (integer, Optional)

Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.

Responses
200
OK
application/json
POST /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 102

{
  "backup": true,
  "pgp_keys": [
    "text"
  ],
  "require_verification": true,
  "secret_shares": 1,
  "secret_threshold": 1
}
200

OK

{
  "backup": true,
  "n": 1,
  "nounce": "text",
  "pgp_fingerprints": [
    "text"
  ],
  "progress": 1,
  "required": 1,
  "started": "text",
  "t": 1,
  "verification_nonce": "text",
  "verification_required": true
}

Enter a single unseal key share to progress the rekey of the Vault.

post
Body
key (string, Optional)

Specifies a single unseal key share.

nonce (string, Optional)

Specifies the nonce of the rekey attempt.

Responses
200
OK
application/json
POST /v1/sys/rekey/update HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29

{
  "key": "text",
  "nonce": "text"
}
200

OK

{
  "backup": true,
  "complete": true,
  "keys": [
    "text"
  ],
  "keys_base64": [
    "text"
  ],
  "n": 1,
  "nounce": "text",
  "pgp_fingerprints": [
    "text"
  ],
  "progress": 1,
  "required": 1,
  "started": "text",
  "t": 1,
  "verification_nonce": "text",
  "verification_required": true
}

Enter a single new key share to progress the rekey verification operation.

post
Body
key (string, Optional)

Specifies a single unseal key share from the new set of shares.

nonce (string, Optional)

Specifies the nonce of the rekey verification operation.

Responses
200
OK
application/json
POST /v1/sys/rekey/verify HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29

{
  "key": "text",
  "nonce": "text"
}
200

OK

{
  "complete": true,
  "nounce": "text"
}

Initiate a mount migration.

post
Body
from (string, Optional)

The previous mount point.

to (string, Optional)

The new mount point.

Responses
200
OK
application/json
POST /v1/sys/remount HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "from": "text",
  "to": "text"
}
200

OK

{
  "migration_id": "text"
}

Renews a lease, requesting to extend the lease.

post
Body
increment (integer · seconds, Optional)

The desired increment in seconds to the lease.

lease_id (string, Optional)

The lease identifier to renew. This is included with a lease.

url_lease_id (string, Optional)

The lease identifier to renew. This is included with a lease.

Responses
204
OK
POST /v1/sys/renew HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 55

{
  "increment": 1,
  "lease_id": "text",
  "url_lease_id": "text"
}
204

OK

No content

Renews a lease, requesting to extend the lease.

post
Path parameters
url_lease_id (string, Required)

The lease identifier to renew. This is included with a lease.

Body
increment (integer · seconds, Optional)

The desired increment in seconds to the lease.

lease_id (string, Optional)

The lease identifier to renew. This is included with a lease.

Responses
204
OK
POST /v1/sys/renew/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 33

{
  "increment": 1,
  "lease_id": "text"
}
204

OK

No content

Enables DR primary replication.

post
Body
any (Optional)

Responses
200
DR replication successfully enabled
application/json
Response: any
400
Invalid request payload
application/json
500
Internal server error
application/json
POST /v1/sys/replication/dr/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 77

{
  "mode": "primary",
  "primary_cluster_addr": "https://vault-primary.example.com"
}
{
  "data": {
    "message": "DR primary enabled"
  }
}

Revokes a DR secondary cluster.

post
Body
any (Optional)

Responses
200
DR secondary successfully revoked
application/json
Response: any
404
Secondary not found
application/json
500
Internal server error
application/json
POST /v1/sys/replication/dr/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34

{
  "secondary_cluster_id": "dc-east"
}
{
  "data": {
    "message": "Secondary revoked successfully"
  }
}

Creates a token for a DR secondary to join the primary.

post
Body
any (Optional)

Responses
200
Token successfully created
application/json
Response: any
400
Invalid input
application/json
500
Internal server error
application/json
POST /v1/sys/replication/dr/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 35

{
  "id": "dc-west",
  "namespace": "root"
}
{
  "data": {
    "secondary_token": "s.SOME_LONG_TOKEN_STRING"
  }
}

Enable DR secondary replication.

post
Body
any (Optional)

Responses
200
DR secondary enabled.
application/json
Response: any
POST /v1/sys/replication/dr/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 36

{
  "token": "s.SECONDARY_TOKEN_STRING"
}
200

DR secondary enabled.

{
  "data": {
    "message": "Secondary enabled successfully."
  }
}

Update the DR primary cluster configuration.

post
Body
any (Optional)

Responses
200
Primary configuration updated.
application/json
Response: any
POST /v1/sys/replication/dr/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60

{
  "primary_cluster_addr": "https://vault-primary.example.com"
}
200

Primary configuration updated.

{
  "data": {
    "message": "Primary address updated."
  }
}

Enable performance primary replication.

post
Body
any (Optional)

Responses
200
Replication enabled.
application/json
Response: any
POST /v1/sys/replication/performance/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "token": "s.PERF_PRIMARY_TOKEN_STRING"
}
200

Replication enabled.

{
  "data": {
    "message": "Primary replication enabled."
  }
}

Create or update a paths filter.

post
Path parameters
id (string, Required)

Body
any (Optional)

Responses
200
Filter updated successfully.
application/json
Response: any
POST /v1/sys/replication/performance/primary/paths-filter/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "paths": [
    "secret/data/*"
  ]
}
200

Filter updated successfully.

{
  "data": {
    "message": "Paths filter updated."
  }
}

Generate a secondary token.

post
Body
any (Optional)

Responses
200
Token generated.
application/json
Response: any
POST /v1/sys/replication/performance/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46

{
  "secondary_cluster_name": "us-west-secondary"
}
200

Token generated.

{
  "data": {
    "token": "s.TOKENSTRING"
  }
}

Enable performance secondary replication.

post
Body
any (Optional)

Responses
200
Secondary enabled.
application/json
Response: any
POST /v1/sys/replication/performance/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29

{
  "token": "s.SECONDARY_TOKEN"
}
200

Secondary enabled.

{
  "data": {
    "message": "Secondary enabled."
  }
}

Update primary information for the secondary.

post
Body
any (Optional)

Responses
200
Primary updated successfully.
application/json
Response: any
POST /v1/sys/replication/performance/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 56

{
  "primary_api_addr": "https://vault-primary.example.com"
}
200

Primary updated successfully.

{
  "data": {
    "message": "Primary address updated."
  }
}

Enable the primary cluster for replication.

post
Body
any (Optional)

Responses
200
Primary replication enabled.
application/json
Response: any
400
Invalid request.
application/json
403
Unauthorized to enable primary.
application/json
POST /v1/sys/replication/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "token": "s.PRIMARY_REPLICATION_TOKEN"
}
{
  "data": {
    "message": "Primary replication enabled."
  }
}

Generate a token to be used by a secondary to join the primary.

post
Body
any (Optional)

Responses
200
Token successfully generated.
application/json
Response: any
403
Forbidden
application/json
POST /v1/sys/replication/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 26

{
  "id": "secondary-us-east"
}
{
  "data": {
    "token": "s.abcdef123456"
  }
}

Enable replication on a secondary cluster.

post
Body
any (Optional)

Responses
200
Secondary replication enabled.
application/json
Response: any
400
Invalid token.
application/json
POST /v1/sys/replication/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31

{
  "token": "s.replication-token"
}
{
  "data": {
    "message": "Secondary enabled."
  }
}

Provide a new connection configuration to a primary from a secondary.

post
Body
any (Optional)

Responses
200
Primary address updated successfully.
application/json
Response: any
400
Invalid or missing primary configuration.
application/json
POST /v1/sys/replication/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 133

{
  "primary_api_addr": "https://vault-primary.example.com:8200",
  "ca_file": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}
{
  "data": {
    "message": "Primary connection info updated."
  }
}

Revokes a lease immediately.

post
Body
lease_id (string, Optional)

The lease identifier to renew. This is included with a lease.

sync (boolean, Optional)

Whether or not to perform the revocation synchronously.

Default: true

url_lease_id (string, Optional)

The lease identifier to renew. This is included with a lease.

Responses
204
OK
POST /v1/sys/revoke HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 53

{
  "lease_id": "text",
  "sync": true,
  "url_lease_id": "text"
}
204

OK

No content

Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.

post
Path parameters
prefix (string, Required)

The path to revoke keys under. Example: "prod/aws/ops"

Body
sync (boolean, Optional)

Whether or not to perform the revocation synchronously.

Default: true

Responses
204
OK
POST /v1/sys/revoke-prefix/{prefix} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13

{
  "sync": true
}
204

OK

No content

Revokes a lease immediately.

post
Path parameters
url_lease_id (string, Required)

The lease identifier to renew. This is included with a lease.

Body
lease_id (string, Optional)

The lease identifier to renew. This is included with a lease.

sync (boolean, Optional)

Whether or not to perform the revocation synchronously.

Default: true

Responses
204
OK
POST /v1/sys/revoke/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31

{
  "lease_id": "text",
  "sync": true
}
204

OK

No content

Configure encryption key rotation settings.

post
Body
enabled (boolean, Optional)

Whether automatic rotation is enabled.

interval (integer · seconds, Optional)

How long after installation of an active key term the key will be automatically rotated.

max_operations (integer · int64, Optional)

The number of encryption operations performed before the barrier key is automatically rotated.

Responses
204
Configuration updated successfully.
400
Invalid input configuration.
application/json
403
Forbidden. Sudo permissions required.
application/json
POST /v1/sys/rotate/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 28

{
  "auto_rotate_period": "24h"
}

No content

Perform a sealwrap rewrap.

post

Triggers a rewrap for keys encrypted with an old seal configuration. This may take time depending on the size of the data.

Body
any (Optional)

Responses
200
Rewrap operation completed successfully.
application/json
Response: any
400
Invalid request parameters.
application/json
500
Internal error during rewrap operation.
application/json
POST /v1/sys/sealwrap/rewrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 54

{
  "paths": [
    "sys/policy/foo",
    "auth/token/accessor/bar"
  ]
}
{
  "data": {
    "rewrapped_paths": [
      "sys/policy/foo",
      "auth/token/accessor/bar"
    ]
  }
}

Create or update a snapshot job configuration.

post
Path parameters
name (string, Required)

The name of the snapshot job configuration.

Body
any (Optional)

Responses
200
Snapshot configuration saved successfully.
application/json
Response: any
400
Invalid configuration.
application/json
POST /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 69

{
  "interval": "1h",
  "retain": 5,
  "storage_path_prefix": "snapshots/hourly"
}
{
  "data": {
    "interval": "1h",
    "retain": 5,
    "storage_path_prefix": "snapshots/hourly"
  }
}

Generate a hash sum for input data using the configured default algorithm.

post

Accepts raw input data and returns its hash digest using Vault's configured default hash algorithm.

Body
algorithm (string, Optional)

Algorithm to use (POST body parameter). Valid values are sha2-224, sha2-256, sha2-384, and sha2-512. Defaults to "sha2-256".

Default: sha2-256

format (string, Optional)

Encoding format to use. Can be "hex" or "base64". Defaults to "hex".

Default: hex

input (string, Optional)

The base64-encoded input data.

urlalgorithm (string, Optional)

Algorithm to use (POST URL parameter).

Responses
200
Hash generated successfully.
application/json
400
Invalid input provided.
application/json
POST /v1/sys/tools/hash HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 24

{
  "input": "Hello, Vault"
}
{
  "data": {
    "sum": "a830d7beb04eb7549ce990fb7dc962e499a27230"
  }
}

Generate a hash sum for input data using a specific algorithm.

post

Accepts raw input data and returns its hash digest using the algorithm specified in the URL.

Path parameters
urlalgorithm (string, Required)

The hash algorithm to use (e.g., sha2-256, sha2-512).

Body
algorithm (string, Optional)

Algorithm to use (POST body parameter). Valid values are sha2-224, sha2-256, sha2-384, and sha2-512. Defaults to "sha2-256".

Default: sha2-256

format (string, Optional)

Encoding format to use. Can be "hex" or "base64". Defaults to "hex".

Default: hex

input (string, Optional)

The base64-encoded input data.

Responses
200
Hash generated successfully using the specified algorithm.
application/json
400
Invalid algorithm or input provided.
application/json
POST /v1/sys/tools/hash/{urlalgorithm} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 24

{
  "input": "Hello, Vault"
}
{
  "data": {
    "sum": "2cf24dba5fb0a030e..."
  }
}
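Both hash endpoints above (/v1/sys/tools/hash and /v1/sys/tools/hash/{urlalgorithm}) take the input base64-encoded and return the digest under data.sum, in hex or base64. The following is an added example, not code from the Virtual HSM project: it builds the request body the way the parameter table documents it and recomputes the digest locally with Python's hashlib so the server's sum can be cross-checked by the client. The mapping of the documented algorithm names onto hashlib constructors, the helper names, and the sample reply are this example's own assumptions.

```python
import base64
import hashlib
import json

# Assumed mapping of the documented algorithm names onto hashlib constructors.
ALGORITHMS = {
    "sha2-224": hashlib.sha224,
    "sha2-256": hashlib.sha256,
    "sha2-384": hashlib.sha384,
    "sha2-512": hashlib.sha512,
}


def build_hash_request(data: bytes, algorithm: str = "sha2-256", fmt: str = "hex") -> dict:
    """Build the JSON body for POST /v1/sys/tools/hash.

    The endpoint expects the raw bytes base64-encoded in "input"; sending the
    plain text instead would hash the wrong bytes or be rejected as invalid base64.
    """
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if fmt not in ("hex", "base64"):
        raise ValueError(f"unsupported format: {fmt}")
    return {
        "input": base64.b64encode(data).decode("ascii"),
        "algorithm": algorithm,
        "format": fmt,
    }


def local_digest(data: bytes, algorithm: str = "sha2-256", fmt: str = "hex") -> str:
    """Compute the same digest locally, in the encoding the server would return."""
    raw = ALGORITHMS[algorithm](data).digest()
    return raw.hex() if fmt == "hex" else base64.b64encode(raw).decode("ascii")


def response_matches(response: dict, data: bytes, algorithm: str = "sha2-256", fmt: str = "hex") -> bool:
    """Cross-check a server reply of the form {"data": {"sum": ...}} against a local computation.

    A client that can recompute the digest does not have to trust the server's
    answer blindly, which matters when the endpoint is used as an integrity check.
    """
    return response.get("data", {}).get("sum") == local_digest(data, algorithm, fmt)


def main() -> None:
    data = b"Hello, Vault"  # constructed sample input, matching the page's request example
    body = build_hash_request(data, "sha2-256", "hex")
    print(json.dumps(body))
    # Constructed reply in the shape the page documents, built from the local digest.
    server_reply = {"data": {"sum": local_digest(data)}}
    print("server sum matches local digest:", response_matches(server_reply, data))


if __name__ == "__main__":
    main()
```

The body produced by build_hash_request is what goes into the POST shown above; the default format is hex and the default algorithm sha2-256, so both may be omitted when those are wanted.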

Generate random bytes using the default platform source.

post
Body
bytes (integer, Optional)

The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).

Default: 32

format (string, Optional)

Encoding format to use. Can be "hex" or "base64". Defaults to "base64".

Default: base64

source (string, Optional)

Which system to source random data from, either "platform", "seal", or "all".

Default: platform

urlbytes (string, Optional)

The number of bytes to generate (POST URL parameter).

Responses
200
Random bytes generated successfully.
application/json
400
Invalid request parameters.
application/json
POST /v1/sys/tools/random HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "bytes": 32,
  "format": "hex"
}
{
  "data": {
    "random_bytes": "a1b2c3d4e5f67890"
  }
}

Generate random bytes using a specified source.

post
Path parameters
source (string · enum, Required)

Source to generate randomness from.

Default: platform
Possible values:

Body
bytes (integer, Optional)

The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).

Default: 32

format (string, Optional)

Encoding format to use. Can be "hex" or "base64". Defaults to "base64".

Default: base64

urlbytes (string, Optional)

The number of bytes to generate (POST URL parameter).

Responses
200
Random bytes generated successfully from the specified source.
application/json
400
Invalid request or unknown source.
application/json
POST /v1/sys/tools/random/{source} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 30

{
  "bytes": 16,
  "format": "base64"
}
{
  "data": {
    "random_bytes": "QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
  }
}

Generate a specific number of random bytes.

post
Path parameters
urlbytes (string, Required)

Number of bytes to generate.

Body
bytes (integer, Optional)

The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).

Default: 32

format (string, Optional)

Encoding format to use. Can be "hex" or "base64". Defaults to "base64".

Default: base64

source (string, Optional)

Which system to source random data from, either "platform", "seal", or "all".

Default: platform

Responses
200
Random bytes generated successfully.
application/json
400
Invalid byte count or input.
application/json
POST /v1/sys/tools/random/{urlbytes} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16

{
  "format": "hex"
}
{
  "data": {
    "random_bytes": "f4e9d..."
  }
}

Generate a specific number of random bytes from a given source.

post
Path parameters
source (string · enum, Required)

Source to generate randomness from.

Possible values:

urlbytes (string, Required)

Number of bytes to generate.

Body
bytes (integer, Optional)

The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).

Default: 32

format (string, Optional)

Encoding format to use. Can be "hex" or "base64". Defaults to "base64".

Default: base64

Responses
200
Random bytes generated successfully.
application/json
400
Invalid input or unsupported source.
application/json
POST /v1/sys/tools/random/{source}/{urlbytes} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 19

{
  "format": "base64"
}
{
  "data": {
    "random_bytes": "bW9yZSByYW5kb20gYnl0ZXM="
  }
}

Unseal the Vault.

post
Body
key (string, Optional)

Specifies a single unseal key share. This is required unless reset is true.

reset (boolean, Optional)

Specifies if previously-provided unseal keys are discarded and the unseal process is reset.

Responses
200
Success
application/json
POST /v1/sys/unseal HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "key": "text",
  "reset": true
}
200

Success

{
  "build_date": "text",
  "cluster_id": "text",
  "cluster_name": "text",
  "hcp_link_resource_ID": "text",
  "hcp_link_status": "text",
  "initialized": true,
  "migration": true,
  "n": 1,
  "nonce": "text",
  "progress": 1,
  "recovery_seal": true,
  "sealed": true,
  "storage_type": "text",
  "t": 1,
  "type": "text",
  "version": "text"
}

Look up wrapping properties for the given token.

post
Body
token (string, Optional)

Responses
200
OK
application/json
POST /v1/sys/wrapping/lookup HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16

{
  "token": "text"
}
200

OK

{
  "creation_path": "text",
  "creation_time": "2025-05-09T09:42:38.637Z",
  "creation_ttl": 1
}

Rotates a response-wrapped token.

post

Accepts a response-wrapped token and returns a new wrapped token.

Body
token (string, Optional)

Responses
200
Successfully rewrapped token
application/json
Response: any
400
Invalid input or missing token
application/json
403
Forbidden: invalid or expired wrapping token
application/json
POST /v1/sys/wrapping/rewrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34

{
  "token": "hvs.XYZwrappedtoken123"
}
{
  "wrap_info": {
    "token": "hvs.newwrappedtoken456",
    "ttl": 300
  }
}

Unwraps a response-wrapped token.

post

Unwraps a token and returns the original payload.

Body
token (string, Optional)

Responses
200
Token unwrapped successfully
application/json
Response: any
204
Token unwrapped successfully but had no payload
400
Invalid request
application/json
403
Forbidden or token expired
application/json
POST /v1/sys/wrapping/unwrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31

{
  "token": "hvs.wrappedtoken123"
}
{
  "data": {
    "foo": "bar",
    "secret": "vault"
  }
}
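The lookup and unwrap endpoints above are meant to be used together: before unwrapping, a consumer of a response-wrapped token can read creation_path from the lookup response and refuse tokens that were not produced by the API path it expects, which stops an intermediary from substituting a wrapped payload of its own. The following is an added example, not code from the Virtual HSM project. It assumes the response shapes shown on this page and, for a live server, that the caller's own token goes in an X-Vault-Token header (as Vault does); the post callable, fake_poster and the sample replies are constructed for the example.

```python
import json
import urllib.request
from typing import Callable

# A poster sends a JSON body to an API path and returns the decoded JSON reply.
Poster = Callable[[str, dict], dict]


class WrappingTokenError(Exception):
    """Raised when a wrapping token fails validation before unwrap."""


def unwrap_checked(post: Poster, wrapping_token: str, expected_creation_path: str) -> dict:
    """Look up a wrapping token, validate where it was created, then unwrap it.

    creation_path is the API path whose response was wrapped. A consumer that
    expects, say, a token wrapped from auth/approle/login should refuse to
    unwrap a token created anywhere else.
    """
    info = post("/v1/sys/wrapping/lookup", {"token": wrapping_token})
    # The page shows creation_path at the top level; also accept it under "data".
    creation_path = info.get("creation_path") or info.get("data", {}).get("creation_path")
    if creation_path is None:
        raise WrappingTokenError("lookup returned no creation_path")
    if creation_path != expected_creation_path:
        raise WrappingTokenError(
            f"creation_path mismatch: got {creation_path!r}, expected {expected_creation_path!r}"
        )
    unwrapped = post("/v1/sys/wrapping/unwrap", {"token": wrapping_token})
    # A 204 (wrapped response had no payload) arrives here as an empty dict.
    return unwrapped.get("data", {})


def http_poster(addr: str, vault_token: str) -> Poster:
    """Poster for a live server; assumes X-Vault-Token header auth. Not exercised offline."""
    def post(path: str, body: dict) -> dict:
        req = urllib.request.Request(
            addr.rstrip("/") + path,
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "X-Vault-Token": vault_token},
            method="POST",
        )
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return post


def fake_poster(lookup_reply: dict, unwrap_reply: dict) -> Poster:
    """Constructed stand-in for a server that replays canned replies in the page's shapes."""
    def post(path: str, body: dict) -> dict:
        if path == "/v1/sys/wrapping/lookup":
            return lookup_reply
        if path == "/v1/sys/wrapping/unwrap":
            return unwrap_reply
        raise AssertionError(f"unexpected path {path}")
    return post


def demo() -> dict:
    # Constructed sample replies shaped like the lookup and unwrap responses on this page.
    post = fake_poster(
        {"creation_path": "sys/wrapping/wrap", "creation_time": "2025-05-09T09:42:38.637Z", "creation_ttl": 300},
        {"data": {"foo": "bar", "secret": "vault"}},
    )
    return unwrap_checked(post, "hvs.wrappedtoken123", "sys/wrapping/wrap")


if __name__ == "__main__":
    print(demo())
```

Against a real server, replace fake_poster with http_poster("https://localhost:8200", caller_token); the check is the same. Rejecting on a creation_path mismatch, rather than logging it, is deliberate: a wrapped payload arriving from an unexpected path is the signal that something between the producer and the consumer has been tampered with.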

Response-wraps an arbitrary JSON object.

post

Accepts a JSON object and returns it wrapped in a token.

Body
any (Optional)

Responses
200
Object wrapped successfully
application/json
Response: any
400
Missing payload to wrap
application/json
POST /v1/sys/wrapping/wrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29

{
  "foo": "bar",
  "user_id": "123"
}
{
  "wrap_info": {
    "token": "hvs.wrappedtoken789",
    "ttl": 300
  }
}