System
Successfully retrieved enabled audit devices.
Bad request due to client error.
Unauthorized. Vault token is invalid or missing.
Forbidden. Caller lacks sufficient permission.
Internal server error.
The name of the audit backend. Cannot be delimited. Example: 'mysql'
Successfully calculated the hash of the input.
Bad request due to malformed or missing data.
Unauthorized. Vault token is invalid or missing.
Forbidden. Insufficient permissions.
Internal server error.
The name of the backend. Cannot be delimited. Example: 'mysql'
User-friendly description for this audit backend.
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
Configuration options for the audit backend.
The type of the backend. Example: "mysql"
Audit device successfully enabled. No content is returned.
Bad Request - The provided request body is invalid.
The name of the backend. Cannot be delimited. Example: 'mysql'
Audit device successfully disabled. No content is returned.
Bad Request - The provided path is invalid or the device cannot be disabled.
Unauthorized - Authentication failed or no access rights.
Not Found - The specified audit device path was not found.
The path to mount to. Cannot be delimited. Example: 'user'
Successfully read the auth configuration.
Bad Request - Invalid path or request format.
Unauthorized - Authentication failure.
Not Found - No auth engine found at this path.
After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. For example, enabling the "userpass" auth method at "user" will make it accessible at /auth/user.
The path to mount to. Cannot be delimited. Example: 'user'
Configuration for this mount, such as plugin_name.
User-friendly description for this credential backend.
Whether to give the mount access to Vault's external entropy.
false
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
The options to pass into the backend. Should be a json object with string keys and values.
Name of the auth plugin to use, based on the name in the plugin catalog.
The semantic version of the plugin to use.
Whether to turn on seal wrapping for the mount.
false
The type of the backend. Example: "userpass"
Auth method successfully enabled. No content is returned.
Bad Request - Validation error or malformed input.
Unauthorized - Permission denied or token missing.
The path to mount to. Cannot be delimited. Example: 'user'
Auth method successfully disabled. No content is returned.
Bad Request - Invalid path or request format.
Unauthorized - Authentication or permission failure.
Not Found - The specified auth method path was not found.
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
Tune the configuration parameters for an auth path.
Successfully read tuning information.
Bad Request - Invalid request or path.
Unauthorized - Token missing or access denied.
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
Tune the configuration parameters for an auth path.
A list of headers to whitelist and allow a plugin to set on responses.
The list of keys in the request data object that will not be HMAC'ed by audit devices.
The list of keys in the response data object that will not be HMAC'ed by audit devices.
The default lease TTL for this mount.
User-friendly description for this credential backend.
Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'.
The max lease TTL for this mount.
The options to pass into the backend. Should be a json object with string keys and values.
A list of headers to whitelist and pass from the request to the plugin.
The semantic version of the plugin to use.
The type of token to issue (service or batch).
The user lockout configuration to pass into the backend. Should be a json object with string keys and values.
Successfully updated tuning parameters. No content is returned.
Bad Request - Validation error in request.
Unauthorized - Missing or invalid token.
Use 'paths' instead.
Paths on which capabilities are being queried.
Token for which capabilities are being queried.
Successfully retrieved capabilities for the given paths.
Bad Request - Invalid request or missing fields.
Unauthorized - The token is invalid or expired.
Accessor of the token for which capabilities are being queried.
Use 'paths' instead.
Paths on which capabilities are being queried.
Successfully retrieved capabilities for the given paths.
Bad Request - Missing or invalid accessor or paths.
Unauthorized - Invalid credentials or insufficient permissions.
Use 'paths' instead.
Paths on which capabilities are being queried.
Token for which capabilities are being queried.
Successfully retrieved capabilities for the specified paths.
Bad Request - Missing or invalid paths field.
Unauthorized - Token is missing, invalid, or lacks necessary permissions.
Successfully listed the configured audited request headers.
Bad Request - Server failed to process the request.
Unauthorized - Token is missing or does not have sufficient privileges.
The name of the request header to audit.
X-Request-ID
Successfully retrieved the request header auditing information.
Bad Request - Invalid header format.
Unauthorized - Insufficient permissions.
The name of the request header to audit.
X-Request-ID
Auditing for the header enabled successfully.
