System
Successfully retrieved enabled audit devices.
Bad request due to client error.
Unauthorized. Vault token is invalid or missing.
Forbidden. Caller lacks sufficient permission.
Internal server error.
GET /v1/sys/audit HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 2
{}
{
  "file/": {
    "type": "file",
    "description": "Logs to a file",
    "options": {
      "file_path": "/var/log/vault_audit.log"
    },
    "local": true,
    "seal_wrap": false,
    "state": "enabled"
  }
}
The name of the audit backend. Cannot be delimited. Example: 'mysql'
Successfully calculated the hash of the input.
Bad request due to malformed or missing data.
Unauthorized. Vault token is invalid or missing.
Forbidden. Insufficient permissions.
Internal server error.
POST /v1/sys/audit-hash/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34
{
  "input": "sensitive-secret-value"
}

{
  "hash": "af4fd66bc72a1a1dc6c9c3bfa20c4ee7b7fda77a824..."
}
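The value returned by sys/audit-hash/{path} is the same HMAC the audit device wrote into its log for that input, which is how an operator ties a known plaintext to audit entries without ever un-HMACing the log. The following is an added example, not Vault's own code: the device salt is never exposed, so SALT here is a constructed stand-in used only to build the sample log lines and the hash the endpoint would return; the "hmac-sha256:" prefix and the file audit device's JSON layout are assumptions.

```python
"""Correlate a sys/audit-hash result with Vault audit log entries (added example)."""
import hashlib
import hmac
import json
from typing import Any, Iterator

# Constructed stand-in for the audit device's secret salt (never visible to clients).
SALT = b"constructed-audit-device-salt"


def audit_hmac(salt: bytes, value: str) -> str:
    """Stand-in for what POST /v1/sys/audit-hash/{path} returns for `value`.

    Assumption: HMAC-SHA256 keyed by the device salt, hex digest prefixed
    with "hmac-sha256:" as in the file audit device's log output.
    """
    digest = hmac.new(salt, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest


def _leaves(obj: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (dotted JSON path, string leaf) for every string in a nested object."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _leaves(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def _normalize(h: str) -> str:
    """Compare on the hex digest only, so a prefixed and a bare hash both match."""
    return h.rsplit(":", 1)[-1].strip().lower()


def find_hash_in_log(log_text: str, audit_hash: str) -> list[tuple[str, str, str]]:
    """Return (entry type, request id, JSON path) for every field whose HMAC
    equals `audit_hash`. Lines that are not valid JSON are skipped."""
    wanted = _normalize(audit_hash)
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        req_id = entry.get("request", {}).get("id", "")
        for path, leaf in _leaves(entry):
            if _normalize(leaf) == wanted:
                hits.append((entry.get("type", ""), req_id, path))
    return hits


# Constructed sample in the shape of file audit device output: data values are
# HMACed, while metadata such as path and operation is logged in the clear.
SECRET = "sensitive-secret-value"
SAMPLE_LOG = "\n".join([
    json.dumps({
        "time": "2025-01-10T08:45:00Z", "type": "request",
        "request": {"id": "req-1", "operation": "update", "path": "secret/data/db",
                    "data": {"password": audit_hmac(SALT, SECRET)}},
    }),
    json.dumps({
        "time": "2025-01-10T08:45:00Z", "type": "response",
        "request": {"id": "req-1", "operation": "update", "path": "secret/data/db"},
        "response": {"data": {"password": audit_hmac(SALT, SECRET)}},
    }),
    json.dumps({
        "time": "2025-01-10T08:46:00Z", "type": "request",
        "request": {"id": "req-2", "operation": "read", "path": "secret/data/other",
                    "data": {"password": audit_hmac(SALT, "unrelated")}},
    }),
])


if __name__ == "__main__":
    # In practice the hash comes from POST /v1/sys/audit-hash/{path} with {"input": SECRET}.
    for hit in find_hash_in_log(SAMPLE_LOG, audit_hmac(SALT, SECRET)):
        print(hit)
```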
The name of the backend. Cannot be delimited. Example: 'mysql'
User-friendly description for this audit backend.
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
Configuration options for the audit backend.
The type of the backend. Example: "mysql"
Audit device successfully enabled. No content is returned.
Bad Request - The provided request body is invalid.
POST /v1/sys/audit/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 58
{
  "path": "mysql",
  "config": {
    "host": "localhost",
    "port": 3306
  }
}
{}
The name of the backend. Cannot be delimited. Example: 'mysql'
Audit device successfully disabled. No content is returned.
Bad Request - The provided path is invalid or the device cannot be disabled.
Unauthorized - Authentication failed or no access rights.
Not Found - The specified audit device path was not found.
DELETE /v1/sys/audit/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{}
The path to mount to. Cannot be delimited. Example: 'user'
Successfully read the auth configuration.
Bad Request - Invalid path or request format.
Unauthorized - Authentication failure.
Not Found - No auth engine found at this path.
GET /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "type": "userpass",
  "description": "User/password based authentication",
  "config": {
    "default_lease_ttl": "768h",
    "max_lease_ttl": "768h"
  }
}
After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. For example, enabling the "userpass" auth method at "user" will make it accessible at /auth/user.
The path to mount to. Cannot be delimited. Example: 'user'
Configuration for this mount, such as plugin_name.
User-friendly description for this credential backend.
Whether to give the mount access to Vault's external entropy.
false
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
The options to pass into the backend. Should be a json object with string keys and values.
Name of the auth plugin to use based from the name in the plugin catalog.
The semantic version of the plugin to use.
Whether to turn on seal wrapping for the mount.
false
The type of the backend. Example: "userpass"
Auth method successfully enabled. No content is returned.
Bad Request - Validation error or malformed input.
Unauthorized - Permission denied or token missing.
POST /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 132
{
  "type": "userpass",
  "description": "Enable user/password authentication",
  "config": {
    "default_lease_ttl": "768h",
    "max_lease_ttl": "768h"
  }
}
{}
The path to mount to. Cannot be delimited. Example: 'user'
Auth method successfully disabled. No content is returned.
Bad Request - Invalid path or request format.
Unauthorized - Authentication or permission failure.
Not Found - The specified auth method path was not found.
DELETE /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{}
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
Tune the configuration parameters for an auth path.
Successfully read tuning information.
Bad Request - Invalid request or path.
Unauthorized - Token missing or access denied.
GET /v1/sys/auth/{path}/tune HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "default_lease_ttl": "768h",
  "max_lease_ttl": "768h",
  "audit_non_hmac_request_keys": [
    "user"
  ],
  "audit_non_hmac_response_keys": [
    "metadata"
  ],
  "listing_visibility": "unauth",
  "passthrough_request_headers": [
    "X-My-Header"
  ]
}
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
Tune the configuration parameters for an auth path.
A list of headers to whitelist and allow a plugin to set on responses.
The list of keys in the request data object that will not be HMAC'ed by audit devices.
The list of keys in the response data object that will not be HMAC'ed by audit devices.
The default lease TTL for this mount.
User-friendly description for this credential backend.
Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'.
The max lease TTL for this mount.
The options to pass into the backend. Should be a json object with string keys and values.
A list of headers to whitelist and pass from the request to the plugin.
The semantic version of the plugin to use.
The type of token to issue (service or batch).
The user lockout configuration to pass into the backend. Should be a json object with string keys and values.
Successfully updated tuning parameters. No content is returned.
Bad Request - Validation error in request.
Unauthorized - Missing or invalid token.
POST /v1/sys/auth/{path}/tune HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 165
{
  "default_lease_ttl": "500h",
  "max_lease_ttl": "900h",
  "listing_visibility": "unauth",
  "audit_non_hmac_request_keys": [
    "username"
  ],
  "audit_non_hmac_response_keys": [
    "token"
  ]
}
{}
Use 'paths' instead.
Paths on which capabilities are being queried.
Token for which capabilities are being queried.
Successfully retrieved capabilities for the given paths.
Bad Request - Invalid request or missing fields.
Unauthorized - The token is invalid or expired.
POST /v1/sys/capabilities HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 58
{
  "paths": [
    "secret/data/finance",
    "auth/token/lookup-self"
  ]
}

{
  "capabilities": [
    "create",
    "read",
    "update"
  ]
}
Accessor of the token for which capabilities are being queried.
Use 'paths' instead.
Paths on which capabilities are being queried.
Successfully retrieved capabilities for the given paths.
Bad Request - Missing or invalid accessor or paths.
Unauthorized - Invalid credentials or insufficient permissions.
POST /v1/sys/capabilities-accessor HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 91
{
  "accessor": "dcb1dd7d-4bfc-3957-4b5d-b1595b0c099c",
  "paths": [
    "secret/data/hr",
    "sys/policy"
  ]
}

{
  "capabilities": [
    "read",
    "list"
  ]
}
Use 'paths' instead.
Paths on which capabilities are being queried.
Token for which capabilities are being queried.
Successfully retrieved capabilities for the specified paths.
Bad Request - Missing or invalid paths field.
Unauthorized - Token is missing, invalid, or lacks necessary permissions.
POST /v1/sys/capabilities-self HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 43
{
  "paths": [
    "secret/data/team",
    "sys/policy"
  ]
}

{
  "capabilities": [
    "read",
    "list"
  ]
}
Successfully listed the configured audited request headers.
Bad Request - Server failed to process the request.
Unauthorized - Token is missing or does not have sufficient privileges.
GET /v1/sys/config/auditing/request-headers HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "headers": [
    {
      "name": "X-Request-ID",
      "hmac": true
    },
    {
      "name": "Authorization",
      "hmac": false
    }
  ]
}
The name of the request header to audit.
X-Request-ID
Successfully retrieved the request header auditing information.
Bad Request - Invalid header format.
Unauthorized - Insufficient permissions.
GET /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "name": "X-Request-ID",
  "hmac": true
}
The name of the request header to audit.
X-Request-ID
Auditing for the header enabled successfully.
Bad Request - Could not enable auditing for header.
Unauthorized - Insufficient permissions.
POST /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13
{
  "hmac": true
}
No content
The name of the request header to audit.
X-Request-ID
Auditing for the header disabled successfully.
Bad Request - Header not found.
Unauthorized - Insufficient permissions.
DELETE /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Successfully retrieved the control group configuration.
Bad Request - Invalid request.
Unauthorized - Missing or invalid credentials.
GET /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "control_group": {
    "enforcement_level": "soft-mandatory",
    "thresholds": {
      "approvals": 2,
      "reviewers": [
        "team-leads",
        "security-admins"
      ]
    }
  }
}
Control group configuration updated successfully.
Bad Request - Invalid config.
Unauthorized - Access denied.
POST /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 130
{
  "control_group": {
    "enforcement_level": "soft-mandatory",
    "thresholds": {
      "approvals": 2,
      "reviewers": [
        "team-leads",
        "security-admins"
      ]
    }
  }
}

{
  "control_group": {
    "enforcement_level": "soft-mandatory",
    "thresholds": {
      "approvals": 2,
      "reviewers": [
        "team-leads",
        "security-admins"
      ]
    }
  }
}
Control group configuration deleted successfully.
Bad Request - Cannot delete configuration.
Unauthorized - Access denied.
DELETE /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Current CORS settings returned successfully.
Invalid request.
Forbidden. Not authorized.
GET /v1/sys/config/cors HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "enabled": true,
  "allowed_origins": [
    "https://example.com"
  ],
  "allowed_headers": [
    "X-Custom-Header"
  ],
  "allowed_methods": [
    "GET",
    "POST"
  ],
  "allow_credentials": true,
  "expose_headers": [
    "X-Expose-This"
  ]
}
A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.
A comma-separated string or array of strings indicating origins that may make cross-origin requests.
Enables or disables CORS headers on requests.
CORS settings successfully updated.
Invalid CORS configuration.
Not authorized.
POST /v1/sys/config/cors HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 205
{
  "enabled": true,
  "allowed_origins": [
    "https://example.com"
  ],
  "allowed_headers": [
    "Authorization",
    "X-Custom-Header"
  ],
  "allowed_methods": [
    "GET",
    "POST"
  ],
  "allow_credentials": true,
  "expose_headers": [
    "X-Expose-This"
  ]
}
No content
Group policy application configuration retrieved successfully.
Invalid request.
Forbidden. The client does not have permission.
Internal server error.
GET /v1/sys/config/group-policy-application HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "enabled": true,
  "default_policy": "default",
  "override_allowed": false
}
Group policy application configuration updated successfully.
POST /v1/sys/config/group-policy-application HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 68
{
  "enabled": true,
  "default_policy": "default",
  "override_allowed": false
}
Group policy application configuration updated successfully.
No content
The name of the subsystem to reload.
plugin-catalog
Subsystem reloaded successfully.
Invalid request.
Forbidden. The client does not have permission to reload the subsystem.
Subsystem not found.
Internal server error while reloading subsystem.
POST /v1/sys/config/reload/{subsystem} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 2
{}
No content
The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.
Sanitized configuration retrieved successfully.
Forbidden. The client does not have sufficient privileges.
Internal server error.
GET /v1/sys/config/state/sanitized HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "listener": [
    {
      "tcp": {
        "address": "127.0.0.1:8200",
        "tls_disable": true
      }
    }
  ],
  "storage": {
    "file": {
      "path": "<stripped>"
    }
  },
  "seal": {
    "type": "<stripped>"
  },
  "telemetry": {
    "dogstatsd_addr": "localhost:8125",
    "circonus_api_token": "<stripped>"
  }
}
Must be set to true
Must be set to true
Returns a list of configured UI headers.
Bad request. The request is malformed or missing required parameters.
Unauthorized. The request lacks valid authentication credentials.
Forbidden. The client does not have permission to access the requested resource.
Not Found. The requested resource does not exist.
Internal Server Error. A server-side error occurred.
GET /v1/sys/config/ui/headers HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 15
{
  "list": "true"
}

{
  "keys": [
    "text"
  ]
}
The name of the header.
Returns the configuration of the specified UI header.
Not Found. The requested header does not exist.
Internal Server Error. A server-side error occurred.
GET /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "value": "text",
  "values": [
    "text"
  ]
}
The name of the header.
Returns multiple values if true
The values to set the header.
Header value successfully configured.
Bad request. The request is malformed or missing required parameters.
Not Found. The requested header does not exist.
Internal Server Error. A server-side error occurred.
POST /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 32
{
  "value": "example-header-value"
}
No content
The name of the header.
Header successfully removed.
Bad request. The request is malformed or missing required parameters.
Not Found. The requested header does not exist.
Internal Server Error. A server-side error occurred.
DELETE /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The control group ID to authorize.
Authorization successful.
Bad request. The request is malformed or missing required parameters.
Unauthorized. The request lacks valid authentication credentials.
Forbidden. The client does not have permission to perform this action.
Internal Server Error. A server-side error occurred.
POST /v1/sys/control-group/authorize HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 63
{
  "group_id": "control-group-123",
  "permissions": [
    "read",
    "write"
  ]
}
No content
Unique identifier for the control group request.
Request processed successfully.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Authentication credentials were missing or invalid.
Forbidden - You do not have permission to perform this action.
Not Found - The control group or requested resource does not exist.
Internal Server Error - An unexpected error occurred on the server.
POST /v1/sys/control-group/request HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 88
{
  "request_id": "request-456",
  "data": {
    "operation": "access-database",
    "resource": "db-prod"
  }
}

{
  "status": "success",
  "message": "Control group request submitted successfully."
}
This endpoint decodes an encoded token using the provided one-time password (OTP). It can be used in unauthenticated contexts.
Specifies the encoded token (result from generate-root).
Specifies the otp code for decode.
Successfully decoded the token.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - The provided credentials are valid but insufficient.
Not Found - The token or associated resources could not be found.
Internal Server Error - An unexpected server-side error occurred.
POST /v1/sys/decode-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46
{
  "token": "encoded-token-value",
  "otp": "123456"
}

{
  "decoded_token": "decoded-value"
}
Successfully returned the list of experimental features.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - You do not have permission to access experimental features.
Not Found - The resource for experimental features could not be located.
Internal Server Error - An unexpected error occurred on the server.
GET /v1/sys/experiments HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 2
{}
{
  "features": [
    {
      "name": "new-auth-method",
      "enabled": true
    },
    {
      "name": "faster-raft-replication",
      "enabled": false
    }
  ]
}
Returns the configuration and progress details of the ongoing root token generation process.
Successfully retrieved the root generation progress.
Bad Request - The request is malformed or invalid.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - Insufficient permissions to read root generation progress.
Not Found - No active root generation attempt found.
Internal Server Error - Unexpected server-side error.
GET /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}
Starts a new root generation attempt. Only one attempt can be active at a time. Either otp or pgp_key must be provided.
Specifies a base64-encoded PGP public key.
Successfully initialized the root generation attempt.
Bad Request - Missing required parameters or invalid input.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - Insufficient permissions to initialize root generation.
Conflict - A root generation attempt is already in progress.
Internal Server Error - Unexpected server-side error.
POST /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 81
{
  "otp": "otp-secret-string",
  "pgp_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n..."
}

{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}
Cancels any in-progress root token generation attempt, allowing a new attempt to be started.
Successfully canceled the root generation attempt.
Bad Request - The request is malformed or invalid.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - Insufficient permissions to cancel the root generation.
Internal Server Error - Unexpected server-side error.
DELETE /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Returns configuration and current progress details for an active root token generation attempt.
Successfully retrieved root generation progress.
Bad Request - The request is malformed or invalid.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to read the root generation progress.
Not Found - No active root generation attempt found.
Internal Server Error - An unexpected server-side error occurred.
GET /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}
Starts a new root generation attempt. Only one attempt can be active at a time. Either otp or pgp_key must be provided.
Specifies a base64-encoded PGP public key.
Successfully initialized the root generation attempt.
Bad Request - Missing required parameters or invalid input.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to initiate root generation.
Conflict - A root generation attempt is already in progress.
Internal Server Error - An unexpected server-side error occurred.
POST /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 81
{
  "otp": "otp-secret-string",
  "pgp_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n..."
}

{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}
Cancels any in-progress root token generation attempt to allow a new one to begin.
Successfully canceled the root generation attempt.
Bad Request - The request is malformed or invalid.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to cancel the root generation.
Internal Server Error - An unexpected server-side error occurred.
DELETE /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Submits a single unseal key share for the active root generation attempt. If the required threshold of key shares is reached, Vault completes the root token generation and issues the new token. The attempt nonce must be provided with each call.
Specifies a single unseal key share.
Specifies the nonce of the attempt.
Successfully submitted the key share. Progress updated.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to submit key shares.
Not Found - No active root generation attempt was found.
Conflict - The root generation attempt is already completed or invalid.
Internal Server Error - A server-side error occurred.
POST /v1/sys/generate-root/update HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 64
{
  "key": "unseal-key-share-string",
  "nonce": "attempt-nonce-string"
}

{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}
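The three calls above (start an attempt with an OTP, submit key shares with the attempt nonce until `progress` reaches `required`, then hand the `encoded_token` and OTP to sys/decode-token) form one exchange, and a client that does not check the nonce and the 409 conflict case will silently feed shares into someone else's attempt. The following is an added example, not Vault's own client: `transport` is an assumed callable of the form (method, path, body) -> (status, json) that the reader supplies (for instance with urllib), and FakeVault is a constructed server side that follows the response fields shown on this page; its OTP-XOR token encoding is a stand-in, not Vault's real scheme.

```python
"""Drive a root token generation attempt and decode the result (added example)."""
import base64
import secrets
from typing import Callable, Optional

Transport = Callable[[str, str, Optional[dict]], tuple[int, dict]]


class RootGenError(RuntimeError):
    pass


def generate_root(transport: Transport, key_shares: list[str], otp: str) -> str:
    """Start an attempt with `otp`, submit key shares with the attempt nonce
    until the threshold is met, then decode the encoded token with the OTP."""
    status, attempt = transport("POST", "/v1/sys/generate-root/attempt", {"otp": otp})
    if status == 409:
        raise RootGenError("a root generation attempt is already in progress")
    if status != 200 or not attempt.get("started"):
        raise RootGenError(f"could not start attempt: HTTP {status}")
    nonce, required = attempt["nonce"], attempt["required"]
    if len(key_shares) < required:
        raise RootGenError(f"need {required} key shares, have {len(key_shares)}")
    result = attempt
    for share in key_shares[:required]:
        status, result = transport("POST", "/v1/sys/generate-root/update",
                                   {"key": share, "nonce": nonce})
        if status != 200:
            raise RootGenError(f"key share rejected: HTTP {status}")
        if result.get("nonce") != nonce:  # the nonce must match on every call
            raise RootGenError("attempt nonce changed; aborting")
        if result.get("complete"):
            break
    if not result.get("complete"):
        raise RootGenError(f"attempt incomplete: {result.get('progress')}/{required}")
    encoded = result.get("encoded_token") or result.get("encoded_root_token")
    status, decoded = transport("POST", "/v1/sys/decode-token",
                                {"token": encoded, "otp": otp})
    if status != 200:
        raise RootGenError(f"decode failed: HTTP {status}")
    return decoded["decoded_token"]


def _xor_with_otp(data: bytes, otp: str) -> bytes:
    """Constructed stand-in encoding for the fake server; not Vault's scheme."""
    key = otp.encode()
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class FakeVault:
    """Constructed server side of the exchange, using the response fields
    shown on this page (started, nonce, progress, required, complete)."""

    def __init__(self, required: int, valid_shares: set[str], root_token: str):
        self.required, self.valid, self.root = required, valid_shares, root_token
        self.nonce: Optional[str] = None
        self.otp, self.progress = "", 0

    def _state(self, complete: bool) -> dict:
        return {"started": True, "complete": complete, "nonce": self.nonce,
                "progress": self.progress, "required": self.required}

    def __call__(self, method: str, path: str, body: Optional[dict]) -> tuple[int, dict]:
        body = body or {}
        if method == "POST" and path == "/v1/sys/generate-root/attempt":
            if self.nonce:  # only one attempt may be active at a time
                return 409, {"errors": ["attempt already in progress"]}
            if not (body.get("otp") or body.get("pgp_key")):
                return 400, {"errors": ["otp or pgp_key must be provided"]}
            self.nonce, self.otp, self.progress = secrets.token_hex(8), body.get("otp", ""), 0
            return 200, self._state(False)
        if method == "POST" and path == "/v1/sys/generate-root/update":
            if not self.nonce:
                return 404, {"errors": ["no active attempt"]}
            if body.get("nonce") != self.nonce or body.get("key") not in self.valid:
                return 400, {"errors": ["bad nonce or key share"]}
            self.progress += 1
            state = self._state(self.progress >= self.required)
            if state["complete"]:
                state["encoded_token"] = base64.b64encode(
                    _xor_with_otp(self.root.encode(), self.otp)).decode()
                self.nonce = None  # attempt finished; a new one may start
            return 200, state
        if method == "POST" and path == "/v1/sys/decode-token":
            raw = base64.b64decode(body["token"])
            return 200, {"decoded_token": _xor_with_otp(raw, body["otp"]).decode()}
        return 404, {}
```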
Retrieves detailed information regarding the HA cluster setup, including whether the node is active, standby, and information about the leader.
Successfully retrieved the HA status.
Internal Server Error - Failed to retrieve HA status due to server-side issues.
GET /v1/sys/ha-status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "nodes": [
    {}
  ]
}
Returns different HTTP status codes depending on Vault's current state:
- 200: Vault is initialized, unsealed, and active.
- 429: Vault is unsealed and in standby mode.
- 472: Vault is in data recovery mode, acting as replication secondary and active.
- 501: Vault is not initialized.
- 503: Vault is sealed and unavailable.
Initialized, unsealed, and active.
Bad Request - Invalid request parameters or format.
Unauthorized - Missing or invalid authentication credentials.
Unsealed and standby.
Data recovery mode replication secondary and active.
Internal Server Error - An unexpected error occurred.
Not initialized.
Sealed.
GET /v1/sys/health HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Collects and returns host-level system information including hardware details, CPU utilization, disk usage, and memory statistics. Useful for monitoring the resource consumption of the Vault instance.
Successfully retrieved host information.
Bad Request - Malformed request or invalid parameters.
Unauthorized - Authentication credentials missing or invalid.
Internal Server Error - Failed to retrieve host information.
GET /v1/sys/host-info HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "cpu": [
    {}
  ],
  "cpu_times": [
    {}
  ],
  "disk": [
    {}
  ],
  "host": {},
  "memory": {},
  "timestamp": "2025-08-12T10:55:36.699Z"
}
Returns a map of ongoing API requests ("in-flight requests") to assist with debugging and load monitoring. Each entry provides information such as client details, request path, and duration.
Successfully retrieved in-flight request information.
Bad Request - Malformed request or invalid parameters.
Unauthorized - Authentication credentials missing or invalid.
Internal Server Error - Failed to retrieve in-flight request information.
GET /v1/sys/in-flight-req HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Checks whether Vault has already been initialized. This endpoint returns the initialization status without making any modifications to the Vault state.
Successfully retrieved initialization status.
Bad Request - Malformed request.
Internal Server Error - Failed to retrieve initialization status.
GET /v1/sys/init HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Initializes the Vault server. Initialization is a one-time operation. After successful initialization, Vault will generate a set of unseal keys and an initial root token. If using HSM, recovery and stored shares options can be configured during this process.
Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as recovery_shares.
Specifies the number of shares to split the recovery key into.
Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to recovery_shares.
Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation.
Specifies the number of shares to split the unseal key into.
Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as secret_shares.
Successfully initialized Vault.
Bad Request - Vault is already initialized or request parameters are invalid.
Conflict - Vault is already initialized.
Internal Server Error - Failed to initialize Vault.
POST /v1/sys/init HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 101
{
  "secret_shares": 5,
  "secret_threshold": 3,
  "recovery_shares": 1,
  "recovery_threshold": 1,
  "stored_shares": 0
}
No content
Retrieves historical counts of unique clients that interacted with Vault, covering the current namespace and all child namespaces.
Successfully retrieved client activity counts.
Bad Request - Malformed request.
Internal Server Error - Failed to retrieve counts.
GET /v1/sys/internal/counters/activity HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Exports detailed raw historical client activity data for analysis and reporting outside of Vault.
Successfully exported client activity data.
Bad Request - Malformed request.
Internal Server Error - Failed to export activity data.
GET /v1/sys/internal/counters/activity/export HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Returns the number of unique clients that have interacted with Vault during the current month for this namespace and all child namespaces.
Successfully retrieved monthly client counts.
Bad Request - Malformed request.
Internal Server Error - Failed to retrieve monthly counts.
GET /v1/sys/internal/counters/activity/monthly HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Returns the current configuration settings for client count collection, including status, retention period, and default reporting period.
Successfully retrieved client count configuration.
Bad Request - Malformed request.
Internal Server Error - Failed to retrieve configuration.
GET /v1/sys/internal/counters/config HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Enables or disables the collection of client counts and configures the retention period and default reporting period for client activity data.
Number of months to report if no start date specified.
12
Enable or disable collection of client count: enable, disable, or default.
default
Number of months of client data to retain. Setting to 0 will clear all existing data.
24
Successfully updated client count tracking configuration.
Bad Request - Invalid configuration settings provided.
Internal Server Error - Failed to update configuration.
POST /v1/sys/internal/counters/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 70
{
  "default_report_months": 12,
  "enabled": "default",
  "retention_months": 24
}
No content
Retrieves the current number of active identity entities managed by the Vault server. Note: Backward compatibility is not guaranteed for this endpoint.
Successfully retrieved entity count.
Bad Request - Malformed or invalid request.
Internal Server Error - Failed to retrieve entity count.
GET /v1/sys/internal/counters/entities HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "counters": {}
}
This endpoint is currently unsupported and deprecated. Previously, it provided a count of requests handled by the Vault cluster. Note: Backward compatibility is not guaranteed.
Deprecated API call successful (no useful output).
Bad Request - Invalid call to deprecated API.
Internal Server Error - Deprecated API failure.
GET /v1/sys/internal/counters/requests HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Retrieves the current number of active authentication tokens managed by Vault. Note: Backward compatibility is not guaranteed for this endpoint.
Successfully retrieved token count.
Bad Request - Malformed or invalid request.
Internal Server Error - Failed to retrieve token count.
GET /v1/sys/internal/counters/tokens HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "counters": {}
}
Retrieves the entries in the router for the specified subtree (uuid, accessor, storage, root). The tag path parameter must be one of the inspectable subtrees. This endpoint provides information about the structure and entries in the router trees.
Name of the subtree being observed (e.g., uuid, accessor, storage, root).
Successfully retrieved the entries in the router for the specified tag.
Bad Request - Invalid or malformed tag or missing required parameters.
Not Found - The specified tag does not exist in the router.
Internal Server Error - Failed to retrieve router entries.
GET /v1/sys/internal/inspect/router/{tag} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Use generic mount paths
false
Successfully generated OpenAPI document
Internal server error
GET /v1/sys/internal/specs/openapi HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "openapi": "3.0.0",
  "info": {
    "title": "Vault API",
    "version": "v1"
  },
  "paths": {}
}
Context string appended to every operationId
Successfully generated OpenAPI document
Invalid request
Internal server error
POST /v1/sys/internal/specs/openapi HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27
{
  "mounts": [
    "auth/",
    "sys/"
  ]
}

{
  "openapi": "3.0.0",
  "info": {
    "title": "Filtered Vault API",
    "version": "v1"
  },
  "paths": {}
}
Successfully listed enabled feature flags
Invalid request
Internal server error
GET /v1/sys/internal/ui/feature-flags HTTP/1.1
Host: localhost:8200
Accept: */*
{
"flags": [
{
"name": "advanced_mode",
"enabled": true
},
{
"name": "beta_theme",
"enabled": false
}
]
}
Successfully listed visible mounts
Invalid request
Internal server error
GET /v1/sys/internal/ui/mounts HTTP/1.1
Host: localhost:8200
Accept: */*
{
"mounts": {
"auth/": {
"type": "userpass",
"accessor": "auth_userpass_abcd",
"visible": true
},
"secret/": {
"type": "kv",
"options": {
"version": "2"
},
"visible": true
}
}
}
Successfully listed namespaces
Invalid request
Internal server error
GET /v1/sys/internal/ui/namespaces HTTP/1.1
Host: localhost:8200
Accept: */*
{
"namespaces": [
{
"name": "finance/"
},
{
"name": "engineering/"
}
]
}
Successfully returned ACL policy
No client token present; empty response
Invalid request
Internal server error
GET /v1/sys/internal/ui/resultant-acl HTTP/1.1
Host: localhost:8200
Accept: */*
{
"policies": [
"default",
"dev-policy"
],
"capabilities": [
"read",
"list"
]
}
Successfully retrieved key status
Invalid request
Internal server error
GET /v1/sys/key-status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"term": 5,
"install_time": "2024-11-05T12:00:00Z",
"last_rotation": "2025-01-10T08:45:00Z"
}
Successfully returned leader status
Invalid request
Internal server error
GET /v1/sys/leader HTTP/1.1
Host: localhost:8200
Accept: */*
{
"ha_enabled": true,
"is_self": false,
"leader_address": "https://vault-1.example.com:8200"
}
Successfully listed leases
Invalid request
Internal server error
GET /v1/sys/leases HTTP/1.1
Host: localhost:8200
Accept: */*
{
"leases": [
{
"path": "auth/token/create",
"id": "a1b2c3"
},
{
"path": "secret/myapp/config",
"id": "d4e5f6"
}
]
}
The lease identifier to look up. This is included with a lease.
Successfully retrieved lease metadata
Bad request
Lease not found
Internal server error
POST /v1/sys/leases/lookup HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39
{
"lease_id": "auth/token/create/a1b2c3"
}
{
"lease_id": "auth/token/create/a1b2c3",
"renewable": true,
"ttl": 3600
}
Must be set to 'true' to trigger a list response.
Successfully listed lease paths
Invalid query parameter
Internal server error
GET /v1/sys/leases/lookup/ HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"auth/token/create/",
"secret/data/db-creds/"
]
}
The path to list leases under. Example: "aws/creds/deploy"
Must be set to 'true'
Successfully listed leases for the prefix
Invalid input
Prefix not found
Internal server error
GET /v1/sys/leases/lookup/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"aws/creds/deploy/app1",
"aws/creds/deploy/app2"
]
}
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
Lease renewed successfully (no content)
Bad request
Lease not found
Internal server error
POST /v1/sys/leases/renew HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 63
{
"lease_id": "database/creds/my-role/Y7sGbfd9",
"increment": 3600
}
No content
The lease ID to renew. Example: "database/creds/my-role/Y7sGbfd9"
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
Lease renewed successfully (no content)
Bad request
Lease not found
Internal server error
POST /v1/sys/leases/renew/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 18
{
"increment": 1800
}
No content
The lease identifier to revoke. This is included with a lease.
Whether or not to perform the revocation synchronously
true
The lease identifier to revoke. This is included with a lease.
Lease revoked successfully (no content)
Bad request
Lease not found
Internal server error
POST /v1/sys/leases/revoke HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46
{
"lease_id": "database/creds/my-role/Y7sGbfd9"
}
No content
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
The path to revoke keys under. Example: "prod/aws/ops"
OK
POST /v1/sys/leases/revoke-force/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
No content
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
The path to revoke keys under. Example: "prod/aws/ops"
Whether or not to perform the revocation synchronously
true
OK
POST /v1/sys/leases/revoke-prefix/{prefix} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13
{
"sync": true
}
OK
No content
The lease identifier to revoke. This is included with a lease.
The lease identifier to revoke. This is included with a lease.
Whether or not to perform the revocation synchronously
true
OK
POST /v1/sys/leases/revoke/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31
{
"lease_id": "text",
"sync": true
}
OK
No content
Lease tidy completed successfully; no content returned.
Invalid input or parameters.
Internal server error during lease tidy.
POST /v1/sys/leases/tidy HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 52
{
"safety_buffer": "1h",
"safety_buffer_percentage": 10
}
No content
Successfully retrieved license status.
Error retrieving license status.
GET /v1/sys/license/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"license_type": "enterprise",
"expiration_time": "2025-12-31T23:59:59Z",
"status": "valid"
}
Successfully retrieved locked user metrics.
Failed to retrieve locked user metrics.
GET /v1/sys/locked-users HTTP/1.1
Host: localhost:8200
Accept: */*
{
"total_locked_users": 3,
"namespaces": [
{
"name": "root",
"locked_users": 1
},
{
"name": "team-a",
"locked_users": 2
}
]
}
Identifier of the alias (e.g., username or RoleID).
Identifier of the mount entry associated with the user.
User successfully unlocked.
User or mount not found.
Internal server error.
POST /v1/sys/locked-users/{mount_accessor}/unlock/{alias_identifier} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"success": true,
"message": "User unlocked successfully"
}
Current verbosity levels retrieved.
Internal error while reading logger settings.
GET /v1/sys/loggers HTTP/1.1
Host: localhost:8200
Accept: */*
{
"default": "info",
"loggers": {
"audit": "warn",
"core": "debug"
}
}
Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".
Logger levels updated.
Invalid log level provided.
POST /v1/sys/loggers HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46
{
"default": "info",
"loggers": {
"audit": "error"
}
}
No content
Name of the logger to modify.
Logger verbosity level retrieved.
Logger not found.
GET /v1/sys/loggers/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "audit",
"level": "warn"
}
Name of the logger to modify.
Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".
Logger level updated.
Invalid log level.
POST /v1/sys/loggers/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"level": "debug"
}
No content
Must be set to "true" to list keys.
Managed keys listed.
Missing or incorrect query parameter.
GET /v1/sys/managed-keys/{type} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"key1",
"key2"
]
}
Managed key details.
Managed key not found.
GET /v1/sys/managed-keys/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "key1",
"type": "encryption",
"status": "active"
}
The type of the managed key (e.g., "transit", "pkcs11").
The name of the managed key to use for the test signing operation.
Test signing successful.
Invalid input data for signing.
Managed key not found.
Internal server error during test sign.
POST /v1/sys/managed-keys/{type}/{name}/test/sign HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 69
{
"input": "aGVsbG8gd29ybGQ=",
"algorithm": "sha2-256",
"prehashed": false
}
{
"signature": "vault:v1:abc123signaturedata"
}
The output format for the metrics. Currently, only prometheus is supported.
Metrics exported successfully.
Bad request. The format parameter is invalid or missing.
Internal server error while exporting metrics.
GET /v1/sys/metrics HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 23
{
"format": "prometheus"
}
# HELP vault_core_handle_request_count Total number of handled requests
# TYPE vault_core_handle_request_count counter
vault_core_handle_request_count{code="200",method="GET",path="/v1/sys/metrics"} 42
A required parameter that must be set to true to retrieve the list of MFA methods.
Successfully retrieved the list of configured MFA methods.
Bad request. The list parameter was missing or invalid.
Internal server error while retrieving MFA methods.
GET /v1/sys/mfa/method HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 15
{
"list": "true"
}
{
"data": {
"methods": [
{
"name": "duo",
"type": "duo"
},
{
"name": "okta",
"type": "okta"
},
{
"name": "totp",
"type": "totp"
}
]
}
}
The unique name of the Okta MFA method.
Successfully retrieved the Okta MFA configuration.
Invalid request syntax or parameters.
Forbidden – insufficient access rights.
The specified MFA method was not found.
Unexpected internal server error.
GET /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "okta-main",
"type": "okta",
"org_name": "example-org",
"token": "s.exampletoken"
}
}
The unique name of the Okta MFA method.
Successfully created or updated the Okta MFA method.
Bad request – invalid payload or missing fields.
Forbidden – access denied.
Internal server error.
POST /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 51
{
"org_name": "example-org",
"token": "s.exampletoken"
}
{
"data": {
"success": true
}
}
The unique name of the Okta MFA method.
The method was successfully deleted; no content returned.
Invalid request syntax or missing required fields.
Forbidden – client lacks necessary permissions.
The requested MFA method was not found.
Internal server error.
DELETE /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the PingID MFA method configuration.
Successfully retrieved the PingID configuration.
Invalid input.
Forbidden.
Method not found.
Server error.
GET /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "pingid-main",
"type": "pingid",
"apikey": "abc123",
"org_alias": "my-org",
"token": "s.mytoken"
}
}
The name of the PingID MFA method configuration.
PingID method created or updated successfully.
Bad request.
Forbidden.
Internal server error.
POST /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60
{
"apikey": "abc123",
"org_alias": "my-org",
"token": "s.mytoken"
}
{
"data": {
"success": true
}
}
The name of the PingID MFA method configuration.
PingID method configuration deleted successfully. No content returned.
Invalid request or parameters.
Forbidden. Client lacks necessary permissions.
PingID method configuration not found.
Internal server error.
DELETE /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the TOTP MFA method configuration.
Successfully retrieved the TOTP method configuration.
Invalid input or missing parameters.
Forbidden.
Method not found.
Server error.
GET /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "totp-auth",
"type": "totp",
"issuer": "vault",
"period": 30,
"skew": 1
}
}
The name of the TOTP MFA method configuration.
TOTP method created or updated successfully.
Bad request or validation error.
Forbidden.
Internal server error.
POST /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39
{
"issuer": "vault",
"period": 30,
"skew": 1
}
{
"data": {
"success": true
}
}
The name of the TOTP MFA method configuration.
TOTP method deleted successfully. No content returned.
Bad request or invalid input.
Forbidden. Insufficient permissions.
The specified TOTP method configuration was not found.
Internal server error.
DELETE /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the TOTP MFA method configuration to destroy.
The TOTP method was successfully destroyed.
Invalid request format or parameters.
Forbidden. The user does not have the required permissions.
The specified TOTP method configuration was not found.
Internal server error.
POST /v1/sys/mfa/method/totp/{name}/admin-destroy HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"destroyed": true
}
}
The name of the TOTP MFA method configuration.
TOTP key successfully generated.
Bad request. Invalid input data.
Forbidden. Insufficient permissions to perform this operation.
The specified TOTP configuration was not found.
Internal server error.
POST /v1/sys/mfa/method/totp/{name}/admin-generate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 52
{
"account_name": "[email protected]",
"issuer": "vault"
}
{
"data": {
"url": "otpauth://totp/vault:[email protected]?secret=ABCDEFG12345678&issuer=vault",
"barcode": "<base64-barcode-image>"
}
}
Name of the TOTP MFA method configuration to generate a key for.
Successfully retrieved the TOTP key and OTP URL.
Bad request — invalid request parameters.
Forbidden — insufficient permissions to generate TOTP key.
Not found — specified TOTP method does not exist.
Internal server error — unexpected error occurred.
GET /v1/sys/mfa/method/totp/{name}/generate HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"url": "otpauth://totp/vault:[email protected]?secret=XYZABC123456&issuer=vault",
"barcode": "iVBORw0KGgoAAAANSUhEUgAA..."
}
}
Validates MFA credentials submitted by the user. Upon successful validation, it returns an authentication response that includes a client token. This endpoint is typically called after initial credentials are provided and MFA is required.
A map from MFA method ID to a slice of passcodes or an empty slice if the method does not use passcodes
ID for this MFA request
Successful MFA validation and authentication.
Bad request — missing or invalid fields in the request.
Forbidden — MFA validation failed or unauthorized access.
Not found — specified MFA method or user not found.
Internal server error — unexpected failure during validation.
POST /v1/sys/mfa/validate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 40
{
"method_id": "totp-d3f1",
"otp": "123456"
}
{
"auth": {
"client_token": "s.QKJ123abcXYZ",
"accessor": "vS2iRzHyXweKzwo0tUR",
"policies": [
"default"
],
"lease_duration": 2764800,
"renewable": true
}
}
Fetch system logs based on the selected output format and log level.
Output format of logs. Supported values are "standard" and "json". The default is "standard".
standard
Log level to view system logs at. Supported values are "trace", "debug", "info", "warn", and "error".
OK
GET /v1/sys/monitor HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"log_format": "standard",
"log_level": "info",
"logs": [
"System initialized",
"Connection successful",
"Error at 10:23 AM"
]
}
OK
Bad Request
Internal Server Error
GET /v1/sys/mounts HTTP/1.1
Host: localhost:8200
Accept: */*
{
"mounts": [
{
"path": "secret/",
"type": "kv",
"description": "Key-Value secrets engine"
},
{
"path": "pki/",
"type": "cert",
"description": "PKI secrets engine"
}
]
}
The path to mount to. Example: "aws/east"
OK
GET /v1/sys/mounts/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"accessor": "text",
"config": {},
"deprecation_status": "text",
"description": "text",
"external_entropy_access": true,
"local": false,
"options": {},
"plugin_version": "text",
"running_plugin_version": "text",
"running_sha256": "text",
"seal_wrap": false,
"type": "text",
"uuid": "text"
}
The path to mount to. Example: "aws/east"
Configuration for this mount, such as default_lease_ttl and max_lease_ttl.
User-friendly description for this mount.
Whether to give the mount access to Vault's external entropy.
false
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
The options to pass into the backend. Should be a json object with string keys and values.
Name of the plugin to mount, as registered in the plugin catalog.
The semantic version of the plugin to use.
Whether to turn on seal wrapping for the mount.
false
The type of the backend. Example: "passthrough"
OK
POST /v1/sys/mounts/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 170
{
"config": {},
"description": "text",
"external_entropy_access": false,
"local": false,
"options": {},
"plugin_name": "text",
"plugin_version": "text",
"seal_wrap": false,
"type": "text"
}
OK
No content
The path to mount to. Example: "aws/east"
OK
Bad Request
Internal Server Error
GET /v1/sys/mounts/{path}/tune HTTP/1.1
Host: localhost:8200
Accept: */*
{
"default_lease_ttl": "768h",
"max_lease_ttl": "768h",
"description": "AWS Secrets Engine",
"audit_non_hmac_request_keys": [
"role"
]
}
The path to mount to. Example: "aws/east"
OK
Bad Request
Internal Server Error
POST /v1/sys/mounts/{path}/tune HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 135
{
"default_lease_ttl": "500h",
"max_lease_ttl": "1000h",
"description": "Updated AWS config",
"audit_non_hmac_request_keys": [
"role",
"region"
]
}
{
"success": true
}
OK
Bad Request
Internal Server Error
POST /v1/sys/namespaces/api-lock/lock HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39
{
"reason": "Planned maintenance window"
}
{
"success": true
}
OK
Bad Request
Internal Server Error
POST /v1/sys/namespaces/api-lock/unlock HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 33
{
"reason": "Maintenance complete"
}
{
"success": true
}
The path of the namespace
A map of arbitrary string to string valued user-provided metadata meant to describe the namespace
OK
POST /v1/sys/namespaces/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 22
{
"custom_metadata": {}
}
OK
{
"custom_metadata": {},
"id": "text",
"path": "text"
}
OK
Bad Request
Internal Server Error
GET /v1/sys/plugins/catalog HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"example-plugin": {
"type": "auth",
"sha256": "abc123...",
"command": "vault-plugin-example",
"args": []
}
}
}
The name of the plugin
OK
GET /v1/sys/plugins/catalog/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"args": [
"text"
],
"builtin": true,
"command": "text",
"deprecation_status": "text",
"name": "text",
"sha256": "text",
"version": "text"
}
The name of the plugin
The args passed to the plugin command.
The command used to start the plugin. The executable named in this command must exist in Vault's plugin directory.
The environment variables passed to the plugin command. Each entry is of the form "key=value".
The SHA256 sum of the executable used in the command field. This should be hex encoded.
The type of the plugin, may be auth, secret, or database
The semantic version of the plugin to use.
OK
POST /v1/sys/plugins/catalog/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 96
{
"args": [
"text"
],
"command": "text",
"env": [
"text"
],
"sha256": "text",
"type": "text",
"version": "text"
}
OK
No content
The type of the plugin, may be auth, secret, or database
Must be set to true
OK
GET /v1/sys/plugins/catalog/{type} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"keys": [
"text"
]
}
The name of the plugin
The type of the plugin, may be auth, secret, or database
OK
GET /v1/sys/plugins/catalog/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"args": [
"text"
],
"builtin": true,
"command": "text",
"deprecation_status": "text",
"name": "text",
"sha256": "text",
"version": "text"
}
The name of the plugin
The type of the plugin, may be auth, secret, or database
The args passed to the plugin command.
The command used to start the plugin. The executable named in this command must exist in Vault's plugin directory.
The environment variables passed to the plugin command. Each entry is of the form "key=value".
The SHA256 sum of the executable used in the command field. This should be hex encoded.
The semantic version of the plugin to use.
OK
POST /v1/sys/plugins/catalog/{type}/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 82
{
"args": [
"text"
],
"command": "text",
"env": [
"text"
],
"sha256": "text",
"version": "text"
}
OK
No content
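An added Python example (not Vault's or any plugin project's code) for the catalog registration described above: it computes the hex-encoded SHA256 of the executable sitting in the plugin directory to build the registration body, and re-checks a catalog entry against the binary on disk to catch a file that changed after it was pinned. The plugin directory, the file name vault-plugin-example and its contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

PLUGIN_TYPES = {"auth", "secret", "database"}  # the types the catalog accepts


def sha256_hex(path):
    """Hex-encoded SHA-256 of a file, the form the sha256 field expects."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def registration_body(plugin_dir, command, plugin_type, version, args=(), env=()):
    """Build the POST /v1/sys/plugins/catalog/{name} body (drop "type" for the
    {type}/{name} form) from the binary actually present in plugin_dir, so the
    pinned digest cannot drift from the file that will be executed."""
    if plugin_type not in PLUGIN_TYPES:
        raise ValueError(f"type must be one of {sorted(PLUGIN_TYPES)}")
    exe = os.path.join(plugin_dir, command)
    if os.path.dirname(command) or not os.path.isfile(exe):
        raise ValueError("command must name a file inside the plugin directory")
    return {"command": command, "sha256": sha256_hex(exe), "type": plugin_type,
            "version": version, "args": list(args), "env": list(env)}


def catalog_entry_matches(entry, plugin_dir):
    """Integrity check on a GET .../catalog/{type}/{name} response: does the
    registered sha256 still match the binary on disk? A mismatch means the
    file changed after registration and needs investigating."""
    if entry.get("builtin"):
        return True  # builtin plugins ship inside the Vault binary itself
    exe = os.path.join(plugin_dir, entry["command"])
    return os.path.isfile(exe) and sha256_hex(exe) == entry["sha256"].lower()


def demo():
    """Runs both checks against a constructed fake plugin file."""
    with tempfile.TemporaryDirectory() as plugin_dir:
        exe = os.path.join(plugin_dir, "vault-plugin-example")
        with open(exe, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed fake plugin\n")
        body = registration_body(plugin_dir, "vault-plugin-example", "secret", "v1.0.0")
        entry = {"command": body["command"], "sha256": body["sha256"], "builtin": False}
        intact = catalog_entry_matches(entry, plugin_dir)
        with open(exe, "ab") as f:  # simulate the binary being swapped afterwards
            f.write(b"echo tampered\n")
        return body, intact, catalog_entry_matches(entry, plugin_dir)
```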
Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. If the plugin name is provided, all mounted paths that use that plugin backend are reloaded. If scope is provided and is global, the plugin(s) are reloaded globally.
The mount paths of the plugin backends to reload.
The name of the plugin to reload, as registered in the plugin catalog.
OK
OK
POST /v1/sys/plugins/reload/backend HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 50
{
"mounts": [
"text"
],
"plugin": "text",
"scope": "text"
}
{
"reload_id": "text"
}
OK
Bad Request
Internal Server Error
GET /v1/sys/plugins/reload/backend/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"reload_required": true,
"plugins": [
"example-plugin",
"database-plugin"
]
}
Must be set to true to list ACL policies.
true
OK
Bad Request
Internal Server Error
GET /v1/sys/policies/acl HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"default",
"admin",
"readonly"
]
}
}
The name of the policy. Example: "ops"
The rules of the policy.
OK
POST /v1/sys/policies/acl/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"policy": "text"
}
OK
No content
Must be set to true to retrieve EGPs.
true
OK
Bad Request
Internal Server Error
GET /v1/sys/policies/egp HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"egp-policy-admin",
"egp-policy-ops"
]
}
}
The name of the EGP policy.
OK
EGP policy not found
GET /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "egp-policy-admin",
"policy": "path \"secret/*\" {\n capabilities = [\"read\"]\n}\n"
}
}
The name of the EGP policy.
Policy created or updated successfully
Invalid policy definition
Internal Server Error
POST /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 101
{
"policy": "path \"secret/data/finance\" {\n capabilities = [\"create\", \"read\", \"update\"]\n}\n"
}
No content
The name of the EGP policy.
Policy deleted successfully (empty body)
EGP policy not found
Internal Server Error
DELETE /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the password policy.
The password policy
OK
POST /v1/sys/policies/password/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"policy": "text"
}
OK
No content
Must be set to true to list RGPs.
true
OK
Bad request
Internal server error
GET /v1/sys/policies/rgp HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"rgp-policy-admin",
"rgp-policy-audit"
]
}
}
The name of the RGP policy.
OK
RGP policy not found
GET /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "rgp-policy-admin",
"policy": "path \"sys/*\" {\n capabilities = [\"create\", \"read\", \"update\"]\n}\n"
}
}
The name of the RGP policy.
Policy written successfully
Invalid policy definition
Internal server error
POST /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 82
{
"policy": "path \"sys/config/*\" {\n capabilities = [\"read\", \"update\"]\n}\n"
}
No content
The name of the RGP policy.
Policy deleted successfully (empty body)
RGP policy not found
Internal server error
DELETE /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the policy. Example: "ops"
The rules of the policy.
The rules of the policy.
OK
POST /v1/sys/policy/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"policy": "text"
}
OK
No content
If set, starts audit logging of requests that get rejected due to rate limit quota rule violations.
If set, additional rate limit quota HTTP headers will be added to responses.
Specifies the list of exempt paths from all rate limit quotas. If empty no paths will be exempt.
Quota configuration updated successfully (empty body)
Invalid configuration request
Internal server error
POST /v1/sys/quotas/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 42
{
"enabled": true,
"interval": "1s",
"rate": 50
}
No content
Must be set to true
A list of lease count quotas
Invalid request
Internal server error
GET /v1/sys/quotas/lease-count HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"quota1",
"quota2"
]
}
}
Lease count quota configuration
Quota not found
GET /v1/sys/quotas/lease-count/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "quota1",
"max_leases": 500,
"namespace": "root"
}
}
Quota created or updated successfully
POST /v1/sys/quotas/lease-count/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 19
{
"max_leases": 1000
}
Quota created or updated successfully
{
"data": {
"success": true
}
}
Must be set to true
A list of rate limit quota names
Invalid request
Internal server error
GET /v1/sys/quotas/rate-limit HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"global-read-quota",
"admin-api-quota"
]
}
}
Name of the quota rule.
Rate limit quota configuration
Quota not found
GET /v1/sys/quotas/rate-limit/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "global-read-quota",
"rate": 10,
"interval": "1s",
"path": "*"
}
}
Name of the quota rule.
If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.
The duration to enforce rate limiting for (default '1s').
Path of the mount or namespace to apply the quota to. A blank path configures a global quota. For example, namespace1/ adds a quota to a full namespace, and namespace1/auth/userpass adds a quota to userpass in namespace1.
The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive.
Login role to apply this quota to. Note that when set, path must be configured to a valid auth method with a concept of roles.
Type of the quota rule.
Quota created or updated successfully (no content)
Invalid quota configuration
POST /v1/sys/quotas/rate-limit/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 42
{
"rate": 5,
"interval": "1s",
"path": "auth/*"
}
No content
OK
GET /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"backup": true,
"n": 1,
"nonce": "text",
"pgp_fingerprints": [
"text"
],
"progress": 1,
"required": 1,
"started": "text",
"t": 1,
"verification_nonce": "text",
"verification_required": true
}
Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.
Specifies, if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.
Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
Turns on verification functionality
Specifies the number of shares to split the unseal key into.
Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
OK
POST /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 102
{
"backup": true,
"pgp_keys": [
"text"
],
"require_verification": true,
"secret_shares": 1,
"secret_threshold": 1
}
OK
{
"backup": true,
"n": 1,
"nonce": "text",
"pgp_fingerprints": [
"text"
],
"progress": 1,
"required": 1,
"started": "text",
"t": 1,
"verification_nonce": "text",
"verification_required": true
}
This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.
OK
DELETE /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Accept: */*
OK
No content
Successfully retrieved the recovery key backup
No recovery key backup found
Internal server error
GET /v1/sys/rekey/recovery-key-backup HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys_base64": [
"Q2FzZV9Bbm90aGVyX0tleQ==",
"U29tZV9CYXNlNjRfRW5jb2RlZF9LZXk="
]
}
}
Specifies a single unseal key share.
Specifies the nonce of the rekey attempt.
OK
POST /v1/sys/rekey/update HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29
{
"key": "text",
"nonce": "text"
}
OK
{
"backup": true,
"complete": true,
"keys": [
"text"
],
"keys_base64": [
"text"
],
"n": 1,
"nonce": "text",
"pgp_fingerprints": [
"text"
],
"progress": 1,
"required": 1,
"started": "text",
"t": 1,
"verification_nonce": "text",
"verification_required": true
}
Specifies a single unseal share key from the new set of shares.
Specifies the nonce of the rekey verification operation.
OK
POST /v1/sys/rekey/verify HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29
{
"key": "text",
"nonce": "text"
}
OK
{
"complete": true,
"nonce": "text"
}
This clears any progress made and resets the nonce. Unlike a DELETE against sys/rekey/init, this only resets the current verification operation, not the entire rekey attempt.
OK
DELETE /v1/sys/rekey/verify HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"n": 1,
"nonce": "text",
"progress": 1,
"started": "text",
"t": 1
}
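The rekey flow documented above (init with secret_shares and secret_threshold, update with a current share plus the attempt nonce until the threshold is met, verify with the new shares plus verification_nonce, and DELETE to cancel) as an added Python example; this is not Vault's own code. The server side is a constructed in-memory stand-in that models only the nonce and progress state machine, not Shamir secret sharing, so the example runs offline; replacing its methods with HTTP calls to the endpoints above points the client at a real Vault.

```python
import base64
import secrets


def _err(msg):
    return {"errors": [msg]}  # shape of a Vault 4xx body


class FakeRekeyServer:
    """Stand-in (constructed) for /v1/sys/rekey/init, /update and /verify."""

    def __init__(self, unseal_shares, threshold):
        self.shares = set(unseal_shares)  # shares protecting the barrier now
        self.threshold = threshold        # how many of them are required
        self.attempt = None               # in-progress rekey attempt, if any

    def _status(self):
        a = self.attempt
        return {"started": True, "nonce": a["nonce"], "n": a["n"], "t": a["t"],
                "progress": a["progress"], "required": self.threshold,
                "verification_required": a["verify"]}

    def post_init(self, body):
        if self.attempt is not None:
            return _err("rekey already in progress; cancel it first")
        n, t = body["secret_shares"], body["secret_threshold"]
        if not 1 <= t <= n:
            return _err("secret_threshold must be <= secret_shares")
        self.attempt = {"nonce": secrets.token_hex(8), "n": n, "t": t,
                        "progress": 0, "seen": set(), "new": None, "vseen": set(),
                        "verify": bool(body.get("require_verification")), "vnonce": None}
        return self._status()

    def delete_init(self):
        self.attempt = None  # discards all progress; existing shares stay valid

    def post_update(self, body):
        a = self.attempt
        if a is None or body.get("nonce") != a["nonce"]:
            return _err("missing or stale rekey nonce")
        if body.get("key") not in self.shares or body["key"] in a["seen"]:
            return _err("invalid or duplicate unseal share")
        a["seen"].add(body["key"])
        a["progress"] += 1
        if a["progress"] < self.threshold:
            return {"complete": False, **self._status()}
        a["new"] = [base64.b64encode(secrets.token_bytes(32)).decode()
                    for _ in range(a["n"])]
        resp = {"complete": True, "keys_base64": list(a["new"]), **self._status()}
        if a["verify"]:
            a["vnonce"] = resp["verification_nonce"] = secrets.token_hex(8)
        else:
            self._install()
        return resp

    def post_verify(self, body):
        a = self.attempt
        if a is None or a["vnonce"] is None or body.get("nonce") != a["vnonce"]:
            return _err("missing or stale verification nonce")
        if body.get("key") not in a["new"] or body["key"] in a["vseen"]:
            return _err("share is not from the new set")
        a["vseen"].add(body["key"])
        if len(a["vseen"]) < a["t"]:
            return {"complete": False, "nonce": a["vnonce"]}
        self._install()
        return {"complete": True, "nonce": body["nonce"]}

    def _install(self):
        a = self.attempt  # only here do the new shares replace the old ones
        self.shares, self.threshold, self.attempt = set(a["new"]), a["t"], None


def _ok(resp):
    if "errors" in resp:
        raise RuntimeError(resp["errors"][0])
    return resp


def run_rekey(server, old_shares, secret_shares, secret_threshold, verify=True):
    """Client side: returns the new base64 shares once the rekey is installed."""
    status = _ok(server.post_init({"secret_shares": secret_shares,
                                   "secret_threshold": secret_threshold,
                                   "require_verification": verify}))
    resp = {"complete": False}
    for share in old_shares[:status["required"]]:  # each call carries the nonce
        resp = _ok(server.post_update({"key": share, "nonce": status["nonce"]}))
    if not resp["complete"]:
        raise RuntimeError("not enough valid shares to meet the threshold")
    new_shares = resp["keys_base64"]
    if resp["verification_required"]:
        vresp = {"complete": False}  # prove the new shares before retiring the old
        for share in new_shares[:secret_threshold]:
            vresp = _ok(server.post_verify(
                {"key": share, "nonce": resp["verification_nonce"]}))
        if not vresp["complete"]:
            raise RuntimeError("verification did not complete")
    return new_shares
```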
The previous mount point.
The new mount point.
OK
POST /v1/sys/remount HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27
{
"from": "text",
"to": "text"
}
OK
{
"migration_id": "text"
}
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
OK
POST /v1/sys/renew HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 55
{
"increment": 1,
"lease_id": "text",
"url_lease_id": "text"
}
OK
No content
The lease identifier to renew. This is included with a lease.
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
OK
POST /v1/sys/renew/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 33
{
"increment": 1,
"lease_id": "text"
}
OK
No content
DR replication successfully enabled
Invalid request payload
Internal server error
POST /v1/sys/replication/dr/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 77
{
"mode": "primary",
"primary_cluster_addr": "https://vault-primary.example.com"
}
{
"data": {
"message": "DR primary enabled"
}
}
DR secondary successfully revoked
Secondary not found
Internal server error
POST /v1/sys/replication/dr/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34
{
"secondary_cluster_id": "dc-east"
}
{
"data": {
"message": "Secondary revoked successfully"
}
}
Token successfully created
Invalid input
Internal server error
POST /v1/sys/replication/dr/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 35
{
"id": "dc-west",
"namespace": "root"
}
{
"data": {
"secondary_token": "s.SOME_LONG_TOKEN_STRING"
}
}
Configuration reloaded successfully.
POST /v1/sys/replication/dr/secondary/config/reload/{subsystem} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Reload triggered for 'storage' subsystem."
}
}
DR secondary enabled.
POST /v1/sys/replication/dr/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 36
{
"token": "s.SECONDARY_TOKEN_STRING"
}
{
"data": {
"message": "Secondary enabled successfully."
}
}
Public key generated.
POST /v1/sys/replication/dr/secondary/generate-public-key HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"public_key": "-----BEGIN PUBLIC KEY-----\nABC123...\n-----END PUBLIC KEY-----"
}
}
Primary configuration updated.
POST /v1/sys/replication/dr/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60
{
"primary_cluster_addr": "https://vault-primary.example.com"
}
{
"data": {
"message": "Primary address updated."
}
}
Filter details retrieved.
GET /v1/sys/replication/performance/primary/dynamic-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"id": "filter-abc",
"paths": [
"auth/*"
]
}
}
Replication enabled.
POST /v1/sys/replication/performance/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39
{
"token": "s.PERF_PRIMARY_TOKEN_STRING"
}
{
"data": {
"message": "Primary replication enabled."
}
}
Filter details.
GET /v1/sys/replication/performance/primary/paths-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"id": "paths-filter-xyz",
"paths": [
"secret/data/*"
]
}
}
Filter updated successfully.
POST /v1/sys/replication/performance/primary/paths-filter/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27
{
"paths": [
"secret/data/*"
]
}
{
"data": {
"message": "Paths filter updated."
}
}
Secondary revoked successfully.
POST /v1/sys/replication/performance/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Secondary revoked."
}
}
Token generated.
POST /v1/sys/replication/performance/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46
{
"secondary_cluster_name": "us-west-secondary"
}
{
"data": {
"token": "s.TOKENSTRING"
}
}
Filter information retrieved.
GET /v1/sys/replication/performance/secondary/dynamic-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"id": "filter-123",
"paths": [
"auth/token/*"
]
}
}
Secondary enabled.
POST /v1/sys/replication/performance/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29
{
"token": "s.SECONDARY_TOKEN"
}
{
"data": {
"message": "Secondary enabled."
}
}
Public key generated.
POST /v1/sys/replication/performance/secondary/generate-public-key HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
}
}
Secondary promoted to primary.
POST /v1/sys/replication/performance/secondary/promote HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Secondary promoted to primary."
}
}
Primary updated successfully.
POST /v1/sys/replication/performance/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 56
{
"primary_api_addr": "https://vault-primary.example.com"
}
{
"data": {
"message": "Primary address updated."
}
}
Primary successfully demoted.
Forbidden - insufficient permissions.
POST /v1/sys/replication/primary/demote HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Primary cluster demoted."
}
}
Replication disabled on primary.
Forbidden - operation not permitted.
POST /v1/sys/replication/primary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Replication disabled on primary."
}
}
Primary replication enabled.
Invalid request.
Unauthorized to enable primary.
POST /v1/sys/replication/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39
{
"token": "s.PRIMARY_REPLICATION_TOKEN"
}
{
"data": {
"message": "Primary replication enabled."
}
}
Secondary successfully revoked.
Forbidden
POST /v1/sys/replication/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Secondary replication revoked."
}
}
Token successfully generated.
Forbidden
POST /v1/sys/replication/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 26
{
"id": "secondary-us-east"
}
{
"data": {
"token": "s.abcdef123456"
}
}
Recovery initiated.
Server error during recovery.
POST /v1/sys/replication/recover HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Recovery initiated successfully."
}
}
Secondary replication enabled.
Invalid token.
POST /v1/sys/replication/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31
{
"token": "s.replication-token"
}
{
"data": {
"message": "Secondary enabled."
}
}
Secondary successfully promoted.
Conflict - replication state prevents promotion.
POST /v1/sys/replication/secondary/promote HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Secondary promoted to primary."
}
}
Primary address updated successfully.
Invalid or missing primary configuration.
POST /v1/sys/replication/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 133
{
"primary_api_addr": "https://vault-primary.example.com:8200",
"ca_file": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}
{
"data": {
"message": "Primary connection info updated."
}
}
Current replication status returned.
Error retrieving replication status.
GET /v1/sys/replication/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"mode": "performance",
"state": "secondary",
"primary_cluster_addr": "https://vault-primary.example.com:8200",
"known_secondaries": [
{
"cluster_id": "us-west-secondary",
"api_address": "https://vault-us-west.example.com:8200"
}
]
}
}
The lease identifier to revoke. This is included with a lease.
Whether or not to perform the revocation synchronously
true
The lease identifier to revoke. This is included with a lease.
OK
POST /v1/sys/revoke HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 53
{
"lease_id": "text",
"sync": true,
"url_lease_id": "text"
}
OK
No content
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
The path to revoke keys under. Example: "prod/aws/ops"
OK
POST /v1/sys/revoke-force/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
No content
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
The path to revoke keys under. Example: "prod/aws/ops"
Whether or not to perform the revocation synchronously
true
OK
POST /v1/sys/revoke-prefix/{prefix} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13
{
"sync": true
}
OK
No content
The lease identifier to revoke. This is included with a lease.
The lease identifier to revoke. This is included with a lease.
Whether or not to perform the revocation synchronously
true
OK
POST /v1/sys/revoke/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31
{
"lease_id": "text",
"sync": true
}
OK
No content
Rotates the backend encryption key used to persist Vault data. This operation is a no-op if key rotation is disabled.
Key rotation successful. No content returned.
Forbidden. Sudo permissions required.
Internal server error during key rotation.
POST /v1/sys/rotate HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Current encryption key rotation configuration.
Internal error fetching configuration.
GET /v1/sys/rotate/config HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"auto_rotate_period": "24h",
"last_rotation_time": "2025-05-01T00:00:00Z"
}
}
Whether automatic rotation is enabled.
How long after an active key term is installed before the key is automatically rotated.
The number of encryption operations performed before the barrier key is automatically rotated.
Configuration updated successfully.
Invalid input configuration.
Forbidden. Sudo permissions required.
POST /v1/sys/rotate/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 28
{
"auto_rotate_period": "24h"
}
No content
GET /v1/sys/seal-status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"build_date": "text",
"cluster_id": "text",
"cluster_name": "text",
"hcp_link_resource_ID": "text",
"hcp_link_status": "text",
"initialized": true,
"migration": true,
"n": 1,
"nonce": "text",
"progress": 1,
"recovery_seal": true,
"sealed": true,
"storage_type": "text",
"t": 1,
"type": "text",
"version": "text"
}
Returns information about keys or values that require rewrap due to changes in the underlying seal configuration.
Sealwrap rewrap status retrieved successfully.
Internal error while fetching rewrap status.
GET /v1/sys/sealwrap/rewrap HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys_to_rewrap": [
"sys/policy/foo",
"auth/token/accessor/bar"
],
"total": 2
}
}
Triggers rewrap for keys encrypted with an old seal configuration. This may take time depending on the size of the data.
Rewrap operation completed successfully.
Invalid request parameters.
Internal error during rewrap operation.
POST /v1/sys/sealwrap/rewrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 54
{
"paths": [
"sys/policy/foo",
"auth/token/accessor/bar"
]
}
{
"data": {
"rewrapped_paths": [
"sys/policy/foo",
"auth/token/accessor/bar"
]
}
}
This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.
empty body
POST /v1/sys/step-down HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Must be set to true
Successfully listed configured snapshot jobs.
Missing or incorrect list=true query parameter.
GET /v1/sys/storage/raft/snapshot-auto/config/ HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"daily",
"hourly"
]
}
}
The name of the snapshot job configuration.
Snapshot job configuration retrieved.
Snapshot configuration not found.
GET /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"interval": "1h",
"retain": 5,
"storage_path_prefix": "snapshots/hourly"
}
}
The name of the snapshot job configuration.
Snapshot configuration saved successfully.
Invalid configuration.
POST /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 69
{
"interval": "1h",
"retain": 5,
"storage_path_prefix": "snapshots/hourly"
}
{
"data": {
"interval": "1h",
"retain": 5,
"storage_path_prefix": "snapshots/hourly"
}
}
The name of the snapshot job configuration.
Snapshot configuration deleted. Empty response body.
Configuration not found.
DELETE /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the snapshot job
Status of the snapshot job retrieved successfully.
No such snapshot job exists.
GET /v1/sys/storage/raft/snapshot-auto/status/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"last_snapshot": "2025-05-01T10:00:00Z",
"next_snapshot_due": "2025-05-01T11:00:00Z",
"state": "active"
}
}
Accepts raw input data and returns its hash digest using Vault's configured default hash algorithm.
Algorithm to use (POST body parameter). Valid values are sha2-224, sha2-256, sha2-384 and sha2-512. Defaults to "sha2-256".
sha2-256
Encoding format to use. Can be "hex" or "base64". Defaults to "hex".
hex
The base64-encoded input data
Algorithm to use (POST URL parameter)
Hash generated successfully.
Invalid input provided.
POST /v1/sys/tools/hash HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 24
{
"input": "Hello, Vault"
}
{
"data": {
"sum": "a830d7beb04eb7549ce990fb7dc962e499a27230"
}
}
Accepts raw input data and returns its hash digest using the algorithm specified in the URL.
The hash algorithm to use (e.g., sha2-256, sha2-512)
Algorithm to use (POST body parameter). Valid values are sha2-224, sha2-256, sha2-384 and sha2-512. Defaults to "sha2-256".
sha2-256
Encoding format to use. Can be "hex" or "base64". Defaults to "hex".
hex
The base64-encoded input data
Hash generated successfully using the specified algorithm.
Invalid algorithm or input provided.
POST /v1/sys/tools/hash/{urlalgorithm} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 24
{
"input": "Hello, Vault"
}
{
"data": {
"sum": "2cf24dba5fb0a030e..."
}
}
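The hash endpoints above take the input as base64 and return the digest in hex or base64, so a caller can recompute the digest locally and confirm that what Vault returned is what was expected. The following is an added example, not code from the Vault project or its documentation: it builds the request body from the parameter descriptions above and computes the expected `data.sum` with the standard library. The function names `vault_hash_body`, `expected_sum` and `verify_response` are mine, and the algorithm-to-hashlib mapping is an assumption about which digests the listed names denote.

```python
"""Build a sys/tools/hash request body and cross-check Vault's answer locally.

Added example, not part of Vault. The request shape (base64 `input`,
`algorithm`, `format`) follows the parameter descriptions on this page.
"""
import base64
import hashlib
import json

# Algorithm names accepted by the endpoint, mapped to hashlib constructors
# (assumption: "sha2-xxx" denotes the SHA-2 family member of that width).
ALGORITHMS = {
    "sha2-224": hashlib.sha224,
    "sha2-256": hashlib.sha256,
    "sha2-384": hashlib.sha384,
    "sha2-512": hashlib.sha512,
}


def vault_hash_body(data: bytes, algorithm: str = "sha2-256", fmt: str = "hex") -> str:
    """Return the JSON body to POST.

    The endpoint documents `input` as base64-encoded, so raw bytes are
    encoded here instead of being pasted into the JSON as text.
    """
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if fmt not in ("hex", "base64"):
        raise ValueError(f"unsupported format: {fmt}")
    body = {
        "input": base64.b64encode(data).decode("ascii"),
        "algorithm": algorithm,
        "format": fmt,
    }
    return json.dumps(body)


def expected_sum(body_json: str) -> str:
    """Compute what `data.sum` should contain for a given request body.

    Decodes the base64 input the way the server has to, applies the named
    algorithm (default sha2-256) and encodes the digest in the requested
    format (default hex), matching the documented defaults.
    """
    body = json.loads(body_json)
    raw = base64.b64decode(body["input"], validate=True)
    digest = ALGORITHMS[body.get("algorithm", "sha2-256")](raw).digest()
    if body.get("format", "hex") == "base64":
        return base64.b64encode(digest).decode("ascii")
    return digest.hex()


def verify_response(body_json: str, response: dict) -> bool:
    """True when the `data.sum` in Vault's response equals the local digest."""
    return response.get("data", {}).get("sum") == expected_sum(body_json)


if __name__ == "__main__":
    body = vault_hash_body(b"abc")
    print(body)
    print("expected data.sum:", expected_sum(body))
```

`verify_response` is the useful part: when the hash endpoint is used as a check on data that also passes through another system, comparing Vault's digest with a locally computed one catches a mismatched `algorithm` or `format` default before the value is trusted.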
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
Which system to source random data from, either "platform", "seal", or "all".
platform
The number of bytes to generate (POST URL parameter)
Random bytes generated successfully.
Invalid request parameters.
POST /v1/sys/tools/random HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27
{
"bytes": 32,
"format": "hex"
}
{
"data": {
"random_bytes": "a1b2c3d4e5f67890"
}
}
Source to generate randomness from
platform
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
The number of bytes to generate (POST URL parameter)
Random bytes generated successfully from specified source.
Invalid request or unknown source.
POST /v1/sys/tools/random/{source} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 30
{
"bytes": 16,
"format": "base64"
}
{
"data": {
"random_bytes": "QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
}
}
Number of bytes to generate
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
Which system to source random data from, either "platform", "seal", or "all".
platform
Random bytes generated successfully.
Invalid byte count or input.
POST /v1/sys/tools/random/{urlbytes} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16
{
"format": "hex"
}
{
"data": {
"random_bytes": "f4e9d..."
}
}
Source to generate randomness from
Number of bytes to generate
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
Random bytes generated successfully.
Invalid input or unsupported source.
POST /v1/sys/tools/random/{source}/{urlbytes} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 19
{
"format": "base64"
}
{
"data": {
"random_bytes": "bW9yZSByYW5kb20gYnl0ZXM="
}
}
Specifies a single unseal key share. This is required unless reset is true.
Specifies if previously-provided unseal keys are discarded and the unseal process is reset.
POST /v1/sys/unseal HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27
{
"key": "text",
"reset": true
}
{
"build_date": "text",
"cluster_id": "text",
"cluster_name": "text",
"hcp_link_resource_ID": "text",
"hcp_link_status": "text",
"initialized": true,
"migration": true,
"n": 1,
"nonce": "text",
"progress": 1,
"recovery_seal": true,
"sealed": true,
"storage_type": "text",
"t": 1,
"type": "text",
"version": "text"
}
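The unseal endpoint is driven one key share at a time, with `progress`, `t` and `sealed` in each response telling the operator where the process stands and `reset` discarding shares already submitted. The following is an added example, not code from Vault: `FakeVault` is a constructed stand-in for the server that applies the `key`/`reset` semantics described above and returns the documented status fields, without real Shamir reconstruction (it simply accepts any `t` distinct shares from a known set, which is a simplification); `unseal` is the client loop one would write against the real endpoint. Both names and the sample shares are mine.

```python
"""Client loop for sys/unseal against a simulated server.

Added example, not Vault's code. FakeVault only models the documented
request/response behaviour (key, reset, sealed, progress, t, n); the real
server combines Shamir shares, which is not reproduced here.
"""


class FakeVault:
    """Constructed server stand-in: tracks submitted shares and seal state."""

    def __init__(self, shares, threshold):
        self.shares = set(shares)      # the valid share set (constructed)
        self.t = threshold             # shares required to unseal
        self.n = len(self.shares)      # shares issued at init time
        self.submitted = set()         # shares seen in the current attempt
        self.sealed = True

    def status(self):
        # Subset of the seal-status fields shown in the response above.
        return {"sealed": self.sealed, "progress": len(self.submitted),
                "t": self.t, "n": self.n}

    def post_unseal(self, body):
        """Simulates POST /v1/sys/unseal with a JSON body."""
        if body.get("reset"):
            # reset=true discards previously provided shares.
            self.submitted.clear()
            return self.status()
        key = body.get("key")
        if key not in self.shares:
            raise ValueError("invalid unseal key")   # the server would return 400
        if not self.sealed:
            return self.status()
        self.submitted.add(key)        # a repeated share does not add progress
        if len(self.submitted) >= self.t:
            self.sealed = False
            self.submitted.clear()     # progress is back to 0 once unsealed
        return self.status()


def unseal(post, shares):
    """Submit shares until the server reports sealed == False.

    `post` is a callable taking the JSON body and returning the status dict,
    so the same loop can wrap a real HTTP client. Raises if the shares run
    out while the server is still sealed, reporting progress/t.
    """
    status = None
    for share in shares:
        status = post({"key": share})
        if not status["sealed"]:
            return status
    got = status["progress"] if status else 0
    need = status["t"] if status else "?"
    raise RuntimeError(f"still sealed after {len(shares)} shares: progress {got}/{need}")


if __name__ == "__main__":
    vault = FakeVault(["share-1", "share-2", "share-3", "share-4", "share-5"], threshold=3)
    print(unseal(vault.post_unseal, ["share-1", "share-2", "share-3"]))
```

The loop stops at the first response with `sealed` false rather than assuming the threshold, which is what an operator script should do: `t` is reported by the server, and an attempt that was partially completed by someone else will unseal earlier than expected.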
OK
POST /v1/sys/wrapping/lookup HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16
{
"token": "text"
}
OK
{
"creation_path": "text",
"creation_time": "2025-08-12T10:55:36.699Z",
"creation_ttl": 1
}
Accepts a response-wrapped token and returns a new wrapped token.
Successfully rewrapped token
Invalid input or missing token
Forbidden - invalid or expired wrapping token
POST /v1/sys/wrapping/rewrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34
{
"token": "hvs.XYZwrappedtoken123"
}
{
"wrap_info": {
"token": "hvs.newwrappedtoken456",
"ttl": 300
}
}
Unwraps a token and returns the original payload.
Token unwrapped successfully
Token unwrapped successfully but had no payload
Invalid request
Forbidden or token expired
POST /v1/sys/wrapping/unwrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31
{
"token": "hvs.wrappedtoken123"
}
{
"data": {
"foo": "bar",
"secret": "vault"
}
}
Accepts a JSON object and returns it wrapped in a token.
Object wrapped successfully
Missing payload to wrap
POST /v1/sys/wrapping/wrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29
{
"foo": "bar",
"user_id": "123"
}
{
"wrap_info": {
"token": "hvs.wrappedtoken789",
"ttl": 300
}
}
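The wrapping endpoints above form a small protocol: `lookup` reveals where and when a wrapping token was created without consuming it, and `unwrap` consumes it. The following is an added example, not Vault's code, that applies the check a consumer would run on the lookup response (`creation_path`, `creation_time`, `creation_ttl`) before calling unwrap: a token whose `creation_path` is not the endpoint the sender was expected to call was minted elsewhere, and one whose TTL has elapsed or is longer than the consumer permits is refused. The function names `lookup_response_ok` and `parse_rfc3339` and the sample values are mine.

```python
"""Gate sys/wrapping/unwrap on the result of sys/wrapping/lookup.

Added example, not Vault's code. It consumes the lookup response shape shown
above; the timestamps and paths in the test are constructed sample data.
"""
from datetime import datetime, timedelta, timezone


def parse_rfc3339(ts: str) -> datetime:
    """Parse a timestamp such as "2025-08-12T10:55:36.699Z".

    datetime.fromisoformat accepts a trailing "Z" only from Python 3.11, so
    the suffix is normalised to an explicit UTC offset first.
    """
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def lookup_response_ok(lookup: dict, expected_path: str, now: datetime,
                       max_ttl: int) -> tuple:
    """Decide whether to proceed to unwrap. Returns (ok, reason).

    - creation_path must equal the path the producer was expected to call
      (for example "sys/wrapping/wrap" when the producer wraps a JSON object);
    - creation_ttl must not exceed the consumer's limit;
    - the token must not have expired, i.e. now < creation_time + creation_ttl.
    """
    path = lookup.get("creation_path")
    if path != expected_path:
        return False, f"creation_path {path!r} != expected {expected_path!r}"
    try:
        ttl = int(lookup["creation_ttl"])
        created = parse_rfc3339(lookup["creation_time"])
    except (KeyError, ValueError, TypeError) as exc:
        return False, f"malformed lookup response: {exc}"
    if ttl > max_ttl:
        return False, f"creation_ttl {ttl}s exceeds limit {max_ttl}s"
    if now >= created + timedelta(seconds=ttl):
        return False, "wrapping token already expired"
    return True, "ok"


def unwrap_body(token: str) -> dict:
    """Request body for POST /v1/sys/wrapping/unwrap, built only after the
    lookup check passed."""
    return {"token": token}


if __name__ == "__main__":
    # Constructed sample lookup response in the shape documented above.
    sample = {"creation_path": "sys/wrapping/wrap",
              "creation_time": "2025-08-12T10:55:36.699Z",
              "creation_ttl": 300}
    now = parse_rfc3339("2025-08-12T10:56:36.699Z")
    ok, reason = lookup_response_ok(sample, "sys/wrapping/wrap", now, max_ttl=600)
    print(ok, reason)
    if ok:
        print(unwrap_body("hvs.CONSTRUCTED_SAMPLE_TOKEN"))
```

The `creation_path` comparison is the part that matters: lookup does not consume the token, so it can be run first, and a wrapping token presented as coming from one endpoint but created at another is the case this check is meant to surface before anything is unwrapped.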