Bad Request - Could not enable auditing for header.
Unauthorized - Insufficient permissions.
No content
The name of the request header to audit.
X-Request-ID
Auditing for the header disabled successfully.
Bad Request - Header not found.
Unauthorized - Insufficient permissions.
No content
A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.
A comma-separated string or array of strings indicating origins that may make cross-origin requests.
Enables or disables CORS headers on requests.
CORS settings successfully updated.
Invalid CORS configuration.
Not authorized.
No content
Group policy application configuration retrieved successfully.
Invalid request.
Forbidden. The client does not have permission.
Internal server error.
The name of the subsystem to reload.
plugin-catalog
Subsystem reloaded successfully.
Invalid request.
Forbidden. The client does not have permission to reload the subsystem.
Subsystem not found.
Internal server error while reloading subsystem.
No content
The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.
Sanitized configuration retrieved successfully.
Forbidden. The client does not have sufficient privileges.
Internal server error.
Must be set to true
Must be set to true
Returns a list of configured UI headers.
Bad request. The request is malformed or missing required parameters.
Unauthorized. The request lacks valid authentication credentials.
Forbidden. The client does not have permission to access the requested resource.
Not Found. The requested resource does not exist.
Internal Server Error. A server-side error occurred.
The name of the header.
Returns the configuration of the specified UI header.
Not Found. The requested header does not exist.
Internal Server Error. A server-side error occurred.
The name of the header.
Returns multiple values if true
The values to set the header.
Header value successfully configured.
No content
Bad request. The request is malformed or missing required parameters.
Not Found. The requested header does not exist.
Internal Server Error. A server-side error occurred.
No content
The name of the header.
Header successfully removed.
Bad request. The request is malformed or missing required parameters.
Not Found. The requested header does not exist.
Internal Server Error. A server-side error occurred.
No content
The control group ID to authorize.
Authorization successful.
No content
Bad request. The request is malformed or missing required parameters.
Unauthorized. The request lacks valid authentication credentials.
Forbidden. The client does not have permission to perform this action.
Internal Server Error. A server-side error occurred.
No content
Unique identifier for the control group request.
Request processed successfully.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Authentication credentials were missing or invalid.
Forbidden - You do not have permission to perform this action.
Not Found - The control group or requested resource does not exist.
Internal Server Error - An unexpected error occurred on the server.
This endpoint decodes an encoded token using the provided one-time password (OTP). It can be used in unauthenticated contexts.
Specifies the encoded token (result from generate-root).
Specifies the otp code for decode.
Successfully decoded the token.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - The provided credentials are valid but insufficient.
Not Found - The token or associated resources could not be found.
Internal Server Error - An unexpected server-side error occurred.
Successfully returned the list of experimental features.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - You do not have permission to access experimental features.
Not Found - The resource for experimental features could not be located.
Internal Server Error - An unexpected error occurred on the server.
Returns the configuration and progress details of the ongoing root token generation process.
Successfully retrieved the root generation progress.
Bad Request - The request is malformed or invalid.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - Insufficient permissions to read root generation progress.
Not Found - No active root generation attempt found.
Internal Server Error - Unexpected server-side error.
Starts a new root generation attempt. Only one attempt can be active at a time. Either otp or pgp_key must be provided.
Specifies a base64-encoded PGP public key.
Successfully initialized the root generation attempt.
Bad Request - Missing required parameters or invalid input.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - Insufficient permissions to initialize root generation.
Conflict - A root generation attempt is already in progress.
Internal Server Error - Unexpected server-side error.
Cancels any in-progress root token generation attempt, allowing a new attempt to be started.
Successfully canceled the root generation attempt.
Bad Request - The request is malformed or invalid.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - Insufficient permissions to cancel the root generation.
Internal Server Error - Unexpected server-side error.
No content
Returns configuration and current progress details for an active root token generation attempt.
Successfully retrieved root generation progress.
Bad Request - The request is malformed or invalid.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to read the root generation progress.
Not Found - No active root generation attempt found.
Internal Server Error - An unexpected server-side error occurred.
Starts a new root generation attempt. Only one attempt can be active at a time. Either otp or pgp_key must be provided.
Specifies a base64-encoded PGP public key.
Successfully initialized the root generation attempt.
Bad Request - Missing required parameters or invalid input.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to initiate root generation.
Conflict - A root generation attempt is already in progress.
Internal Server Error - An unexpected server-side error occurred.
Cancels any in-progress root token generation attempt to allow a new one to begin.
Successfully canceled the root generation attempt.
Bad Request - The request is malformed or invalid.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to cancel the root generation.
Internal Server Error - An unexpected server-side error occurred.
No content
Submits a single unseal key share for the active root generation attempt. If the required threshold of key shares is reached, Vault completes the root token generation and issues the new token. The attempt nonce must be provided with each call.
Specifies a single unseal key share.
Specifies the nonce of the attempt.
Successfully submitted the key share. Progress updated.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to submit key shares.
Not Found - No active root generation attempt was found.
Conflict - The root generation attempt is already completed or invalid.
Internal Server Error - A server-side error occurred.
Retrieves detailed information regarding the HA cluster setup, including whether the node is active or standby, and information about the leader.
Successfully retrieved the HA status.
Internal Server Error - Failed to retrieve HA status due to server-side issues.
Returns different HTTP status codes depending on Vault's current state:
- 200: Vault is initialized, unsealed, and active.
- 429: Vault is unsealed and in standby mode.
- 472: Vault is in data recovery mode, acting as replication secondary and active.
- 501: Vault is not initialized.
- 503: Vault is sealed and unavailable.
Initialized, unsealed, and active.
No content
Bad Request - Invalid request parameters or format.
Unauthorized - Missing or invalid authentication credentials.
Unsealed and standby.
Data recovery mode replication secondary and active.
Internal Server Error - An unexpected error occurred.
Not initialized.
Sealed.
No content
Collects and returns host-level system information including hardware details, CPU utilization, disk usage, and memory statistics. Useful for monitoring the resource consumption of the Vault instance.
Successfully retrieved host information.
Bad Request - Malformed request or invalid parameters.
Unauthorized - Authentication credentials missing or invalid.
Internal Server Error - Failed to retrieve host information.
Returns a map of ongoing API requests ("in-flight requests") to assist with debugging and load monitoring. Each entry provides information such as client details, request path, and duration.
Successfully retrieved in-flight request information.
Bad Request - Malformed request or invalid parameters.
Unauthorized - Authentication credentials missing or invalid.
Internal Server Error - Failed to retrieve in-flight request information.
No content
Checks whether Vault has already been initialized. This endpoint returns the initialization status without making any modifications to the Vault state.
Successfully retrieved initialization status.
Bad Request - Malformed request.
Internal Server Error - Failed to retrieve initialization status.
No content
Initializes the Vault server. Initialization is a one-time operation. After successful initialization, Vault will generate a set of unseal keys and an initial root token. If using HSM, recovery and stored shares options can be configured during this process.
Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as recovery_shares.
Specifies the number of shares to split the recovery key into.
Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to recovery_shares.
Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation.
Specifies the number of shares to split the unseal key into.
Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as secret_shares.
Successfully initialized Vault.
Bad Request - Vault is already initialized or request parameters are invalid.
Conflict - Vault is already initialized.
Internal Server Error - Failed to initialize Vault.
No content
Retrieves historical counts of unique clients that interacted with Vault, covering the current namespace and all child namespaces.
Successfully retrieved client activity counts.
Bad Request - Malformed request.
Internal Server Error - Failed to retrieve counts.
No content
Exports detailed raw historical client activity data for analysis and reporting outside of Vault.
Successfully exported client activity data.
Bad Request - Malformed request.
Internal Server Error - Failed to export activity data.
No content
Returns the number of unique clients that have interacted with Vault during the current month for this namespace and all child namespaces.
Successfully retrieved monthly client counts.
Bad Request - Malformed request.
Internal Server Error - Failed to retrieve monthly counts.
No content
Returns the current configuration settings for client count collection, including status, retention period, and default reporting period.
Successfully retrieved client count configuration.
Bad Request - Malformed request.
Internal Server Error - Failed to retrieve configuration.
No content
Enables or disables the collection of client counts and configures the retention period and default reporting period for client activity data.
Number of months to report if no start date specified.
12
Enable or disable collection of client count: enable, disable, or default.
default
Number of months of client data to retain. Setting to 0 will clear all existing data.
24
Successfully updated client count tracking configuration.
Bad Request - Invalid configuration settings provided.
Internal Server Error - Failed to update configuration.
No content
Retrieves the current number of active identity entities managed by the Vault server. Note: Backward compatibility is not guaranteed for this endpoint.
Successfully retrieved entity count.
Bad Request - Malformed or invalid request.
Internal Server Error - Failed to retrieve entity count.
This endpoint is currently unsupported and deprecated. Previously, it provided a count of requests handled by the Vault cluster. Note: Backward compatibility is not guaranteed.
Deprecated API call successful (no useful output).
No content
Bad Request - Invalid call to deprecated API.
Internal Server Error - Deprecated API failure.
No content
Retrieves the current number of active authentication tokens managed by Vault. Note: Backward compatibility is not guaranteed for this endpoint.
Successfully retrieved token count.
Bad Request - Malformed or invalid request.
Internal Server Error - Failed to retrieve token count.
Retrieves the entries in the router for the specified subtree (uuid, accessor, storage, root). The tag path parameter must be one of the inspectable subtrees. This endpoint provides information about the structure and entries in the router trees.
Name of the subtree being observed (e.g., uuid, accessor, storage, root).
Successfully retrieved the entries in the router for the specified tag.
Bad Request - Invalid or malformed tag or missing required parameters.
Not Found - The specified tag does not exist in the router.
Internal Server Error - Failed to retrieve router entries.
No content
Context string appended to every operationId
Successfully generated OpenAPI document
Invalid request
Internal server error
The lease identifier to renew. This is included with a lease.
Successfully retrieved lease metadata
Bad request
Lease not found
Internal server error
The path to list leases under. Example: "aws/creds/deploy"
Must be set to 'true'
Successfully listed leases for the prefix
Invalid input
Prefix not found
Internal server error
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
Lease renewed successfully (no content)
Bad request
Lease not found
Internal server error
No content
The lease ID to renew. Example: "database/creds/my-role/Y7sGbfd9"
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
Lease renewed successfully (no content)
Bad request
Lease not found
Internal server error
No content
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
true
The lease identifier to renew. This is included with a lease.
Lease revoked successfully (no content)
Bad request
Lease not found
Internal server error
No content
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
The path to revoke keys under. Example: "prod/aws/ops"
OK
OK
No content
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
The path to revoke keys under. Example: "prod/aws/ops"
Whether or not to perform the revocation synchronously
true
OK
OK
No content
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
true
OK
OK
No content
Identifier of the alias (e.g., username or RoleID).
Identifier of the mount entry associated with the user.
User successfully unlocked.
User or mount not found.
Internal server error.
Name of the logger to modify.
Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".
Logger level updated.
Invalid log level.
No content
Must be set to "true" to list keys.
Managed keys listed.
Missing or incorrect query parameter.
The type of the managed key (e.g., "transit", "pkcs11").
The name of the managed key to use for the test signing operation.
Test signing successful.
Invalid input data for signing.
Managed key not found.
Internal server error during test sign.
The output format for the metrics. Currently, only prometheus is supported.
Metrics exported successfully.
Bad request. The format parameter is invalid or missing.
Internal server error while exporting metrics.
A required parameter that must be set to true to retrieve the list of MFA methods.
Successfully retrieved the list of configured MFA methods.
Bad request. The list parameter was missing or invalid.
Internal server error while retrieving MFA methods.
The unique name of the Okta MFA method.
Successfully retrieved the Okta MFA configuration.
Invalid request syntax or parameters.
Forbidden – insufficient access rights.
The specified MFA method was not found.
Unexpected internal server error.
The unique name of the Okta MFA method.
Successfully created or updated the Okta MFA method.
Bad request – invalid payload or missing fields.
Forbidden – access denied.
Internal server error.
The unique name of the Okta MFA method.
The method was successfully deleted; no content returned.
Invalid request syntax or missing required fields.
Forbidden – client lacks necessary permissions.
The requested MFA method was not found.
Internal server error.
No content
The name of the PingID MFA method configuration.
Successfully retrieved the PingID configuration.
Invalid input.
Forbidden.
Method not found.
Server error.
The name of the PingID MFA method configuration.
PingID method created or updated successfully.
Bad request.
Forbidden.
Internal server error.
The name of the PingID MFA method configuration.
PingID method configuration deleted successfully. No content returned.
Invalid request or parameters.
Forbidden. Client lacks necessary permissions.
PingID method configuration not found.
Internal server error.
No content
The name of the TOTP MFA method configuration.
Successfully retrieved the TOTP method configuration.
Invalid input or missing parameters.
Forbidden.
Method not found.
Server error.
The name of the TOTP MFA method configuration.
TOTP method created or updated successfully.
Bad request or validation error.
Forbidden.
Internal server error.
The name of the TOTP MFA method configuration.
TOTP method deleted successfully. No content returned.
Bad request or invalid input.
Forbidden. Insufficient permissions.
The specified TOTP method configuration was not found.
Internal server error.
No content
The name of the TOTP MFA method configuration to destroy.
The TOTP method was successfully destroyed.
Invalid request format or parameters.
Forbidden. The user does not have the required permissions.
The specified TOTP method configuration was not found.
Internal server error.
The name of the TOTP MFA method configuration.
TOTP key successfully generated.
Bad request. Invalid input data.
Forbidden. Insufficient permissions to perform this operation.
The specified TOTP configuration was not found.
Internal server error.
Name of the TOTP MFA method configuration to generate a key for.
Successfully retrieved the TOTP key and OTP URL.
Bad request — invalid request parameters.
Forbidden — insufficient permissions to generate TOTP key.
Not found — specified TOTP method does not exist.
Internal server error — unexpected error occurred.
Validates MFA credentials submitted by the user. Upon successful validation, it returns an authentication response that includes a client token. This endpoint is typically called after initial credentials are provided and MFA is required.
A map from MFA method ID to a slice of passcodes or an empty slice if the method does not use passcodes
ID for this MFA request
Successful MFA validation and authentication.
Bad request — missing or invalid fields in the request.
Forbidden — MFA validation failed or unauthorized access.
Not found — specified MFA method or user not found.
Internal server error — unexpected failure during validation.
Fetch system logs based on the selected output format and log level.
Output format of logs. Supported values are "standard" and "json". The default is "standard".
standard
Possible values:
Log level to view system logs at. Currently supported values are "trace", "debug", "info", "warn", "error".
OK
OK
The path to mount to. Example: "aws/east"
Configuration for this mount, such as default_lease_ttl and max_lease_ttl.
User-friendly description for this mount.
Whether to give the mount access to Vault's external entropy.
false
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
The options to pass into the backend. Should be a json object with string keys and values.
Name of the plugin to mount, based on the name registered in the plugin catalog.
The semantic version of the plugin to use.
Whether to turn on seal wrapping for the mount.
false
The type of the backend. Example: "passthrough"
OK
OK
No content
The path to mount to. Example: "aws/east"
OK
Bad Request
Internal Server Error
The name of the plugin
The args passed to plugin command.
The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
The environment variables passed to plugin command. Each entry is of the form "key=value".
The SHA256 sum of the executable used in the command field. This should be HEX encoded.
The type of the plugin, may be auth, secret, or database
The semantic version of the plugin to use.
OK
No content
OK
No content
The name of the plugin
The type of the plugin, may be auth, secret, or database
The args passed to plugin command.
The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
The environment variables passed to plugin command. Each entry is of the form "key=value".
The SHA256 sum of the executable used in the command field. This should be HEX encoded.
The semantic version of the plugin to use.
OK
No content
OK
No content
Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded. If (scope) is provided and is (global), the plugin(s) are reloaded globally.
The mount paths of the plugin backends to reload.
The name of the plugin to reload, as registered in the plugin catalog.
OK
OK
The name of the EGP policy.
Policy created or updated successfully
No content
Invalid policy definition
Internal Server Error
No content
If set, starts audit logging of requests that get rejected due to rate limit quota rule violations.
If set, additional rate limit quota HTTP headers will be added to responses.
Specifies the list of exempt paths from all rate limit quotas. If empty no paths will be exempt.
Quota configuration updated successfully (empty body)
Invalid configuration request
Internal server error
No content
Name of the quota rule.
If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.
The duration to enforce rate limiting for (default '1s').
Path of the mount or namespace to apply the quota. A blank path configures a global quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1.
The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive.
Login role to apply this quota to. Note that when set, path must be configured to a valid auth method with a concept of roles.
Type of the quota rule.
Quota created or updated successfully (no content)
Invalid quota configuration
No content
Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.
Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.
Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
Turns on verification functionality
Specifies the number of shares to split the unseal key into.
Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
OK
OK
This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.
OK
No content
OK
No content
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
OK
OK
No content
The lease identifier to renew. This is included with a lease.
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
OK
OK
No content
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
Default: true
The lease identifier to renew. This is included with a lease.
OK
OK
No content
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
The path to revoke keys under. Example: "prod/aws/ops"
OK
OK
No content
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
The path to revoke keys under. Example: "prod/aws/ops"
Whether or not to perform the revocation synchronously
Default: true
OK
OK
No content
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
Default: true
OK
OK
No content
Rotates the backend encryption key used to persist Vault data. This operation is a no-op if key rotation is disabled.
Key rotation successful. No content returned.
Forbidden. Sudo permissions required.
Internal server error during key rotation.
No content
Whether automatic rotation is enabled.
How long after installation of an active key term that the key will be automatically rotated.
The number of encryption operations performed before the barrier key is automatically rotated.
Configuration updated successfully.
Invalid input configuration.
Forbidden. Sudo permissions required.
No content
Returns information about keys or values that require rewrap due to changes in the underlying seal configuration.
Sealwrap rewrap status retrieved successfully.
Internal error while fetching rewrap status.
Triggers rewrap for keys encrypted with an old seal configuration. This may take time depending on the size of the data.
Rewrap operation completed successfully.
Invalid request parameters.
Internal error during rewrap operation.
This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.
empty body
empty body
No content
Must be set to true
Successfully listed configured snapshot jobs.
Missing or incorrect list=true query parameter.
The name of the snapshot job configuration.
Snapshot job configuration retrieved.
Snapshot configuration not found.
The name of the snapshot job configuration.
Snapshot configuration saved successfully.
Invalid configuration.
Accepts raw input data and returns its hash digest using Vault's configured default hash algorithm.
Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to "sha2-256".
Default: sha2-256
Encoding format to use. Can be "hex" or "base64". Defaults to "hex".
Default: hex
The base64-encoded input data
Algorithm to use (POST URL parameter)
Hash generated successfully.
Invalid input provided.
Accepts raw input data and returns its hash digest using the algorithm specified in the URL.
The hash algorithm to use (e.g., sha2-256, sha2-512)
Algorithm to use (POST body parameter). Valid values are: sha2-224, sha2-256, sha2-384, sha2-512. Defaults to "sha2-256".
Default: sha2-256
Encoding format to use. Can be "hex" or "base64". Defaults to "hex".
Default: hex
The base64-encoded input data
Hash generated successfully using the specified algorithm.
Invalid algorithm or input provided.
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
Default: 32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
Default: base64
Which system to source random data from, either "platform", "seal", or "all".
Default: platform
The number of bytes to generate (POST URL parameter)
Random bytes generated successfully.
Invalid request parameters.
Source to generate randomness from
Default: platform
Possible values:
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
Default: 32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
Default: base64
The number of bytes to generate (POST URL parameter)
Random bytes generated successfully from specified source.
Invalid request or unknown source.
Number of bytes to generate
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
Default: 32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
Default: base64
Which system to source random data from, either "platform", "seal", or "all".
Default: platform
Random bytes generated successfully.
Invalid byte count or input.
Source to generate randomness from
Number of bytes to generate
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
Default: 32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
Default: base64
Random bytes generated successfully.
Invalid input or unsupported source.
Accepts a response-wrapped token and returns a new wrapped token.
Successfully rewrapped token
Invalid input or missing token
Forbidden - invalid or expired wrapping token
Unwraps a token and returns the original payload.
Token unwrapped successfully
Token unwrapped successfully but had no payload
Invalid request
Forbidden or token expired