System

List the enabled audit devices

get
Responses
200
Successfully retrieved enabled audit devices.
application/json
Responseany
get
GET /v1/sys/audit HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "file/": {
    "type": "file",
    "description": "Logs to a file",
    "options": {
      "file_path": "/var/log/vault_audit.log"
    },
    "local": true,
    "seal_wrap": false,
    "state": "enabled"
  }
}

Calculate hash via audit backend.

post

Returns the HMAC that the named audit device writes in place of the given input, so a value known to have leaked (a token, for example) can be located in that device's logs without the logs ever holding it in plaintext. Each audit device has its own salt, so the same input hashes differently per device.

Path parameters
pathstringRequired

The name of the audit device. Cannot be delimited. Example: 'file'

Body
inputstringOptional
Responses
200
Successfully calculated the hash of the input.
application/json
post
POST /v1/sys/audit-hash/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34

{
  "input": "sensitive-secret-value"
}
{
  "hash": "af4fd66bc72a1a1dc6c9c3bfa20c4ee7b7fda77a824..."
}
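The search that sys/audit-hash exists for, as an added example that is not part of this API reference or of Vault's own code. Vault audit devices replace sensitive values with HMAC-SHA256 keyed by a per-device salt, written as "hmac-sha256:<hex>"; the salt never leaves Vault, which is why the real workflow calls the endpoint. Here the salt is an assumed constant so the search runs offline, and the audit entries are constructed samples in the shape of Vault's JSON audit lines.

```python
# Added example, not from the Vault API reference or from HashiCorp's code.
# Given the hash of a leaked value (what sys/audit-hash would return), walk the
# audit log and report every request that carried that value.
import hashlib
import hmac
import json

ASSUMED_SALT = b"stand-in-for-the-audit-device-salt"   # assumption: real salt stays inside Vault


def audit_hmac(value: str, salt: bytes = ASSUMED_SALT) -> str:
    """Reproduce the audit-device format: "hmac-sha256:" + hex(HMAC-SHA256(salt, value))."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


def _leaves(obj, path=()):
    """Yield (json-path, scalar) for every leaf of a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, path + (k,))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _leaves(v, path + (str(i),))
    else:
        yield "/".join(path), obj


def find_hashed_value(audit_lines, hashed):
    """Return (request id, request path, location) for every entry containing `hashed`."""
    hits = []
    for line in audit_lines:
        entry = json.loads(line)
        req = entry.get("request", {})
        for loc, leaf in _leaves(entry):
            if leaf == hashed:
                hits.append((req.get("id"), req.get("path"), loc))
    return hits


def constructed_audit_log(leaked_token: str):
    """Three constructed audit entries; only the first and the last involve leaked_token."""
    seen, other = audit_hmac(leaked_token), audit_hmac("unrelated-token")
    entries = [
        {"type": "request", "auth": {"client_token": seen},
         "request": {"id": "req-1", "operation": "read", "path": "secret/data/finance"}},
        {"type": "request", "auth": {"client_token": other},
         "request": {"id": "req-2", "operation": "read", "path": "sys/health"}},
        {"type": "response", "auth": {"client_token": other},
         "request": {"id": "req-3", "operation": "update", "path": "auth/token/create"},
         "response": {"auth": {"client_token": seen}}},
    ]
    return [json.dumps(e) for e in entries]


if __name__ == "__main__":
    leaked = "hvs.CONSTRUCTED-placeholder"          # constructed, not a real token
    for hit in find_hashed_value(constructed_audit_log(leaked), audit_hmac(leaked)):
        print(hit)
```

In practice replace audit_hmac(leaked) with the "hash" field from a POST to /v1/sys/audit-hash/<device> and feed the device's real log file to find_hashed_value; the walk is the same.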

Enable a new audit device at the supplied path.

post

Once at least one audit device is enabled, Vault refuses to complete any request whose audit entry cannot be written by at least one enabled device, so enable a second device before relying on this in production.

Path parameters
pathstringRequired

The name of the audit device. Cannot be delimited. Example: 'file'

Body
descriptionstringOptional

User-friendly description for this audit backend.

localbooleanOptional

Mark the mount as a local mount, which is not replicated and is unaffected by replication.

Default: false
optionsobject · kvpairsOptional

Configuration options for the audit backend.

typestringOptional

The type of the audit device: file, syslog or socket. Example: "file"

Responses
204
Audit device successfully enabled. No content is returned.
application/json
post
POST /v1/sys/audit/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 119

{
  "type": "file",
  "description": "Logs to a file",
  "options": {
    "file_path": "/var/log/vault_audit.log"
  }
}
{}

Disable the audit device at the given path.

delete
Path parameters
pathstringRequired

The name of the audit device. Cannot be delimited. Example: 'file'

Responses
204
Audit device successfully disabled. No content is returned.
application/json
delete
DELETE /v1/sys/audit/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{}

Read the configuration of the auth engine at the given path.

get
Path parameters
pathstringRequired

The path to mount to. Cannot be delimited. Example: 'user'

Responses
200
Successfully read the auth configuration.
application/json
get
GET /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "type": "userpass",
  "description": "User/password based authentication",
  "config": {
    "default_lease_ttl": "768h",
    "max_lease_ttl": "768h"
  }
}

Enables a new auth method.

post

After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. For example, enabling the "userpass" auth method at "user" will make it accessible at /auth/user.

Path parameters
pathstringRequired

The path to mount to. Cannot be delimited. Example: 'user'

Body
configobject · mapOptional

Configuration for this mount, such as plugin_name.

descriptionstringOptional

User-friendly description for this credential backend.

external_entropy_accessbooleanOptional

Whether to give the mount access to Vault's external entropy.

Default: false
localbooleanOptional

Mark the mount as a local mount, which is not replicated and is unaffected by replication.

Default: false
optionsobject · kvpairsOptional

The options to pass into the backend. Should be a json object with string keys and values.

plugin_namestringOptional

Name of the auth plugin to use based from the name in the plugin catalog.

plugin_versionstringOptional

The semantic version of the plugin to use.

seal_wrapbooleanOptional

Whether to turn on seal wrapping for the mount.

Default: false
typestringOptional

The type of the backend. Example: "userpass"

Responses
204
Auth method successfully enabled. No content is returned.
application/json
post
POST /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 132

{
  "type": "userpass",
  "description": "Enable user/password authentication",
  "config": {
    "default_lease_ttl": "768h",
    "max_lease_ttl": "768h"
  }
}
{}

Disable the auth method at the given auth path.

delete
Path parameters
pathstringRequired

The path to mount to. Cannot be delimited. Example: 'user'

Responses
204
Auth method successfully disabled. No content is returned.
application/json
delete
DELETE /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{}

Reads the given auth path's tuning configuration.

get

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Path parameters
pathstringRequired

The auth mount path whose tuning parameters are read. Cannot be delimited. Example: 'user'

Responses
200
Successfully read tuning information.
application/json
get
GET /v1/sys/auth/{path}/tune HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "default_lease_ttl": "768h",
  "max_lease_ttl": "768h",
  "audit_non_hmac_request_keys": [
    "user"
  ],
  "audit_non_hmac_response_keys": [
    "metadata"
  ],
  "listing_visibility": "unauth",
  "passthrough_request_headers": [
    "X-My-Header"
  ]
}

Tune configuration parameters for a given auth path.

post

This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.

Path parameters
pathstringRequired

The auth mount path whose tuning parameters are updated. Cannot be delimited. Example: 'user'

Body
allowed_response_headersstring[]Optional

A list of headers to whitelist and allow a plugin to set on responses.

audit_non_hmac_request_keysstring[]Optional

The list of keys in the request data object that will not be HMAC'ed by audit devices. Values under these keys are written to audit logs in plaintext, so never list credential fields such as password or secret_id here.

audit_non_hmac_response_keysstring[]Optional

The list of keys in the response data object that will not be HMAC'ed by audit devices. The same plaintext caveat applies; listing "token" here, for example, would expose every issued token in the audit log.

default_lease_ttlstringOptional

The default lease TTL for this mount.

descriptionstringOptional

User-friendly description for this credential backend.

listing_visibilitystringOptional

Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'.

max_lease_ttlstringOptional

The max lease TTL for this mount.

optionsobject · kvpairsOptional

The options to pass into the backend. Should be a json object with string keys and values.

passthrough_request_headersstring[]Optional

A list of headers to whitelist and pass from the request to the plugin.

plugin_versionstringOptional

The semantic version of the plugin to use.

token_typestringOptional

The type of token to issue (service or batch).

user_lockout_configobject · mapOptional

The user lockout configuration to pass into the backend. Should be a json object with string keys and values.

Responses
204
Successfully updated tuning parameters. No content is returned.
application/json
post
POST /v1/sys/auth/{path}/tune HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 205

{
  "default_lease_ttl": "500h",
  "max_lease_ttl": "900h",
  "listing_visibility": "unauth",
  "audit_non_hmac_request_keys": [
    "username"
  ],
  "audit_non_hmac_response_keys": [
    "metadata"
  ]
}
{}

Returns the capabilities of the given token on the specified paths.

post

The response maps each queried path to the capabilities the token holds there; the top-level capabilities key repeats the first path's list and is kept only for backwards compatibility. Capabilities are derived from the token's policies, so this is the quickest way to verify that a token has no more access than it needs.
Body
pathstring[]OptionalDeprecated

Use 'paths' instead.

pathsstring[]Optional

Paths on which capabilities are being queried.

tokenstringOptional

Token for which capabilities are being queried.

Responses
200
Successfully retrieved capabilities for the given paths.
application/json
Responseany
post
POST /v1/sys/capabilities HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 95

{
  "token": "text",
  "paths": [
    "secret/data/finance",
    "auth/token/lookup-self"
  ]
}
{
  "secret/data/finance": [
    "create",
    "read",
    "update"
  ],
  "auth/token/lookup-self": [
    "update"
  ],
  "capabilities": [
    "create",
    "read",
    "update"
  ]
}

Returns the capabilities of the token identified by the accessor on the specified paths.

post
Body
accessorstringOptional

Accessor of the token for which capabilities are being queried.

pathstring[]OptionalDeprecated

Use 'paths' instead.

pathsstring[]Optional

Paths on which capabilities are being queried.

Responses
200
Successfully retrieved capabilities for the given paths.
application/json
Responseany
post
POST /v1/sys/capabilities-accessor HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 91

{
  "accessor": "dcb1dd7d-4bfc-3957-4b5d-b1595b0c099c",
  "paths": [
    "secret/data/hr",
    "sys/policy"
  ]
}
{
  "secret/data/hr": [
    "read",
    "list"
  ],
  "sys/policy": [
    "read",
    "list"
  ],
  "capabilities": [
    "read",
    "list"
  ]
}

Returns the capabilities of the calling token on the given paths.

post
Body
pathstring[]OptionalDeprecated

Use 'paths' instead.

pathsstring[]Optional

Paths on which capabilities are being queried.

tokenstringOptional

Token for which capabilities are being queried.

Responses
200
Successfully retrieved capabilities for the specified paths.
application/json
Responseany
post
POST /v1/sys/capabilities-self HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 43

{
  "paths": [
    "secret/data/team",
    "sys/policy"
  ]
}
{
  "secret/data/team": [
    "read",
    "list"
  ],
  "sys/policy": [
    "read",
    "list"
  ],
  "capabilities": [
    "read",
    "list"
  ]
}
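A least-privilege check over the per-path map that sys/capabilities, sys/capabilities-accessor and sys/capabilities-self return, as an added example that is not part of this API reference or of Vault's own code. The response below is a constructed sample in the documented shape (one list per queried path plus the deprecated aggregate "capabilities" key); the required set is what a hypothetical CI runner is supposed to need.

```python
# Added example, not from the Vault API reference or from HashiCorp's code:
# diff what a token can do (per sys/capabilities*) against what it should do.

# Capabilities Vault can report on a path; "root" implies all of them.
ALL_CAPS = {"create", "read", "update", "delete", "list", "patch", "sudo"}


def effective_caps(reported):
    """Collapse a reported capability list into the set of actions actually allowed."""
    caps = set(reported)
    if "deny" in caps:
        return set()                 # deny overrides every other capability on the path
    if "root" in caps:
        return set(ALL_CAPS)         # root tokens are not bound by ACL policies
    return caps & ALL_CAPS


def least_privilege_report(capabilities_response, required):
    """
    required maps path -> set of capabilities the workload needs.
    Returns path -> {"missing": set, "excess": set} for every path that deviates.
    Paths absent from the response are treated as granting nothing.
    """
    report = {}
    for path, need in required.items():
        have = effective_caps(capabilities_response.get(path, []))
        missing, excess = need - have, have - need
        if missing or excess:
            report[path] = {"missing": missing, "excess": excess}
    return report


# Constructed sample response for a token that can do far more than it needs.
CONSTRUCTED_RESPONSE = {
    "secret/data/ci/deploy-key": ["create", "read", "update", "delete"],
    "sys/policy": ["read", "list"],
    "secret/data/hr": ["deny"],
    "capabilities": ["create", "read", "update", "delete"],   # deprecated aggregate
}

# What the hypothetical CI runner actually needs (assumption for the example).
REQUIRED = {
    "secret/data/ci/deploy-key": {"read"},
    "secret/data/ci/signing-key": {"read"},   # absent from the response: reported as missing
    "sys/policy": set(),
    "secret/data/hr": set(),
}

if __name__ == "__main__":
    for path, diff in least_privilege_report(CONSTRUCTED_RESPONSE, REQUIRED).items():
        print(path, "missing:", sorted(diff["missing"]), "excess:", sorted(diff["excess"]))
```

Query every path in REQUIRED in one call (the paths array accepts many) and feed the JSON "data" object straight in; the deprecated "capabilities" key is ignored because it is never a key of REQUIRED.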

List the request headers that are configured to be audited.

get
Responses
200
Successfully listed the configured audited request headers.
application/json
get
GET /v1/sys/config/auditing/request-headers HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "headers": {
    "x-request-id": {
      "hmac": true
    },
    "authorization": {
      "hmac": true
    }
  }
}

List the information for the given request header.

get
Path parameters
headerstringRequired

The name of the request header to audit.

Example: X-Request-ID
Responses
200
Successfully retrieved the request header auditing information.
application/json
Responseany
get
GET /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "x-request-id": {
    "hmac": true
  }
}

Enable auditing of a header.

post
Path parameters
headerstringRequired

The name of the request header to audit.

Example: X-Request-ID
Body
hmacbooleanOptional

When true, the header's value is HMAC'ed before it is written to audit logs; when false (the default) it is logged in plaintext. Set it to true for any header that can carry a credential, such as Authorization or X-Vault-Token.
Responses
204
Auditing for the header enabled successfully.
post
POST /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13

{
  "hmac": true
}

No content

Disable auditing of the given request header.

delete
Path parameters
headerstringRequired

The name of the request header to audit.

Example: X-Request-ID
Responses
204
Auditing for the header disabled successfully.
delete
DELETE /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the current control group configuration.

get
Responses
200
Successfully retrieved the control group configuration.
application/json
Responseany
get
GET /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "control_group": {
    "enforcement_level": "soft-mandatory",
    "thresholds": {
      "approvals": 2,
      "reviewers": [
        "team-leads",
        "security-admins"
      ]
    }
  }
}

Configure control group parameters.

post
Body
anyOptional
Responses
200
Control group configuration updated successfully.
application/json
Responseany
post
POST /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 130

{
  "control_group": {
    "enforcement_level": "soft-mandatory",
    "thresholds": {
      "approvals": 2,
      "reviewers": [
        "team-leads",
        "security-admins"
      ]
    }
  }
}
{
  "control_group": {
    "enforcement_level": "soft-mandatory",
    "thresholds": {
      "approvals": 2,
      "reviewers": [
        "team-leads",
        "security-admins"
      ]
    }
  }
}

Delete the control group configuration.

delete
Responses
204
Control group configuration deleted successfully.
delete
DELETE /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Return the current CORS settings.

get
Responses
200
Current CORS settings returned successfully.
application/json
get
GET /v1/sys/config/cors HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "enabled": true,
  "allowed_origins": [
    "https://example.com"
  ],
  "allowed_headers": [
    "X-Custom-Header"
  ],
  "allowed_methods": [
    "GET",
    "POST"
  ],
  "allow_credentials": true,
  "expose_headers": [
    "X-Expose-This"
  ]
}

Configure the CORS settings.

post
Body
allowed_headersstring[]Optional

A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.

allowed_originsstring[]Optional

A comma-separated string or array of strings indicating origins that may make cross-origin requests. A value of "*" allows every origin; list the specific origins that host your UI instead.

enablebooleanOptional

Enables or disables CORS headers on requests.

Responses
204
CORS settings successfully updated.
post
POST /v1/sys/config/cors HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 145

{
  "enable": true,
  "allowed_origins": [
    "https://example.com"
  ],
  "allowed_headers": [
    "Authorization",
    "X-Custom-Header"
  ]
}

No content
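A read-only posture check that ties together three responses documented on this page, sys/auth/{path}/tune (the audit_non_hmac_* keys and TTLs), sys/config/auditing/request-headers (the hmac flag) and sys/config/cors (allowed_origins), as an added example that is not part of this API reference or of Vault's own code. The inputs are constructed samples shaped like the documented responses; the TTL threshold and the list of credential-like key names are assumptions to tune per deployment.

```python
# Added example, not from the Vault API reference or from HashiCorp's code:
# flag settings in tune/request-header/CORS responses that leak credentials
# into audit logs or widen browser access. Run it over the JSON "data" objects
# the three endpoints return.
import re

# Assumption: key names that hold credentials and must stay HMAC'ed in audit logs.
CREDENTIAL_KEYS = {"token", "client_token", "password", "secret_id", "private_key", "key"}
# Assumption: longest acceptable max_lease_ttl for an auth mount (768h, Vault's default).
MAX_TTL_HOURS = 768

_TTL = re.compile(r"^(\d+)([smhd])$")
_UNIT_H = {"s": 1 / 3600, "m": 1 / 60, "h": 1, "d": 24}


def ttl_hours(ttl):
    """Parse a Vault duration ("768h", "30m") or integer seconds into hours."""
    if isinstance(ttl, (int, float)):
        return ttl / 3600
    m = _TTL.match(str(ttl))
    if not m:
        raise ValueError(f"unparseable TTL {ttl!r}")
    return int(m.group(1)) * _UNIT_H[m.group(2)]


def check_tune(mount, tune):
    findings = []
    for field in ("audit_non_hmac_request_keys", "audit_non_hmac_response_keys"):
        leaked = CREDENTIAL_KEYS & set(tune.get(field) or [])
        if leaked:
            findings.append(f"{mount}: {field} exposes {sorted(leaked)} in plaintext audit logs")
    max_ttl = tune.get("max_lease_ttl", "0s")
    if ttl_hours(max_ttl) > MAX_TTL_HOURS:
        findings.append(f"{mount}: max_lease_ttl {max_ttl} exceeds {MAX_TTL_HOURS}h")
    return findings


def check_request_headers(headers):
    """Every audited header that can carry a credential must have hmac=true."""
    sensitive = {"authorization", "x-vault-token", "cookie"}
    return [f"audited header {h['name']} is logged without HMAC"
            for h in headers if h["name"].lower() in sensitive and not h.get("hmac", False)]


def check_cors(cors):
    findings = []
    if not cors.get("enabled"):
        return findings          # disabled CORS cannot be misconfigured
    for origin in cors.get("allowed_origins") or []:
        if origin == "*":
            findings.append("CORS allows any origin (*)")
        elif not origin.startswith("https://"):
            findings.append(f"CORS origin {origin} is not https")
    return findings


# Constructed snapshot: two auth mounts' tune output, the audited headers as
# (name, hmac) pairs, and the CORS settings.
CONSTRUCTED_SNAPSHOT = {
    "tune": {"user/": {"max_lease_ttl": "768h", "audit_non_hmac_response_keys": ["token"]},
             "ldap/": {"max_lease_ttl": "900h", "audit_non_hmac_request_keys": ["username"]}},
    "request_headers": [{"name": "X-Request-ID", "hmac": True},
                        {"name": "Authorization", "hmac": False}],
    "cors": {"enabled": True, "allowed_origins": ["https://example.com", "http://intranet", "*"]},
}


def posture_findings(snapshot):
    out = []
    for mount, tune in snapshot["tune"].items():
        out += check_tune(mount, tune)
    out += check_request_headers(snapshot["request_headers"])
    out += check_cors(snapshot["cors"])
    return out


if __name__ == "__main__":
    for finding in posture_findings(CONSTRUCTED_SNAPSHOT):
        print(finding)
```

The request-headers endpoint returns a map keyed by header name; flatten it into the (name, hmac) list above before calling check_request_headers.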

Remove any CORS settings.

delete
Responses
204
CORS settings removed successfully.
delete
DELETE /v1/sys/config/cors HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the group policy application configuration.

get
Responses
200
Group policy application configuration retrieved successfully.
application/json
Responseany
get
GET /v1/sys/config/group-policy-application HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "enabled": true,
  "default_policy": "default",
  "override_allowed": false
}

Configure the group policy application settings.

post
Body
anyOptional
Responses
200
Group policy application configuration updated successfully.
application/json
Responseany
post
POST /v1/sys/config/group-policy-application HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 68

{
  "enabled": true,
  "default_policy": "default",
  "override_allowed": false
}
No content

Reload the given subsystem

post
Path parameters
subsystemstringRequired

The name of the subsystem to reload.

Example: plugin-catalog
Body
anyOptional
Responses
204
Subsystem reloaded successfully.
post
POST /v1/sys/config/reload/{subsystem} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 2

{}

No content

Return a sanitized version of the Vault server configuration.

get

The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.

Responses
200
Sanitized configuration retrieved successfully.
application/json
Responseany
get
GET /v1/sys/config/state/sanitized HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "listener": [
    {
      "tcp": {
        "address": "127.0.0.1:8200",
        "tls_disable": true
      }
    }
  ],
  "storage": {
    "file": {
      "path": "<stripped>"
    }
  },
  "seal": {
    "type": "<stripped>"
  },
  "telemetry": {
    "dogstatsd_addr": "localhost:8125",
    "circonus_api_token": "<stripped>"
  }
}

Return a list of configured UI headers.

get
Query parameters
liststring · enumRequired

Must be set to true

Possible values: true
Responses
200
Returns a list of configured UI headers.
application/json
get
GET /v1/sys/config/ui/headers?list=true HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "keys": [
    "text"
  ]
}

Return the given UI header's configuration.

get
Path parameters
headerstringRequired

The name of the header.

Responses
200
Returns the configuration of the specified UI header.
application/json
get
GET /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "value": "text",
  "values": [
    "text"
  ]
}

Configure the values to be returned for the UI header.

post
Path parameters
headerstringRequired

The name of the header.

Body
multivaluebooleanOptional

Returns multiple values if true

valuesstring[]Optional

The values to set the header.

Responses
200
Header value successfully configured.
post
POST /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 48

{
  "values": [
    "example-header-value"
  ]
}

No content

Remove a UI header.

delete
Path parameters
headerstringRequired

The name of the header.

Responses
204
Header successfully removed.
delete
DELETE /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Authorizes a control group request

post

Records the caller's identity as an authorization on the control group request identified by its wrapping token accessor. Once the approvals demanded by the policy's control group factors have been collected, the original requester can unwrap the response.

Body
accessorstringRequired

The accessor of the control group wrapping token that was returned to the original requester.

Responses
200
Authorization recorded.
post
POST /v1/sys/control-group/authorize HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 24

{
  "accessor": "text"
}

No content

Check the status of a control group request

post

Returns the current state of the control group request identified by its wrapping token accessor: the path that was requested, the requesting entity, the authorizations collected so far and whether the required approvals have been reached.

Body
accessorstringRequired

The accessor of the control group wrapping token.

Responses
200
Request status returned.
application/json
post
POST /v1/sys/control-group/request HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 24

{
  "accessor": "text"
}
{
  "approved": false,
  "request_path": "text",
  "request_entity": {
    "id": "text",
    "name": "text"
  },
  "authorizations": []
}

Decode an encoded token using a one-time password (OTP)

post

This endpoint decodes an encoded token using the provided one-time password (OTP). It can be used in unauthenticated contexts.

Body
encoded_tokenstringOptional

Specifies the encoded token (result from generate-root).

otpstringOptional

Specifies the otp that was returned when the generate-root attempt was started; the encoded token is the root token XOR'ed with it.

Responses
200
Successfully decoded the token.
application/json
post
POST /v1/sys/decode-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 61

{
  "encoded_token": "encoded-token-value",
  "otp": "text"
}
{
  "decoded_token": "decoded-value"
}

List available and enabled experimental features in Vault.

get
Responses
200
Successfully returned the list of experimental features.
application/json
get
GET /v1/sys/experiments HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "features": [
    {
      "name": "new-auth-method",
      "enabled": true
    },
    {
      "name": "faster-raft-replication",
      "enabled": false
    }
  ]
}

Read the current root token generation progress.

get

Returns the configuration and progress details of the ongoing root token generation process.

Responses
200
Successfully retrieved the root generation progress.
application/json
get
GET /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}

Initialize a new root token generation attempt.

post

Starts a new root generation attempt. Only one attempt can be active at a time. Supply pgp_key to have the final token encrypted to that key; otherwise Vault generates a one-time password, returns it in the otp field of this response and XORs the final token with it. Record the otp when it is shown: it is required to decode encoded_token once the attempt completes.

Body
pgp_keystringOptional

Specifies a base64-encoded PGP public key.

Responses
200
Successfully initialized the root generation attempt.
application/json
post
POST /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 2

{}
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}

Cancel an ongoing root token generation attempt.

delete

Cancels any in-progress root token generation attempt, allowing a new attempt to be started.

Responses
204
Successfully canceled the root generation attempt.
delete
DELETE /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the progress of the current root generation attempt.

get

Returns configuration and current progress details for an active root token generation attempt.

Responses
200
Successfully retrieved root generation progress.
application/json
get
GET /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}

Initialize a new root token generation attempt.

post

Starts a new root generation attempt. Only one attempt can be active at a time. Supply pgp_key to have the final token encrypted to that key; otherwise Vault generates a one-time password, returns it in the otp field of this response and XORs the final token with it. Record the otp when it is shown: it is required to decode encoded_token once the attempt completes.

Body
pgp_keystringOptional

Specifies a base64-encoded PGP public key.

Responses
200
Successfully initialized the root generation attempt.
application/json
post
POST /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 2

{}
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}

Cancel an ongoing root token generation attempt.

delete

Cancels any in-progress root token generation attempt to allow a new one to begin.

Responses
204
Successfully canceled the root generation attempt.
delete
DELETE /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Submit a key share to progress the root token generation attempt.

post

Submits a single unseal key share (or recovery key share on auto-unseal clusters) for the active root generation attempt. When the required threshold of shares is reached, Vault completes the attempt and returns the new root token in encoded_token, XOR'ed with the attempt's OTP or encrypted to its PGP key; decode it with sys/decode-token. The attempt nonce must be provided with each call.

Body
keystringOptional

Specifies a single unseal key share.

noncestringOptional

Specifies the nonce of the attempt.

Responses
200
Successfully submitted the key share. Progress updated.
application/json
post
POST /v1/sys/generate-root/update HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 64

{
  "key": "unseal-key-share-string",
  "nonce": "attempt-nonce-string"
}
{
  "complete": true,
  "encoded_root_token": "text",
  "encoded_token": "text",
  "nonce": "text",
  "otp": "text",
  "otp_length": 1,
  "pgp_fingerprint": "text",
  "progress": 1,
  "required": 1,
  "started": true
}
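The encoding applied to the root token once the attempt above reaches its threshold with an OTP rather than a PGP key, and the inverse that sys/decode-token (documented earlier on this page) performs, as an added example that is not part of this API reference or of Vault's own code. The token is XOR'ed byte-wise with the OTP and base64-encoded, so the final response reveals nothing to anyone who did not see the otp returned at attempt start. The token value is a constructed placeholder; the example emits unpadded base64 and accepts either padded or unpadded input, so it does not depend on which variant a given Vault version produces (assumption: Vault's own output is unpadded).

```python
# Added example, not from the Vault API reference or from HashiCorp's code.
import base64
import secrets
import string

OTP_ALPHABET = string.ascii_letters + string.digits   # base62, like Vault's generated OTPs


def generate_otp(length: int) -> str:
    """Mimic the otp field returned at attempt start: random base62, as long as the token."""
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; Vault likewise rejects an OTP whose length differs from the token's."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: token {len(a)} bytes, otp {len(b)} bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def encode_root_token(token: str, otp: str) -> str:
    """What the final generate-root/update response carries in encoded_token."""
    return base64.b64encode(xor_bytes(token.encode(), otp.encode())).decode().rstrip("=")


def decode_root_token(encoded_token: str, otp: str) -> str:
    """The work sys/decode-token does server-side, here without sending the OTP anywhere."""
    padded = encoded_token + "=" * (-len(encoded_token) % 4)
    return xor_bytes(base64.b64decode(padded), otp.encode()).decode()


if __name__ == "__main__":
    token = "hvs.CONSTRUCTED-placeholder-root-token"   # constructed, not a real Vault token
    otp = generate_otp(len(token))
    encoded = encode_root_token(token, otp)
    print("otp:", otp)
    print("encoded_token:", encoded)
    print("decoded:", decode_root_token(encoded, otp))
```

Decoding locally, as the CLI's generate-root -decode does, keeps the OTP off the wire; sys/decode-token is the alternative when only the HTTP API is reachable.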

Retrieve the HA status of a Vault cluster.

get

Retrieves detailed information regarding the HA cluster setup, including whether the node is active, standby, and information about the leader.

Responses
200
Successfully retrieved the HA status.
application/json
get
GET /v1/sys/ha-status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "nodes": [
    {}
  ]
}

Retrieve the health status of the Vault server.

get

Returns different HTTP status codes depending on Vault's current state:
- 200: Vault is initialized, unsealed, and active.
- 429: Vault is unsealed and in standby mode.
- 472: Vault is a disaster recovery replication secondary and active.
- 501: Vault is not initialized.
- 503: Vault is sealed and unavailable.

Responses
200
Initialized, unsealed, and active.
get
GET /v1/sys/health HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Retrieve host instance information for the Vault server.

get

Collects and returns host-level system information including hardware details, CPU utilization, disk usage, and memory statistics. Useful for monitoring the resource consumption of the Vault instance.

Responses
200
Successfully retrieved host information.
application/json
get
GET /v1/sys/host-info HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "cpu": [
    {}
  ],
  "cpu_times": [
    {}
  ],
  "disk": [
    {}
  ],
  "host": {},
  "memory": {},
  "timestamp": "2025-06-26T08:53:25.381Z"
}

List in-flight requests being processed by Vault.

get

Returns a map of ongoing API requests ("in-flight requests") to assist with debugging and load monitoring. Each entry provides information such as client details, request path, and duration.

Responses
200
Successfully retrieved in-flight request information.
application/json
Responseany
get
GET /v1/sys/in-flight-req HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Returns the initialization status of Vault.

get

Checks whether Vault has already been initialized. This endpoint returns the initialization status without making any modifications to the Vault state.

Responses
200
Successfully retrieved initialization status.
application/json
Responseany
get
GET /v1/sys/init HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Initialize a new Vault.

post

Initializes the Vault server. Initialization is a one-time operation. After successful initialization, Vault will generate a set of unseal keys and an initial root token. If using HSM, recovery and stored shares options can be configured during this process.

Body
pgp_keysstring[]Optional

Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.

recovery_pgp_keysstring[]Optional

Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as recovery_shares.

recovery_sharesintegerOptional

Specifies the number of shares to split the recovery key into.

recovery_thresholdintegerOptional

Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to recovery_shares.

root_token_pgp_keystringOptional

Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation.

secret_sharesintegerOptional

Specifies the number of shares to split the unseal key into.

secret_thresholdintegerOptional

Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.

stored_sharesintegerOptional

Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as secret_shares.

Responses
200
Successfully initialized Vault.
application/json
Responseany
post
POST /v1/sys/init HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 101

{
  "secret_shares": 5,
  "secret_threshold": 3,
  "recovery_shares": 1,
  "recovery_threshold": 1,
  "stored_shares": 0
}

No content

Report the historical client count metrics.

get

Retrieves historical counts of unique clients that interacted with Vault, covering the current namespace and all child namespaces.

Responses
200
Successfully retrieved client activity counts.
application/json
Responseany
get
GET /v1/sys/internal/counters/activity HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Export the historical client count data.

get

Exports detailed raw historical client activity data for analysis and reporting outside of Vault.

Responses
200
Successfully exported client activity data.
application/json
Responseany
get
GET /v1/sys/internal/counters/activity/export HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Report the client count for the current month.

get

Returns the number of unique clients that have interacted with Vault during the current month for this namespace and all child namespaces.

Responses
200
Successfully retrieved monthly client counts.
application/json
Responseany
get
GET /v1/sys/internal/counters/activity/monthly HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read the client count tracking configuration.

get

Returns the current configuration settings for client count collection, including status, retention period, and default reporting period.

Responses
200
Successfully retrieved client count configuration.
application/json
Responseany
get
GET /v1/sys/internal/counters/config HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Configure the client count collection settings.

post

Enables or disables the collection of client counts and configures the retention period and default reporting period for client activity data.

Body
default_report_monthsintegerOptional

Number of months to report if no start date specified.

Default: 12
enabledstringOptional

Enable or disable collection of client count: enable, disable, or default.

Default: default
retention_monthsintegerOptional

Number of months of client data to retain. Setting to 0 will clear all existing data.

Default: 24
Responses
200
Successfully updated client count tracking configuration.
application/json
Responseany
post
POST /v1/sys/internal/counters/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 70

{
  "default_report_months": 12,
  "enabled": "default",
  "retention_months": 24
}

No content

Report the number of active identity entities in the Vault cluster.

get

Retrieves the current number of active identity entities managed by the Vault server. Note: Backward compatibility is not guaranteed for this endpoint.

Responses
200
Successfully retrieved entity count.
application/json
get
GET /v1/sys/internal/counters/entities HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "counters": {}
}
Deprecated

Deprecated - Count of requests seen by the Vault cluster.

get

This endpoint is currently unsupported and deprecated. Previously, it provided a count of requests handled by the Vault cluster. Note: Backward compatibility is not guaranteed.

Responses
200
Deprecated API call successful (no useful output).
get
GET /v1/sys/internal/counters/requests HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Report the number of active tokens in the Vault cluster.

get

Retrieves the current number of active authentication tokens managed by Vault. Note: Backward compatibility is not guaranteed for this endpoint.

Responses
200
Successfully retrieved token count.
application/json
get
GET /v1/sys/internal/counters/tokens HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "counters": {}
}

Exposes the route entry and mount entry tables present in the router.

get

Retrieves the entries in the router for the specified subtree (uuid, accessor, storage, root). The tag path parameter must be one of the inspectable subtrees. This endpoint provides information about the structure and entries in the router trees.

Path parameters
tagstringRequired

Name of the subtree being observed (e.g., uuid, accessor, storage, root).

Responses
200
Successfully retrieved the entries in the router for the specified tag.
application/json
Responseany
get
GET /v1/sys/internal/inspect/router/{tag} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Generate OpenAPI document for mounted paths

get
Query parameters
generic_mount_pathsbooleanOptional

Use generic mount paths

Default: false
Responses
200
Successfully generated OpenAPI document
application/json
Responseany
get
GET /v1/sys/internal/specs/openapi HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "openapi": "3.0.0",
  "info": {
    "title": "Vault API",
    "version": "v1"
  },
  "paths": {}
}

Generate OpenAPI document with request parameters

post
Body
contextstringOptional

Context string appended to every operationId

Responses
200
Successfully generated OpenAPI document
application/json
Responseany
post
POST /v1/sys/internal/specs/openapi HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "mounts": [
    "auth/",
    "sys/"
  ]
}
{
  "openapi": "3.0.0",
  "info": {
    "title": "Filtered Vault API",
    "version": "v1"
  },
  "paths": {}
}

Lists enabled feature flags

get
Responses
200
Successfully listed enabled feature flags
application/json
get
GET /v1/sys/internal/ui/feature-flags HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "flags": [
    {
      "name": "advanced_mode",
      "enabled": true
    },
    {
      "name": "beta_theme",
      "enabled": false
    }
  ]
}

Lists all enabled and visible auth and secrets mounts

get
Responses
200
Successfully listed visible mounts
application/json
get
GET /v1/sys/internal/ui/mounts HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "mounts": {
    "auth/": {
      "type": "userpass",
      "accessor": "auth_userpass_abcd",
      "visible": true
    },
    "secret/": {
      "type": "kv",
      "options": {
        "version": "2"
      },
      "visible": true
    }
  }
}

Lists visible child namespaces

get
Responses
200
Successfully listed namespaces
application/json
get
GET /v1/sys/internal/ui/namespaces HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "namespaces": [
    {
      "name": "finance/"
    },
    {
      "name": "engineering/"
    }
  ]
}

Returns the resultant ACL for a client token

get
Responses
200
Successfully returned ACL policy
application/json
get
GET /v1/sys/internal/ui/resultant-acl HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "policies": [
    "default",
    "dev-policy"
  ],
  "capabilities": [
    "read",
    "list"
  ]
}

Reports backend encryption key status

get
Responses
200
Successfully retrieved key status
application/json
Responseany
get
GET /v1/sys/key-status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "term": 5,
  "install_time": "2024-11-05T12:00:00Z",
  "last_rotation": "2025-01-10T08:45:00Z"
}

Returns HA status and the current leader of Vault

get
Responses
200
Successfully returned leader status
application/json
get
GET /v1/sys/leader HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "ha_enabled": true,
  "is_self": false,
  "leader_address": "https://vault-1.example.com:8200"
}

Lists active leases

get
Responses
200
Successfully listed leases
application/json
get
GET /v1/sys/leases HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "leases": [
    {
      "path": "auth/token/create",
      "id": "a1b2c3"
    },
    {
      "path": "secret/myapp/config",
      "id": "d4e5f6"
    }
  ]
}

Returns the count of active leases

get
Responses
200
Successfully retrieved lease count
application/json
get
GET /v1/sys/leases/count HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "lease_count": 1247
}

Retrieves metadata for a specific lease

post
Body
lease_idstringOptional

The lease identifier to look up. This is included with a lease.

Responses
200
Successfully retrieved lease metadata
application/json
post
POST /v1/sys/leases/lookup HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "lease_id": "auth/token/create/a1b2c3"
}
{
  "lease_id": "auth/token/create/a1b2c3",
  "renewable": true,
  "ttl": 3600
}

Lists all lease paths

get
Query parameters
liststring · enumRequired

Must be set to 'true' to trigger a list response.

Possible values:
Responses
200
Successfully listed lease paths
application/json
get
GET /v1/sys/leases/lookup/ HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "keys": [
    "auth/token/create/",
    "secret/data/db-creds/"
  ]
}

Lists leases under the specified prefix

get
Path parameters
prefixstringRequired

The path to list leases under. Example: "aws/creds/deploy"

Query parameters
liststring · enumRequired

Must be set to 'true'

Possible values:
Responses
200
Successfully listed leases for the prefix
application/json
get
GET /v1/sys/leases/lookup/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "keys": [
    "aws/creds/deploy/app1",
    "aws/creds/deploy/app2"
  ]
}

Renews a lease by extending its TTL.

post
Body
incrementinteger · secondsOptional

The desired increment in seconds to the lease

lease_idstringOptional

The lease identifier to renew. This is included with a lease.

url_lease_idstringOptional

The lease identifier to renew. This is included with a lease.

Responses
204
Lease renewed successfully (no content)
post
POST /v1/sys/leases/renew HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 63

{
  "lease_id": "database/creds/my-role/Y7sGbfd9",
  "increment": 3600
}

No content

Renews a lease using a lease ID in the path.

post
Path parameters
url_lease_idstringRequired

The lease ID to renew. Example: "database/creds/my-role/Y7sGbfd9"

Body
incrementinteger · secondsOptional

The desired increment in seconds to the lease

lease_idstringOptional

The lease identifier to renew. This is included with a lease.

Responses
204
Lease renewed successfully (no content)
post
POST /v1/sys/leases/renew/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 18

{
  "increment": 1800
}

No content

Immediately revokes a lease.

post
Body
lease_idstringOptional

The lease identifier to revoke. This is included with a lease.

syncbooleanOptional

Whether or not to perform the revocation synchronously

Default: true
url_lease_idstringOptional

The lease identifier to revoke. This is included with a lease.

Responses
204
Lease revoked successfully (no content)
post
POST /v1/sys/leases/revoke HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46

{
  "lease_id": "database/creds/my-role/Y7sGbfd9"
}

No content

Revokes all secrets or tokens generated under a given prefix immediately

post

Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.

By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.

Path parameters
prefixstringRequired

The path to revoke keys under. Example: "prod/aws/ops"

Responses
204
OK
post
POST /v1/sys/leases/revoke-force/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.

post
Path parameters
prefixstringRequired

The path to revoke keys under. Example: "prod/aws/ops"

Body
syncbooleanOptional

Whether or not to perform the revocation synchronously

Default: true
Responses
204
OK
post
POST /v1/sys/leases/revoke-prefix/{prefix} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13

{
  "sync": true
}
204

OK

No content
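
As an added example (not Vault's own client code) that ties the lookup, renew, revoke-prefix and revoke-force endpoints above together: a small Python helper that renews a lease only while it is renewable and its remaining ttl is short, and revokes a prefix synchronously, escalating to revoke-force only when the caller opted in and normal revocation failed. The HTTP transport is injected so the logic runs offline against constructed replies; make_transport(), fake_transport() and VaultError are names assumed here, not part of the Vault API.

```python
"""Lease lifecycle helper for the /sys/leases endpoints.

Added example, not Vault's own client code. The HTTP transport is injected
so the renewal and revocation logic can be exercised offline against
constructed responses; make_transport() builds a real urllib-based one.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, path, json_body_or_None) and returns
# (status_code, response_body_text).
Transport = Callable[[str, str, Optional[dict]], Tuple[int, str]]


class VaultError(Exception):
    """Raised when Vault answers with an unexpected status."""


def make_transport(addr: str, token: str) -> Transport:
    """Transport against a real Vault at addr (e.g. http://localhost:8200)."""
    def send(method: str, path: str, body: Optional[dict]) -> Tuple[int, str]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(addr + path, data=data, method=method)
        req.add_header("X-Vault-Token", token)
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode()
    return send


def fake_transport(script: Dict[Tuple[str, str], Tuple[int, str]]) -> Transport:
    """Constructed offline transport: script maps (method, path) to a reply,
    and every call is recorded in send.calls for inspection."""
    calls = []

    def send(method: str, path: str, body: Optional[dict]) -> Tuple[int, str]:
        calls.append((method, path, body))
        return script[(method, path)]
    send.calls = calls  # type: ignore[attr-defined]
    return send


def lookup_lease(send: Transport, lease_id: str) -> dict:
    """POST /v1/sys/leases/lookup: metadata (renewable, ttl, ...) for one lease."""
    status, body = send("POST", "/v1/sys/leases/lookup", {"lease_id": lease_id})
    if status != 200:
        raise VaultError(f"lookup {lease_id}: HTTP {status} {body}")
    return json.loads(body)


def renew_if_needed(send: Transport, lease_id: str, min_ttl: int, increment: int) -> bool:
    """Renew only when the lease is renewable and its ttl is below min_ttl.
    Returns True if a renew request was sent."""
    meta = lookup_lease(send, lease_id)
    if not meta.get("renewable") or meta.get("ttl", 0) >= min_ttl:
        return False
    status, body = send("POST", "/v1/sys/leases/renew",
                        {"lease_id": lease_id, "increment": increment})
    if status not in (200, 204):
        raise VaultError(f"renew {lease_id}: HTTP {status} {body}")
    return True


def revoke_prefix(send: Transport, prefix: str, allow_force: bool = False) -> str:
    """Revoke every lease under prefix synchronously and return the endpoint
    that succeeded. revoke-force is only tried when the caller opted in AND
    normal revocation failed: it makes Vault forget leases whose backend
    cleanup did not happen, so that cleanup becomes the operator's job."""
    status, body = send("POST", f"/v1/sys/leases/revoke-prefix/{prefix}", {"sync": True})
    if status in (200, 204):
        return "revoke-prefix"
    if not allow_force:
        raise VaultError(f"revoke-prefix {prefix}: HTTP {status} {body}")
    status, body = send("POST", f"/v1/sys/leases/revoke-force/{prefix}", None)
    if status in (200, 204):
        return "revoke-force"
    raise VaultError(f"revoke-force {prefix}: HTTP {status} {body}")
```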

Revokes a lease immediately.

post
Path parameters
url_lease_idstringRequired

The lease identifier to revoke. This is included with a lease.

Body
lease_idstringOptional

The lease identifier to revoke. This is included with a lease.

syncbooleanOptional

Whether or not to perform the revocation synchronously

Default: true
Responses
204
OK
post
POST /v1/sys/leases/revoke/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31

{
  "lease_id": "text",
  "sync": true
}
204

OK

No content

Trigger a background lease tidy operation.

post
Body
anyOptional
Responses
204
Lease tidy completed successfully; no content returned.
post
POST /v1/sys/leases/tidy HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 52

{
  "safety_buffer": "1h",
  "safety_buffer_percentage": 10
}

No content

Retrieve the status of the currently installed license.

get
Responses
200
Successfully retrieved license status.
application/json
Responseany
get
GET /v1/sys/license/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "license_type": "enterprise",
  "expiration_time": "2025-12-31T23:59:59Z",
  "status": "valid"
}

List the locked user count metrics for the current namespace and all child namespaces.

get
Responses
200
Successfully retrieved locked user metrics.
application/json
Responseany
get
GET /v1/sys/locked-users HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "total_locked_users": 3,
  "namespaces": [
    {
      "name": "root",
      "locked_users": 1
    },
    {
      "name": "team-a",
      "locked_users": 2
    }
  ]
}

Unlock a locked user by mount accessor and alias identifier.

post
Path parameters
alias_identifierstringRequired

Identifier of the alias (e.g., username or RoleID).

mount_accessorstringRequired

Identifier of the mount entry associated with the user.

Responses
200
User successfully unlocked.
application/json
Responseany
post
POST /v1/sys/locked-users/{mount_accessor}/unlock/{alias_identifier} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "success": true,
  "message": "User unlocked successfully"
}

Read the verbosity level for all existing loggers.

get
Responses
200
Current verbosity levels retrieved.
application/json
Responseany
get
GET /v1/sys/loggers HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "default": "info",
  "loggers": {
    "audit": "warn",
    "core": "debug"
  }
}

Modify verbosity levels for all loggers.

post
Body
levelstringOptional

Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".

Responses
204
Logger levels updated.
post
POST /v1/sys/loggers HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46

{
  "default": "info",
  "loggers": {
    "audit": "error"
  }
}

No content

Revert all loggers to the configured log level.

delete
Responses
204
Log levels reverted.
delete
DELETE /v1/sys/loggers HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read verbosity level of a specific logger.

get
Path parameters
namestringRequired

Name of the logger to read.

Responses
200
Logger verbosity level retrieved.
application/json
Responseany
get
GET /v1/sys/loggers/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "name": "audit",
  "level": "warn"
}

Modify the log level of a specific logger.

post
Path parameters
namestringRequired

Name of the logger to modify.

Body
levelstringOptional

Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".

Responses
204
Logger level updated.
post
POST /v1/sys/loggers/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17

{
  "level": "debug"
}

No content

Revert a specific logger to the configured log level.

delete
Path parameters
namestringRequired

Name of the logger to revert.

Responses
204
Logger reverted.
delete
DELETE /v1/sys/loggers/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Manage lists of managed keys by type.

get
Path parameters
typestringRequired
Query parameters
liststring · enumRequired

Must be set to "true" to list keys.

Possible values:
Responses
200
Managed keys listed.
application/json
Responseany
get
GET /v1/sys/managed-keys/{type} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "keys": [
    "key1",
    "key2"
  ]
}

Get a specific managed key by type and name.

get
Path parameters
typestringRequired
namestringRequired
Responses
200
Managed key details.
application/json
Responseany
get
GET /v1/sys/managed-keys/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "name": "key1",
  "type": "encryption",
  "status": "active"
}

Update a specific managed key by type and name.

post
Path parameters
typestringRequired
namestringRequired
Responses
200
Managed key written.
application/json
Responseany
post
POST /v1/sys/managed-keys/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Delete a specific managed key by type and name.

delete
Path parameters
typestringRequired
namestringRequired
Responses
204
Managed key deleted.
delete
DELETE /v1/sys/managed-keys/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Test signing functionality for a managed key.

post
Path parameters
typestringRequired

The type of the managed key (e.g., "transit", "pkcs11").

namestringRequired

The name of the managed key to use for the test signing operation.

Body
anyOptional
Responses
200
Test signing successful.
application/json
Responseany
post
POST /v1/sys/managed-keys/{type}/{name}/test/sign HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 69

{
  "input": "aGVsbG8gd29ybGQ=",
  "algorithm": "sha2-256",
  "prehashed": false
}
{
  "signature": "vault:v1:abc123signaturedata"
}

Export system metrics in Prometheus format.

get
Query parameters
formatstring · enumOptional

The output format for the metrics. Currently, only prometheus is supported.

Possible values:
Body
anyOptional
Responses
200
Metrics exported successfully.
text/plain
Responseany
get
GET /v1/sys/metrics HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 23

{
  "format": "prometheus"
}
# HELP vault_core_handle_request_count Total number of handled requests
# TYPE vault_core_handle_request_count counter
vault_core_handle_request_count{code="200",method="GET",path="/v1/sys/metrics"} 42

List configured Multi-Factor Authentication (MFA) methods.

get
Query parameters
liststring · enumRequired

A required parameter that must be set to true to retrieve the list of MFA methods.

Possible values:
Body
anyOptional
Responses
200
Successfully retrieved the list of configured MFA methods.
application/json
Responseany
get
GET /v1/sys/mfa/method HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 15

{
  "list": "true"
}
{
  "data": {
    "methods": [
      {
        "name": "duo",
        "type": "duo"
      },
      {
        "name": "okta",
        "type": "okta"
      },
      {
        "name": "totp",
        "type": "totp"
      }
    ]
  }
}

Read the configuration of a specific Okta MFA method.

get
Path parameters
namestringRequired

The unique name of the Okta MFA method.

Responses
200
Successfully retrieved the Okta MFA configuration.
application/json
Responseany
get
GET /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "okta-main",
    "type": "okta",
    "org_name": "example-org",
    "token": "s.exampletoken"
  }
}

Create or update an Okta MFA method configuration.

post
Path parameters
namestringRequired

The unique name of the Okta MFA method.

Body
anyOptional
Responses
200
Successfully created or updated the Okta MFA method.
application/json
Responseany
post
POST /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 51

{
  "org_name": "example-org",
  "token": "s.exampletoken"
}
{
  "data": {
    "success": true
  }
}

Delete the specified Okta MFA method configuration.

delete
Path parameters
namestringRequired

The unique name of the Okta MFA method.

Responses
204
The method was successfully deleted; no content returned.
delete
DELETE /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Retrieve a PingID MFA method configuration.

get
Path parameters
namestringRequired

The name of the PingID MFA method configuration.

Responses
200
Successfully retrieved the PingID configuration.
application/json
Responseany
get
GET /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "pingid-main",
    "type": "pingid",
    "apikey": "abc123",
    "org_alias": "my-org",
    "token": "s.mytoken"
  }
}

Create or update a PingID MFA method configuration.

post
Path parameters
namestringRequired

The name of the PingID MFA method configuration.

Body
anyOptional
Responses
200
PingID method created or updated successfully.
application/json
Responseany
post
POST /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60

{
  "apikey": "abc123",
  "org_alias": "my-org",
  "token": "s.mytoken"
}
{
  "data": {
    "success": true
  }
}

Delete a PingID MFA method configuration by name.

delete
Path parameters
namestringRequired

The name of the PingID MFA method configuration.

Responses
204
PingID method configuration deleted successfully. No content returned.
delete
DELETE /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read a TOTP MFA method configuration.

get
Path parameters
namestringRequired

The name of the TOTP MFA method configuration.

Responses
200
Successfully retrieved the TOTP method configuration.
application/json
Responseany
get
GET /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "totp-auth",
    "type": "totp",
    "issuer": "vault",
    "period": 30,
    "skew": 1
  }
}

Create or update a TOTP MFA method configuration.

post
Path parameters
namestringRequired

The name of the TOTP MFA method configuration.

Body
anyOptional
Responses
200
TOTP method created or updated successfully.
application/json
Responseany
post
POST /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "issuer": "vault",
  "period": 30,
  "skew": 1
}
{
  "data": {
    "success": true
  }
}

Delete a TOTP MFA method configuration by name.

delete
Path parameters
namestringRequired

The name of the TOTP MFA method configuration.

Responses
204
TOTP method deleted successfully. No content returned.
delete
DELETE /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Admin-level destroy operation for a TOTP MFA method configuration.

post
Path parameters
namestringRequired

The name of the TOTP MFA method configuration to destroy.

Responses
200
The TOTP method was successfully destroyed.
application/json
Responseany
post
POST /v1/sys/mfa/method/totp/{name}/admin-destroy HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "destroyed": true
  }
}

Admin-level operation to generate a new TOTP key for a user.

post
Path parameters
namestringRequired

The name of the TOTP MFA method configuration.

Body
anyOptional
Responses
200
TOTP key successfully generated.
application/json
Responseany
post
POST /v1/sys/mfa/method/totp/{name}/admin-generate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 52

{
  "account_name": "[email protected]",
  "issuer": "vault"
}
{
  "data": {
    "url": "otpauth://totp/vault:[email protected]?secret=ABCDEFG12345678&issuer=vault",
    "barcode": "<base64-barcode-image>"
  }
}

Generate a TOTP key and OTP URL for a specific TOTP MFA method configuration.

get
Path parameters
namestringRequired

Name of the TOTP MFA method configuration to generate a key for.

Responses
200
Successfully retrieved the TOTP key and OTP URL.
application/json
Responseany
get
GET /v1/sys/mfa/method/totp/{name}/generate HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "url": "otpauth://totp/vault:[email protected]?secret=XYZABC123456&issuer=vault",
    "barcode": "iVBORw0KGgoAAAANSUhEUgAA..."
  }
}

Validates the login for the given MFA methods.

post

Validates MFA credentials submitted by the user. Upon successful validation, it returns an authentication response that includes a client token. This endpoint is typically called after initial credentials are provided and MFA is required.

Body
mfa_payloadobject · mapRequired

A map from MFA method ID to a slice of passcodes, or an empty slice if the method does not use passcodes.

mfa_request_idstringRequired

ID for this MFA request

Responses
200
Successful MFA validation and authentication.
application/json
Responseany
post
POST /v1/sys/mfa/validate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 76

{
  "mfa_request_id": "<mfa-request-id>",
  "mfa_payload": {
    "totp-d3f1": [
      "123456"
    ]
  }
}
{
  "auth": {
    "client_token": "s.QKJ123abcXYZ",
    "accessor": "vS2iRzHyXweKzwo0tUR",
    "policies": [
      "default"
    ],
    "lease_duration": 2764800,
    "renewable": true
  }
}

Retrieve system logs with specified log format and log level.

get

Fetch system logs based on the selected output format and log level.

Query parameters
log_formatstring · enumOptional

Output format of logs. Supported values are "standard" and "json". The default is "standard".

Default: standard
Possible values:
log_levelstring · enumOptional

Log level to view system logs at. Currently supported values are "trace", "debug", "info", "warn", "error".

Possible values:
Responses
200
OK
application/json
get
GET /v1/sys/monitor HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "log_format": "standard",
  "log_level": "info",
  "logs": [
    "System initialized",
    "Connection successful",
    "Error at 10:23 AM"
  ]
}

Retrieve a list of currently mounted backends.

get
Responses
200
OK
application/json
get
GET /v1/sys/mounts HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "mounts": [
    {
      "path": "secret/",
      "type": "kv",
      "description": "Key-Value secrets engine"
    },
    {
      "path": "pki/",
      "type": "cert",
      "description": "PKI secrets engine"
    }
  ]
}

Read the configuration of the secret engine at the given path.

get
Path parameters
pathstringRequired

The path of the mount to read. Example: "aws/east"

Responses
200
OK
application/json
get
GET /v1/sys/mounts/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "accessor": "text",
  "config": {},
  "deprecation_status": "text",
  "description": "text",
  "external_entropy_access": true,
  "local": false,
  "options": {},
  "plugin_version": "text",
  "running_plugin_version": "text",
  "running_sha256": "text",
  "seal_wrap": false,
  "type": "text",
  "uuid": "text"
}

Enable a new secrets engine at the given path.

post
Path parameters
pathstringRequired

The path to mount to. Example: "aws/east"

Body
configobject · mapOptional

Configuration for this mount, such as default_lease_ttl and max_lease_ttl.

descriptionstringOptional

User-friendly description for this mount.

external_entropy_accessbooleanOptional

Whether to give the mount access to Vault's external entropy.

Default: false
localbooleanOptional

Mark the mount as a local mount, which is not replicated and is unaffected by replication.

Default: false
optionsobject · kvpairsOptional

The options to pass into the backend. Should be a JSON object with string keys and values.

plugin_namestringOptional

Name of the plugin to mount, as registered in the plugin catalog.

plugin_versionstringOptional

The semantic version of the plugin to use.

seal_wrapbooleanOptional

Whether to turn on seal wrapping for the mount.

Default: false
typestringOptional

The type of the backend. Example: "passthrough"

Responses
204
OK
post
POST /v1/sys/mounts/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 170

{
  "config": {},
  "description": "text",
  "external_entropy_access": false,
  "local": false,
  "options": {},
  "plugin_name": "text",
  "plugin_version": "text",
  "seal_wrap": false,
  "type": "text"
}
204

OK

No content

Disable the mount point specified at the given path.

delete
Path parameters
pathstringRequired

The path of the mount to disable. Example: "aws/east"

Responses
200
OK
delete
DELETE /v1/sys/mounts/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Read the tuning configuration of a mounted backend.

get
Path parameters
pathstringRequired

The path of the mount to tune. Example: "aws/east"

Responses
200
OK
application/json
get
GET /v1/sys/mounts/{path}/tune HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "default_lease_ttl": "768h",
  "max_lease_ttl": "768h",
  "description": "AWS Secrets Engine",
  "audit_non_hmac_request_keys": [
    "role"
  ]
}

Update the tuning configuration parameters for a mounted backend.

post
Path parameters
pathstringRequired

The path of the mount to tune. Example: "aws/east"

Body
default_lease_ttlstringOptional
max_lease_ttlstringOptional
descriptionstringOptional
audit_non_hmac_request_keysstring[]Optional
Responses
200
OK
application/json
post
POST /v1/sys/mounts/{path}/tune HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 135

{
  "default_lease_ttl": "500h",
  "max_lease_ttl": "1000h",
  "description": "Updated AWS config",
  "audit_non_hmac_request_keys": [
    "role",
    "region"
  ]
}
{
  "success": true
}

List namespaces

get
Query parameters
liststring · enumRequired

Must be set to true

Possible values:
Responses
200
OK
application/json
get
GET /v1/sys/namespaces/ HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "keys": [
    "text"
  ]
}

Lock the API for all namespaces to prevent changes.

post
Body
reasonstringOptional
Responses
200
OK
application/json
post
POST /v1/sys/namespaces/api-lock/lock HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "reason": "Planned maintenance window"
}
{
  "success": true
}

Unlock the API for all namespaces.

post
Body
reasonstringOptional
Responses
200
OK
application/json
post
POST /v1/sys/namespaces/api-lock/unlock HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 33

{
  "reason": "Maintenance complete"
}
{
  "success": true
}

Unlock the API at a specific namespace path.

post
Path parameters
pathstringRequired
Body
Responses
200
OK
application/json
post
POST /v1/sys/namespaces/api-lock/unlock/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "success": true
}

Read namespace information

get
Path parameters
pathstringRequired

The path of the namespace

Responses
200
OK
application/json
get
GET /v1/sys/namespaces/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "custom_metadata": {},
  "id": "text",
  "path": "text"
}

Create a new namespace

post
Path parameters
pathstringRequired

The path of the namespace

Body
custom_metadataobject · mapOptional

A map of user-provided string-to-string metadata describing the namespace.

Responses
200
OK
application/json
post
POST /v1/sys/namespaces/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 22

{
  "custom_metadata": {}
}
200

OK

{
  "custom_metadata": {},
  "id": "text",
  "path": "text"
}

Delete a namespace

delete
Path parameters
pathstringRequired

The path of the namespace

Responses
200
OK
delete
DELETE /v1/sys/namespaces/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

List all the plugins registered with Vault.

get
Responses
200
OK
application/json
get
GET /v1/sys/plugins/catalog HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "example-plugin": {
      "type": "auth",
      "sha256": "abc123...",
      "command": "vault-plugin-example",
      "args": []
    }
  }
}

Return the configuration data for the plugin with the given name.

get
Path parameters
namestringRequired

The name of the plugin

Responses
200
OK
application/json
get
GET /v1/sys/plugins/catalog/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "args": [
    "text"
  ],
  "builtin": true,
  "command": "text",
  "deprecation_status": "text",
  "name": "text",
  "sha256": "text",
  "version": "text"
}

Register a new plugin, or update an existing one with the supplied name.

post
Path parameters
namestringRequired

The name of the plugin

Body
argsstring[]Optional

The args passed to the plugin command.

commandstringOptional

The command used to start the plugin. The executable defined in this command must exist in Vault's plugin directory.

envstring[]Optional

The environment variables passed to the plugin command. Each entry is of the form "key=value".

sha256stringOptional

The SHA256 sum of the executable used in the command field. This should be HEX encoded.

typestringOptional

The type of the plugin: auth, secret, or database.

versionstringOptional

The semantic version of the plugin to use.

Responses
200
OK
post
POST /v1/sys/plugins/catalog/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 96

{
  "args": [
    "text"
  ],
  "command": "text",
  "env": [
    "text"
  ],
  "sha256": "text",
  "type": "text",
  "version": "text"
}
200

OK

No content

Remove the plugin with the given name.

delete
Path parameters
namestringRequired

The name of the plugin

Responses
200
OK
delete
DELETE /v1/sys/plugins/catalog/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

List the plugins in the catalog.

get
Path parameters
typestringRequired

The type of the plugin: auth, secret, or database.

Query parameters
liststring · enumRequired

Must be set to true

Possible values:
Responses
200
OK
application/json
get
GET /v1/sys/plugins/catalog/{type} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "keys": [
    "text"
  ]
}

Return the configuration data for the plugin with the given name.

get
Path parameters
namestringRequired

The name of the plugin

typestringRequired

The type of the plugin: auth, secret, or database.

Responses
200
OK
application/json
get
GET /v1/sys/plugins/catalog/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "args": [
    "text"
  ],
  "builtin": true,
  "command": "text",
  "deprecation_status": "text",
  "name": "text",
  "sha256": "text",
  "version": "text"
}

Register a new plugin, or update an existing one with the supplied name.

post
Path parameters
namestringRequired

The name of the plugin

typestringRequired

The type of the plugin: auth, secret, or database.

Body
argsstring[]Optional

The args passed to the plugin command.

commandstringOptional

The command used to start the plugin. The executable defined in this command must exist in Vault's plugin directory.

envstring[]Optional

The environment variables passed to the plugin command. Each entry is of the form "key=value".

sha256stringOptional

The SHA256 sum of the executable used in the command field. This should be HEX encoded.

versionstringOptional

The semantic version of the plugin to use.

Responses
200
OK
post
POST /v1/sys/plugins/catalog/{type}/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 82

{
  "args": [
    "text"
  ],
  "command": "text",
  "env": [
    "text"
  ],
  "sha256": "text",
  "version": "text"
}
200

OK

No content
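
As an added example (not Vault's or any plugin's own code) for the two register endpoints above: computing the hex SHA256 that the sha256 field expects from the executable in the plugin directory, and re-checking a catalog entry (the shape of the GET response above) against that executable before trusting or reloading it. resolve_command(), verify_catalog_entry() and make_demo_plugin() are names assumed here; the demo plugin file is constructed, and the deprecation status strings are the ones Vault reports for plugins.

```python
"""Plugin catalog integrity check for sys/plugins/catalog entries.

Added example, not Vault's own code. It computes the hex SHA256 the register
endpoint expects and compares a catalog entry (the GET response shape) with
the executable in Vault's plugin directory. The demo plugin written by
make_demo_plugin() is constructed here for offline use.
"""
import hashlib
import os
import tempfile
from typing import List, Tuple


def sha256_hex(path: str) -> str:
    """Hex-encoded SHA256 of a file, the encoding the sha256 field requires."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_command(plugin_dir: str, command: str) -> str:
    """Resolve command inside plugin_dir; refuse anything that escapes it."""
    root = os.path.realpath(plugin_dir)
    exe = os.path.realpath(os.path.join(root, command))
    if os.path.commonpath([root, exe]) != root:
        raise ValueError(f"command {command!r} escapes plugin directory")
    return exe


def registration_body(plugin_dir: str, command: str, plugin_type: str,
                      version: str, args=(), env=()) -> dict:
    """Body for POST /v1/sys/plugins/catalog/{type}/{name}, with sha256 taken
    from the binary that will actually be executed."""
    return {
        "command": command,
        "sha256": sha256_hex(resolve_command(plugin_dir, command)),
        "type": plugin_type,
        "version": version,
        "args": list(args),
        "env": list(env),
    }


def verify_catalog_entry(entry: dict, plugin_dir: str) -> List[str]:
    """Findings for one catalog entry; an empty list means it is consistent."""
    findings: List[str] = []
    if entry.get("builtin"):
        return findings  # built-in plugins ship inside the Vault binary
    try:
        exe = resolve_command(plugin_dir, entry["command"])
    except ValueError as err:
        return [str(err)]
    if not os.path.isfile(exe):
        return [f"executable missing: {exe}"]
    actual = sha256_hex(exe)
    if actual != entry.get("sha256", "").lower():
        findings.append(f"sha256 mismatch: catalog={entry.get('sha256')} disk={actual}")
    bad_env = [e for e in entry.get("env", []) if "=" not in e]
    if bad_env:
        findings.append(f"env entries not key=value: {bad_env}")
    # Vault reports supported / deprecated / pending removal / removed.
    if entry.get("deprecation_status") in ("deprecated", "pending removal"):
        findings.append(f"plugin is {entry['deprecation_status']}")
    return findings


def make_demo_plugin(contents: bytes = b"#!/bin/sh\necho demo\n") -> Tuple[str, str]:
    """Constructed sample: write a fake plugin into a fresh temp directory and
    return (plugin_dir, command)."""
    plugin_dir = tempfile.mkdtemp(prefix="vault-plugins-")
    command = "vault-plugin-example"
    with open(os.path.join(plugin_dir, command), "wb") as f:
        f.write(contents)
    return plugin_dir, command
```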

Remove the plugin with the given name.

delete
Path parameters
namestringRequired

The name of the plugin

typestringRequired

The type of the plugin: auth, secret, or database.

Responses
200
OK
delete
DELETE /v1/sys/plugins/catalog/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Reload mounted plugin backends.

post

Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. If the plugin name is provided, all mounted paths that use that plugin backend are reloaded. If scope is provided and set to global, the plugin(s) are reloaded globally.

Body
mountsstring[]Optional

The mount paths of the plugin backends to reload.

pluginstringOptional

The name of the plugin to reload, as registered in the plugin catalog.

scopestringOptional
Responses
200
OK
application/json
post
POST /v1/sys/plugins/reload/backend HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 50

{
  "mounts": [
    "text"
  ],
  "plugin": "text",
  "scope": "text"
}
{
  "reload_id": "text"
}

Check the status of any pending plugin reloads for secret backends.

get
Responses
200
OK
application/json
get
GET /v1/sys/plugins/reload/backend/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "reload_required": true,
  "plugins": [
    "example-plugin",
    "database-plugin"
  ]
}

Retrieve a list of all configured ACL policies.

get
Query parameters
liststring · enumRequired

Must be set to true to list ACL policies.

Example: true
Responses
200
OK
application/json
get
GET /v1/sys/policies/acl HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "default",
      "admin",
      "readonly"
    ]
  }
}

Retrieve information about the named ACL policy.

get
Path parameters
namestringRequired

The name of the policy. Example: "ops"

Responses
200
OK
application/json
get
GET /v1/sys/policies/acl/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "name": "text",
  "policy": "text",
  "rules": "text"
}

Add a new or update an existing ACL policy.

post
Path parameters
namestringRequired

The name of the policy. Example: "ops"

Body
policystringOptional

The rules of the policy.

Responses
204
OK
post
POST /v1/sys/policies/acl/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17

{
  "policy": "text"
}
204

OK

No content
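The policy field carries Vault's HCL as a single string, as the EGP and RGP examples further down show, and a policy is worth reviewing for over-broad grants before it is written. The following added example (not from the page or from Vault) parses that minimal stanza form, resolves the effective capabilities on a request path, and flags sudo grants and writes on system-wide paths; the path-matching rules it applies (exact match beats glob, longest pattern wins, deny grants nothing) are a simplified assumption, and the two policies are constructed for the demo.

```python
import json
import re

# Capabilities Vault accepts in ACL policy stanzas.
VALID_CAPABILITIES = {"create", "read", "update", "delete", "list", "sudo", "deny", "patch"}
WRITE_CAPABILITIES = {"create", "update", "delete", "patch"}

# One stanza of the minimal HCL form the policy endpoints return:  path "<glob>" { capabilities = [...] }
_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(text: str) -> dict:
    """Return {path_pattern: set_of_capabilities}; rejects unknown capabilities and empty policies."""
    rules = {}
    for path, caps in _STANZA.findall(text):
        capset = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
        unknown = capset - VALID_CAPABILITIES
        if unknown:
            raise ValueError(f"unknown capabilities {sorted(unknown)} on {path!r}")
        rules[path] = capset
    if not rules:
        raise ValueError("no path stanzas found")
    return rules


def _glob_match(pattern: str, path: str) -> bool:
    """Simplified Vault path matching (assumed): '+' matches one segment, a trailing '*' matches the rest."""
    pseg, xseg = pattern.split("/"), path.split("/")
    for i, p in enumerate(pseg):
        if p.endswith("*"):
            return i < len(xseg) and xseg[i].startswith(p[:-1])
        if i >= len(xseg) or (p != "+" and p != xseg[i]):
            return False
    return len(pseg) == len(xseg)


def capabilities_for(rules: dict, request_path: str) -> set:
    """Effective capabilities on one request path: the most specific matching stanza wins
    (exact over glob, then longest pattern), and 'deny' in that stanza grants nothing."""
    matches = [(p, c) for p, c in rules.items() if _glob_match(p, request_path)]
    if not matches:
        return set()
    pattern, caps = max(matches, key=lambda pc: (not pc[0].endswith("*"), len(pc[0])))
    return set() if "deny" in caps else set(caps)


def lint_policy(text: str) -> list:
    """Review findings a defender wants before POSTing a policy: sudo grants and writes on broad paths."""
    findings = []
    for path, caps in parse_policy(text).items():
        if "sudo" in caps:
            findings.append(f"{path}: grants sudo")
        if (path == "*" or path.startswith("sys/")) and caps & WRITE_CAPABILITIES:
            findings.append(f"{path}: write capabilities on a system-wide path")
    return findings


def request_body(text: str) -> str:
    """JSON body for POST /v1/sys/policies/acl/{name}: the HCL goes in the 'policy' field as a string."""
    return json.dumps({"policy": text})


# Constructed policies for the demo; the first is the read-only example shown on this page.
READONLY_POLICY = 'path "secret/*" {\n  capabilities = ["read"]\n}\n'
ADMIN_POLICY = (
    'path "sys/*" {\n  capabilities = ["create", "read", "update", "delete", "sudo"]\n}\n'
    'path "secret/data/finance/*" {\n  capabilities = ["deny"]\n}\n'
    'path "secret/*" {\n  capabilities = ["read", "list"]\n}\n'
)

if __name__ == "__main__":
    for name, text in (("readonly", READONLY_POLICY), ("admin", ADMIN_POLICY)):
        print(name, "findings:", lint_policy(text) or "none")
        rules = parse_policy(text)
        for p in ("secret/data/finance/q1", "secret/data/hr", "sys/policies/acl/ops"):
            print("  ", p, "->", sorted(capabilities_for(rules, p)))
```

The same parser works on the policy string returned by the read endpoints above, so an inventory job can list policies, read each one and run lint_policy over the result.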

Delete the ACL policy with the given name.

delete
Path parameters
namestringRequired

The name of the policy. Example: "ops"

Responses
204
OK
delete
DELETE /v1/sys/policies/acl/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

List all externally managed group policies (EGPs).

get
Query parameters
liststring · enumRequired

Must be set to true to retrieve EGPs.

Example: true
Responses
200
OK
application/json
get
GET /v1/sys/policies/egp HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "egp-policy-admin",
      "egp-policy-ops"
    ]
  }
}

Read an EGP policy by name.

get
Path parameters
namestringRequired

The name of the EGP policy.

Responses
200
OK
application/json
get
GET /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "egp-policy-admin",
    "policy": "path \"secret/*\" {\n  capabilities = [\"read\"]\n}\n"
  }
}

Create or update an EGP policy by name.

post
Path parameters
namestringRequired

The name of the EGP policy.

Body
policystringRequired
Responses
200
Policy created or updated successfully
post
POST /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 101

{
  "policy": "path \"secret/data/finance\" {\n  capabilities = [\"create\", \"read\", \"update\"]\n}\n"
}

No content

Delete an EGP policy by name.

delete
Path parameters
namestringRequired

The name of the EGP policy.

Responses
204
Policy deleted successfully (empty body)
delete
DELETE /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

List the existing password policies.

get
Query parameters
liststring · enumRequired

Must be set to true

Responses
200
OK
application/json
get
GET /v1/sys/policies/password HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "keys": [
    "text"
  ]
}

Retrieve an existing password policy.

get
Path parameters
namestringRequired

The name of the password policy.

Responses
204
OK
application/json
get
GET /v1/sys/policies/password/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

{
  "policy": "text"
}

Add a new or update an existing password policy.

post
Path parameters
namestringRequired

The name of the password policy.

Body
policystringOptional

The password policy

Responses
204
OK
post
POST /v1/sys/policies/password/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17

{
  "policy": "text"
}
204

OK

No content

Delete a password policy.

delete
Path parameters
namestringRequired

The name of the password policy.

Responses
204
OK
delete
DELETE /v1/sys/policies/password/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Generate a password from an existing password policy.

get
Path parameters
namestringRequired

The name of the password policy.

Responses
200
OK
application/json
get
GET /v1/sys/policies/password/{name}/generate HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "password": "text"
}

List all role-based group policies (RGPs).

get
Query parameters
liststring · enumRequired

Must be set to true to list RGPs.

Example: true
Responses
200
OK
application/json
Responseany
get
GET /v1/sys/policies/rgp HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "rgp-policy-admin",
      "rgp-policy-audit"
    ]
  }
}

Read a specific RGP policy by name.

get
Path parameters
namestringRequired

The name of the RGP policy.

Responses
200
OK
application/json
Responseany
get
GET /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "rgp-policy-admin",
    "policy": "path \"sys/*\" {\n  capabilities = [\"create\", \"read\", \"update\"]\n}\n"
  }
}

Create or update an RGP policy by name.

post
Path parameters
namestringRequired

The name of the RGP policy.

Body
anyOptional
Responses
200
Policy written successfully
post
POST /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 82

{
  "policy": "path \"sys/config/*\" {\n  capabilities = [\"read\", \"update\"]\n}\n"
}

No content

Delete a specific RGP policy by name.

delete
Path parameters
namestringRequired

The name of the RGP policy.

Responses
204
Policy deleted successfully (empty body)
delete
DELETE /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

List all access control policies.

get
Query parameters
liststringOptional

Return a list if true

Example: true
Responses
200
OK
application/json
get
GET /v1/sys/policy HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "default",
      "root",
      "readonly"
    ]
  }
}

Retrieve the policy body for the named policy.

get
Path parameters
namestringRequired

The name of the policy. Example: "ops"

Responses
200
OK
application/json
get
GET /v1/sys/policy/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "name": "text",
  "policy": "text",
  "rules": "text"
}

Add a new or update an existing policy.

post
Path parameters
namestringRequired

The name of the policy. Example: "ops"

Body
policystringOptional

The rules of the policy.

rulesstringOptionalDeprecated

The rules of the policy.

Responses
204
OK
post
POST /v1/sys/policy/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17

{
  "policy": "text"
}
204

OK

No content

Delete the policy with the given name.

delete
Path parameters
namestringRequired

The name of the policy. Example: "ops"

Responses
204
OK
delete
DELETE /v1/sys/policy/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Returns an HTML page listing the available profiles.

get

Returns an HTML page listing the available profiles. This should be mainly accessed via browsers or applications that can render pages.

Responses
200
OK
get
GET /v1/sys/pprof HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns a sampling of all past memory allocations.

get

Responses
200
OK
get
GET /v1/sys/pprof/allocs HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns stack traces that led to blocking on synchronization primitives.

get

Responses
200
OK
get
GET /v1/sys/pprof/block HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns the running program's command line.

get

Returns the running program's command line, with arguments separated by NUL bytes.

Responses
200
OK
get
GET /v1/sys/pprof/cmdline HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns stack traces of all current goroutines.

get

Responses
200
OK
get
GET /v1/sys/pprof/goroutine HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns a sampling of memory allocations of live objects.

get

Responses
200
OK
get
GET /v1/sys/pprof/heap HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns stack traces of holders of contended mutexes.

get

Responses
200
OK
get
GET /v1/sys/pprof/mutex HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns a pprof-formatted CPU profile payload.

get

Returns a pprof-formatted CPU profile payload. Profiling lasts for the duration given in the seconds GET parameter, or for 30 seconds if it is not specified.

Responses
200
OK
get
GET /v1/sys/pprof/profile HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns the program counters listed in the request.

get

Responses
200
OK
get
GET /v1/sys/pprof/symbol HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns stack traces that led to the creation of new OS threads.

get

Responses
200
OK
get
GET /v1/sys/pprof/threadcreate HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Returns the execution trace in binary form.

get

Returns the execution trace in binary form. Tracing lasts for the duration given in the seconds GET parameter, or for 1 second if it is not specified.

Responses
200
OK
get
GET /v1/sys/pprof/trace HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Read the current quota configuration.

get
Responses
200
OK
application/json
get
GET /v1/sys/quotas/config HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "enabled": true,
    "interval": "1s",
    "rate": 100
  }
}

Create or update the quota configuration.

post
Body
enable_rate_limit_audit_loggingbooleanOptional

If set, starts audit logging of requests that get rejected due to rate limit quota rule violations.

enable_rate_limit_response_headersbooleanOptional

If set, additional rate limit quota HTTP headers will be added to responses.

rate_limit_exempt_pathsstring[]Optional

Specifies the list of paths exempt from all rate limit quotas. If empty, no paths are exempt.

Responses
204
Quota configuration updated successfully (empty body)
post
POST /v1/sys/quotas/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 42

{
  "enabled": true,
  "interval": "1s",
  "rate": 50
}

No content

List all configured lease count quotas.

get
Query parameters
liststring · enumRequired

Must be set to true

Responses
200
A list of lease count quotas
application/json
Responseany
get
GET /v1/sys/quotas/lease-count HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "quota1",
      "quota2"
    ]
  }
}

Read the specified lease count quota configuration.

get
Path parameters
namestringRequired
Responses
200
Lease count quota configuration
application/json
Responseany
get
GET /v1/sys/quotas/lease-count/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "quota1",
    "max_leases": 500,
    "namespace": "root"
  }
}

Create or update a lease count quota.

post
Path parameters
namestringRequired
Body
anyOptional
Responses
200
Quota created or updated successfully
application/json
Responseany
post
POST /v1/sys/quotas/lease-count/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 19

{
  "max_leases": 1000
}
200

Quota created or updated successfully

{
  "data": {
    "success": true
  }
}

Delete a lease count quota.

delete
Path parameters
namestringRequired
Responses
204
Quota deleted successfully (no content)
delete
DELETE /v1/sys/quotas/lease-count/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

List rate limit quota names

get
Query parameters
liststring · enumRequired

Must be set to true

Responses
200
A list of rate limit quota names
application/json
get
GET /v1/sys/quotas/rate-limit HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "global-read-quota",
      "admin-api-quota"
    ]
  }
}

Read a specific rate limit quota configuration

get
Path parameters
namestringRequired

Name of the quota rule.

Responses
200
Rate limit quota configuration
application/json
get
GET /v1/sys/quotas/rate-limit/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "name": "global-read-quota",
    "rate": 10,
    "interval": "1s",
    "path": "*"
  }
}

Create or update a rate limit quota

post
Path parameters
namestringRequired

Name of the quota rule.

Body
block_intervalinteger · secondsOptional

If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.

intervalinteger · secondsOptional

The duration to enforce rate limiting for (default '1s').

pathstringOptional

Path of the mount or namespace to apply the quota to. A blank path configures a global quota. For example, namespace1/ adds a quota to a full namespace, and namespace1/auth/userpass adds a quota to the userpass auth method in namespace1.

ratenumber · floatOptional

The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive.

rolestringOptional

Login role to apply this quota to. Note that when set, path must be configured to a valid auth method with a concept of roles.

typestringOptional

Type of the quota rule.

Responses
204
Quota created or updated successfully (no content)
post
POST /v1/sys/quotas/rate-limit/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 42

{
  "rate": 5,
  "interval": "1s",
  "path": "auth/*"
}

No content
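How rate, interval and block_interval combine is easier to see on simulated traffic than from the field descriptions. The following added example (not from the page or from Vault) models a rate limit quota as a fixed window per interval with a penalty window after the threshold is hit, selects the most specific quota for a request path, and produces the rejection audit line and response headers that the two sys/quotas/config flags above turn on. The fixed-window algorithm, the quota precedence rule and the header names are assumptions of this model, not a description of Vault's internals, and the quota names and request paths are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass
class RateLimitQuota:
    """The fields accepted by POST /v1/sys/quotas/rate-limit/{name}."""
    name: str
    rate: float                  # max requests per interval
    interval: float = 1.0        # seconds
    block_interval: float = 0.0  # seconds a client stays blocked after exceeding the rate; 0 disables
    path: str = ""               # "" = global, "ns1/" = namespace, "ns1/auth/userpass/" = mount
    role: str = ""               # optional login role on an auth mount


@dataclass
class _Window:
    start: float = 0.0
    count: int = 0
    blocked_until: float = 0.0


class QuotaEnforcer:
    """Fixed-window model (an assumption of this example) of how rate, interval and block_interval
    combine, plus the audit line and headers enabled through sys/quotas/config."""

    def __init__(self, quotas, audit_logging=True, response_headers=True):
        self.quotas = list(quotas)
        self.audit_logging = audit_logging
        self.response_headers = response_headers
        self.windows = {q.name: _Window() for q in self.quotas}

    def select(self, request_path, role=""):
        """Most specific quota wins (assumed precedence: matching role, then longest path prefix, then global)."""
        candidates = [q for q in self.quotas
                      if request_path.startswith(q.path) and (not q.role or q.role == role)]
        return max(candidates, key=lambda q: (bool(q.role), len(q.path)), default=None)

    def check(self, request_path, now, role=""):
        q = self.select(request_path, role)
        if q is None:
            return {"allowed": True, "quota": None, "headers": {}, "audit": None}
        w = self.windows[q.name]
        allowed = True
        if now < w.blocked_until:                # still inside the block_interval penalty
            allowed = False
        else:
            if now >= w.start + q.interval:      # window expired: start a fresh one
                w.start, w.count = now, 0
            if w.count >= q.rate:                # threshold reached inside this window
                allowed = False
                if q.block_interval > 0:
                    w.blocked_until = now + q.block_interval
            else:
                w.count += 1
        headers = {}
        if self.response_headers:                # header names are an assumption for this model
            headers = {"X-RateLimit-Limit": q.rate,
                       "X-RateLimit-Remaining": max(q.rate - w.count, 0),
                       "X-RateLimit-Reset": max(w.start + q.interval - now, 0.0)}
            if not allowed:
                headers["Retry-After"] = max(w.blocked_until, w.start + q.interval) - now
        audit = None
        if not allowed and self.audit_logging:   # constructed line shape, not Vault's audit format
            audit = f"t={now:.1f} quota={q.name} path={request_path} rejected=rate_limit"
        return {"allowed": allowed, "quota": q.name, "headers": headers, "audit": audit}


def run_scenario():
    """Constructed traffic: a burst against a login path under a strict quota, then the penalty window."""
    enforcer = QuotaEnforcer([
        RateLimitQuota("global-quota", rate=100),
        RateLimitQuota("login-quota", rate=5, interval=1.0, block_interval=10.0, path="auth/userpass/"),
    ])
    plan = [(0.0, "secret/data/app")]                                   # only the global quota applies
    plan += [(0.1 * i, "auth/userpass/login") for i in range(6)]        # 6 logins inside one interval
    plan += [(2.0, "auth/userpass/login"), (11.0, "auth/userpass/login")]
    return [(t, path, enforcer.check(path, t)) for t, path in plan]


if __name__ == "__main__":
    for t, path, r in run_scenario():
        verdict = "allow" if r["allowed"] else "REJECT"
        print(f"{t:5.1f} {path:22} {verdict:6} {r['quota']} {r['audit'] or ''}")
```

The sixth login in the first second is rejected and, because block_interval is set, so is the one at t=2.0 even though a new interval has begun; only after the penalty window expires does the path accept requests again.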

Delete a rate limit quota

delete
Path parameters
namestringRequired

Name of the quota rule.

Responses
204
Quota deleted successfully (no content)
delete
DELETE /v1/sys/quotas/rate-limit/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Return the backup copy of PGP-encrypted unseal keys.

get
Responses
200
OK
application/json
get
GET /v1/sys/rekey/backup HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "keys": {},
  "keys_base64": {},
  "nonce": "text"
}

Delete the backup copy of PGP-encrypted unseal keys.

delete
Responses
204
OK
delete
DELETE /v1/sys/rekey/backup HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Reads the configuration and progress of the current rekey attempt.

get
Responses
200
OK
application/json
get
GET /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "backup": true,
  "n": 1,
  "nounce": "text",
  "pgp_fingerprints": [
    "text"
  ],
  "progress": 1,
  "required": 1,
  "started": "text",
  "t": 1,
  "verification_nonce": "text",
  "verification_required": true
}

Initializes a new rekey attempt.

post

Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.

Body
backupbooleanOptional

Specifies, if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.

pgp_keysstring[]Optional

Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.

require_verificationbooleanOptional

Turns on verification functionality.

secret_sharesintegerOptional

Specifies the number of shares to split the unseal key into.

secret_thresholdintegerOptional

Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.

Responses
200
OK
application/json
post
POST /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 102

{
  "backup": true,
  "pgp_keys": [
    "text"
  ],
  "require_verification": true,
  "secret_shares": 1,
  "secret_threshold": 1
}
200

OK

{
  "backup": true,
  "n": 1,
  "nounce": "text",
  "pgp_fingerprints": [
    "text"
  ],
  "progress": 1,
  "required": 1,
  "started": "text",
  "t": 1,
  "verification_nonce": "text",
  "verification_required": true
}

Cancels any in-progress rekey.

delete

This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.

Responses
200
OK
delete
DELETE /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

No content

Read the backup of the recovery keys

get
Responses
200
Successfully retrieved the recovery key backup
application/json
get
GET /v1/sys/rekey/recovery-key-backup HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys_base64": [
      "Q2FzZV9Bbm90aGVyX0tleQ==",
      "U29tZV9CYXNlNjRfRW5jb2RlZF9LZXk="
    ]
  }
}

Delete the recovery key backup

delete
Responses
204
Successfully deleted the recovery key backup
delete
DELETE /v1/sys/rekey/recovery-key-backup HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Enter a single unseal key share to progress the rekey of the Vault.

post
Body
keystringOptional

Specifies a single unseal key share.

noncestringOptional

Specifies the nonce of the rekey attempt.

Responses
200
OK
application/json
post
POST /v1/sys/rekey/update HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29

{
  "key": "text",
  "nonce": "text"
}
200

OK

{
  "backup": true,
  "complete": true,
  "keys": [
    "text"
  ],
  "keys_base64": [
    "text"
  ],
  "n": 1,
  "nounce": "text",
  "pgp_fingerprints": [
    "text"
  ],
  "progress": 1,
  "required": 1,
  "started": "text",
  "t": 1,
  "verification_nonce": "text",
  "verification_required": true
}

Read the configuration and progress of the current rekey verification attempt.

get
Responses
200
OK
application/json
get
GET /v1/sys/rekey/verify HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "n": 1,
  "nounce": "text",
  "progress": 1,
  "started": "text",
  "t": 1
}

Enter a single new key share to progress the rekey verification operation.

post
Body
keystringOptional

Specifies a single unseal key share from the new set of shares.

noncestringOptional

Specifies the nonce of the rekey verification operation.

Responses
200
OK
application/json
post
POST /v1/sys/rekey/verify HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29

{
  "key": "text",
  "nonce": "text"
}
200

OK

{
  "complete": true,
  "nounce": "text"
}

Cancel any in-progress rekey verification operation.

delete

This clears any progress made and resets the nonce. Unlike a DELETE against sys/rekey/init, this only resets the current verification operation, not the entire rekey attempt.

Responses
200
OK
application/json
delete
DELETE /v1/sys/rekey/verify HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "n": 1,
  "nounce": "text",
  "progress": 1,
  "started": "text",
  "t": 1
}

Initiate a mount migration

post
Body
fromstringOptional

The previous mount point.

tostringOptional

The new mount point.

Responses
200
OK
application/json
post
POST /v1/sys/remount HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "from": "text",
  "to": "text"
}
200

OK

{
  "migration_id": "text"
}

Check status of a mount migration

get
Path parameters
migration_idstringRequired

The ID of the migration operation

Responses
200
OK
application/json
get
GET /v1/sys/remount/status/{migration_id} HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "migration_id": "text",
  "migration_info": {}
}

Renews a lease, requesting to extend the lease.

post
Body
incrementinteger · secondsOptional

The desired increment in seconds to the lease

lease_idstringOptional

The lease identifier to renew. This is included with a lease.

url_lease_idstringOptional

The lease identifier to renew. This is included with a lease.

Responses
204
OK
post
POST /v1/sys/renew HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 55

{
  "increment": 1,
  "lease_id": "text",
  "url_lease_id": "text"
}
204

OK

No content

Renews a lease, requesting to extend the lease.

post
Path parameters
url_lease_idstringRequired

The lease identifier to renew. This is included with a lease.

Body
incrementinteger · secondsOptional

The desired increment in seconds to the lease

lease_idstringOptional

The lease identifier to renew. This is included with a lease.

Responses
204
OK
post
POST /v1/sys/renew/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 33

{
  "increment": 1,
  "lease_id": "text"
}
204

OK

No content

Demotes the DR primary node

post
Responses
200
DR primary successfully demoted
application/json
Responseany
post
POST /v1/sys/replication/dr/primary/demote HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Demotion initiated"
  }
}

Disables the DR primary replication

post
Responses
200
DR replication successfully disabled
application/json
Responseany
post
POST /v1/sys/replication/dr/primary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "DR primary disabled"
  }
}

Enables the DR primary replication

post
Body
anyOptional
Responses
200
DR replication successfully enabled
application/json
Responseany
post
POST /v1/sys/replication/dr/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 77

{
  "mode": "primary",
  "primary_cluster_addr": "https://vault-primary.example.com"
}
{
  "data": {
    "message": "DR primary enabled"
  }
}

Revokes a DR secondary cluster

post
Body
anyOptional
Responses
200
DR secondary successfully revoked
application/json
Responseany
post
POST /v1/sys/replication/dr/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34

{
  "secondary_cluster_id": "dc-east"
}
{
  "data": {
    "message": "Secondary revoked successfully"
  }
}

Creates a token for a DR secondary to join the primary

post
Body
anyOptional
Responses
200
Token successfully created
application/json
Responseany
post
POST /v1/sys/replication/dr/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 35

{
  "id": "dc-west",
  "namespace": "root"
}
{
  "data": {
    "secondary_token": "s.SOME_LONG_TOKEN_STRING"
  }
}

Reload a specific DR secondary subsystem configuration.

post
Path parameters
subsystemstringRequired
Responses
200
Configuration reloaded successfully.
application/json
Responseany
post
POST /v1/sys/replication/dr/secondary/config/reload/{subsystem} HTTP/1.1
Host: localhost:8200
Accept: */*
200

Configuration reloaded successfully.

{
  "data": {
    "message": "Reload triggered for 'storage' subsystem."
  }
}

Disable DR secondary replication.

post
Responses
200
DR secondary replication disabled.
application/json
Responseany
post
POST /v1/sys/replication/dr/secondary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
200

DR secondary replication disabled.

{
  "data": {
    "message": "Secondary disabled."
  }
}

Enable DR secondary replication.

post
Body
anyOptional
Responses
200
DR secondary enabled.
application/json
Responseany
post
POST /v1/sys/replication/dr/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 36

{
  "token": "s.SECONDARY_TOKEN_STRING"
}
200

DR secondary enabled.

{
  "data": {
    "message": "Secondary enabled successfully."
  }
}

Generate a new DR secondary public key.

post
Responses
200
Public key generated.
application/json
Responseany
post
POST /v1/sys/replication/dr/secondary/generate-public-key HTTP/1.1
Host: localhost:8200
Accept: */*
200

Public key generated.

{
  "data": {
    "public_key": "-----BEGIN PUBLIC KEY-----\nABC123...\n-----END PUBLIC KEY-----"
  }
}

Check license status on the DR secondary.

get
Responses
200
License status retrieved.
application/json
Responseany
get
GET /v1/sys/replication/dr/secondary/license/status HTTP/1.1
Host: localhost:8200
Accept: */*
200

License status retrieved.

{
  "data": {
    "valid": true,
    "expiry": "2025-12-31T23:59:59Z"
  }
}

Delete the DR secondary operation token.

post
Responses
200
Operation token deleted.
application/json
Responseany
post
POST /v1/sys/replication/dr/secondary/operation-token/delete HTTP/1.1
Host: localhost:8200
Accept: */*
200

Operation token deleted.

{
  "data": {
    "message": "Operation token deleted."
  }
}

Promote the DR secondary to primary.

post
Responses
200
Secondary promoted to primary.
application/json
Responseany
post
POST /v1/sys/replication/dr/secondary/promote HTTP/1.1
Host: localhost:8200
Accept: */*
200

Secondary promoted to primary.

{
  "data": {
    "message": "Secondary promoted to primary."
  }
}

Recover a DR secondary.

post
Responses
200
Secondary recovery started.
application/json
Responseany
post
POST /v1/sys/replication/dr/secondary/recover HTTP/1.1
Host: localhost:8200
Accept: */*
200

Secondary recovery started.

{
  "data": {
    "message": "Recovery initiated."
  }
}

Trigger reindexing on the DR secondary.

post
Responses
200
Reindexing triggered.
application/json
Responseany
post
POST /v1/sys/replication/dr/secondary/reindex HTTP/1.1
Host: localhost:8200
Accept: */*
200

Reindexing triggered.

{
  "data": {
    "message": "Reindex started."
  }
}

Update the DR primary cluster configuration.

post
Body
anyOptional
Responses
200
Primary configuration updated.
application/json
Responseany
post
POST /v1/sys/replication/dr/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60

{
  "primary_cluster_addr": "https://vault-primary.example.com"
}
200

Primary configuration updated.

{
  "data": {
    "message": "Primary address updated."
  }
}

Read DR replication status.

get
Responses
200
DR status retrieved.
application/json
Responseany
get
GET /v1/sys/replication/dr/status HTTP/1.1
Host: localhost:8200
Accept: */*
200

DR status retrieved.

{
  "data": {
    "mode": "secondary",
    "cluster_id": "abc123"
  }
}

Demote the performance primary cluster.

post
Responses
200
Demotion successful.
application/json
Responseany
post
POST /v1/sys/replication/performance/primary/demote HTTP/1.1
Host: localhost:8200
Accept: */*
200

Demotion successful.

{
  "data": {
    "message": "Primary demoted."
  }
}

Disable performance primary replication.

post
Responses
200
Replication disabled.
application/json
Responseany
post
POST /v1/sys/replication/performance/primary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
200

Replication disabled.

{
  "data": {
    "message": "Primary replication disabled."
  }
}

Read a dynamic filter by ID.

get
Path parameters
idstringRequired
Responses
200
Filter details retrieved.
application/json
Responseany
get
GET /v1/sys/replication/performance/primary/dynamic-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
200

Filter details retrieved.

{
  "data": {
    "id": "filter-abc",
    "paths": [
      "auth/*"
    ]
  }
}

Enable performance primary replication.

post
Body
anyOptional
Responses
200
Replication enabled.
application/json
Responseany
post
POST /v1/sys/replication/performance/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "token": "s.PERF_PRIMARY_TOKEN_STRING"
}
200

Replication enabled.

{
  "data": {
    "message": "Primary replication enabled."
  }
}

Get a paths filter by ID.

get
Path parameters
idstringRequired
Responses
200
Filter details.
application/json
Responseany
get
GET /v1/sys/replication/performance/primary/paths-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
200

Filter details.

{
  "data": {
    "id": "paths-filter-xyz",
    "paths": [
      "secret/data/*"
    ]
  }
}

Create or update a paths filter.

post
Path parameters
idstringRequired
Body
anyOptional
Responses
200
Filter updated successfully.
application/json
Responseany
post
POST /v1/sys/replication/performance/primary/paths-filter/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "paths": [
    "secret/data/*"
  ]
}
200

Filter updated successfully.

{
  "data": {
    "message": "Paths filter updated."
  }
}

Delete a paths filter by ID.

delete
Path parameters
idstringRequired
Responses
204
Filter deleted successfully.
delete
DELETE /v1/sys/replication/performance/primary/paths-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
204

Filter deleted successfully.

No content

Revoke a secondary from the performance primary.

post
Responses
200
Secondary revoked successfully.
application/json
Responseany
post
POST /v1/sys/replication/performance/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Accept: */*
200

Secondary revoked successfully.

{
  "data": {
    "message": "Secondary revoked."
  }
}

Generate a secondary token.

post
Body
anyOptional
Responses
200
Token generated.
application/json
Responseany
post
POST /v1/sys/replication/performance/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46

{
  "secondary_cluster_name": "us-west-secondary"
}
200

Token generated.

{
  "data": {
    "token": "s.TOKENSTRING"
  }
}

Disable a performance secondary.

post
Responses
200
Secondary disabled.
application/json
Responseany
post
POST /v1/sys/replication/performance/secondary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
200

Secondary disabled.

{
  "data": {
    "message": "Secondary disabled."
  }
}

Get a secondary dynamic filter by ID.

get
Path parameters
idstringRequired
Responses
200
Filter information retrieved.
application/json
Responseany
get
GET /v1/sys/replication/performance/secondary/dynamic-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
200

Filter information retrieved.

{
  "data": {
    "id": "filter-123",
    "paths": [
      "auth/token/*"
    ]
  }
}

Enable performance secondary replication.

post
Body
anyOptional
Responses
200
Secondary enabled.
application/json
Responseany
post
POST /v1/sys/replication/performance/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29

{
  "token": "s.SECONDARY_TOKEN"
}
200

Secondary enabled.

{
  "data": {
    "message": "Secondary enabled."
  }
}

Generate public key for performance secondary.

post
Responses
200
Public key generated.
application/json
Responseany
post
POST /v1/sys/replication/performance/secondary/generate-public-key HTTP/1.1
Host: localhost:8200
Accept: */*
200

Public key generated.

{
  "data": {
    "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
  }
}

Promote performance secondary to primary.

post
Responses
200
Secondary promoted to primary.
application/json
Responseany
post
POST /v1/sys/replication/performance/secondary/promote HTTP/1.1
Host: localhost:8200
Accept: */*
200

Secondary promoted to primary.

{
  "data": {
    "message": "Secondary promoted to primary."
  }
}

Update primary information for the secondary.

post
Body
anyOptional
Responses
200
Primary updated successfully.
application/json
Responseany
post
POST /v1/sys/replication/performance/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 56

{
  "primary_api_addr": "https://vault-primary.example.com"
}
200

Primary updated successfully.

{
  "data": {
    "message": "Primary address updated."
  }
}

Get the status of performance replication.

get
Responses
200
Replication status returned.
application/json
Responseany
get
GET /v1/sys/replication/performance/status HTTP/1.1
Host: localhost:8200
Accept: */*
200

Replication status returned.

{
  "data": {
    "mode": "primary",
    "cluster_id": "cluster-xyz"
  }
}

Demote the current primary cluster.

post
Responses
200
Primary successfully demoted.
application/json
Responseany
post
POST /v1/sys/replication/primary/demote HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Primary cluster demoted."
  }
}

Disable the replication feature on the primary.

post
Responses
200
Replication disabled on primary.
application/json
Responseany
post
POST /v1/sys/replication/primary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Replication disabled on primary."
  }
}

Enable the primary cluster for replication.

post
Body
anyOptional
Responses
200
Primary replication enabled.
application/json
Responseany
post
POST /v1/sys/replication/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39

{
  "token": "s.PRIMARY_REPLICATION_TOKEN"
}
{
  "data": {
    "message": "Primary replication enabled."
  }
}

Revoke the replication relationship with a secondary.

post
Responses
200
Secondary successfully revoked.
application/json
Responseany
post
POST /v1/sys/replication/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Secondary replication revoked."
  }
}

Generate a token to be used by a secondary to join the primary.

post
Body
anyOptional
Responses
200
Token successfully generated.
application/json
Responseany
post
POST /v1/sys/replication/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 26

{
  "id": "secondary-us-east"
}
{
  "data": {
    "token": "s.abcdef123456"
  }
}

Trigger internal recovery of the replication state.

post
Responses
200
Recovery initiated.
application/json
Responseany
post
POST /v1/sys/replication/recover HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Recovery initiated successfully."
  }
}

Trigger a reindex of all replication state data.

post
Responses
200
Reindexing triggered.
application/json
Responseany
post
POST /v1/sys/replication/reindex HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Reindex triggered successfully."
  }
}

Disable replication on a secondary cluster.

post
Responses
200
Secondary replication disabled.
application/json
Responseany
post
POST /v1/sys/replication/secondary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Secondary disabled."
  }
}

Enable replication on a secondary cluster.

post
Body
anyOptional
Responses
200
Secondary replication enabled.
application/json
Responseany
post
POST /v1/sys/replication/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31

{
  "token": "s.replication-token"
}
{
  "data": {
    "message": "Secondary enabled."
  }
}

Promote a performance or DR secondary to become the primary.

post
Responses
200
Secondary successfully promoted.
application/json
Responseany
post
POST /v1/sys/replication/secondary/promote HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "message": "Secondary promoted to primary."
  }
}

Provide a new connection configuration to a primary from a secondary.

post
Body
anyOptional
Responses
200
Primary address updated successfully.
application/json
Responseany
post
POST /v1/sys/replication/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 133

{
  "primary_api_addr": "https://vault-primary.example.com:8200",
  "ca_file": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}
{
  "data": {
    "message": "Primary connection info updated."
  }
}

Get the current status of replication for this Vault node.

get
Responses
200
Current replication status returned.
application/json
Responseany
get
GET /v1/sys/replication/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "mode": "performance",
    "state": "secondary",
    "primary_cluster_addr": "https://vault-primary.example.com:8200",
    "known_secondaries": [
      {
        "cluster_id": "us-west-secondary",
        "api_address": "https://vault-us-west.example.com:8200"
      }
    ]
  }
}

Revokes a lease immediately.

post
Body
lease_idstringOptional

The lease identifier to revoke. This is included with a lease.

syncbooleanOptional

Whether or not to perform the revocation synchronously.

Default: true
url_lease_idstringOptional

The lease identifier to revoke. This is included with a lease.

Responses
204
OK
post
POST /v1/sys/revoke HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 53

{
  "lease_id": "text",
  "sync": true,
  "url_lease_id": "text"
}
204

OK

No content

Revokes all secrets or tokens generated under a given prefix immediately

post

Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.

By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.

Path parameters
prefixstringRequired

The path to revoke keys under. Example: "prod/aws/ops"

Responses
204
OK
post
POST /v1/sys/revoke-force/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.

post
Path parameters
prefixstringRequired

The path to revoke keys under. Example: "prod/aws/ops"

Body
syncbooleanOptional

Whether or not to perform the revocation synchronously.

Default: true
Responses
204
OK
post
POST /v1/sys/revoke-prefix/{prefix} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13

{
  "sync": true
}
204

OK

No content

Revokes a lease immediately.

post
Path parameters
url_lease_idstringRequired

The lease identifier to revoke. This is included with a lease.

Body
lease_idstringOptional

The lease identifier to revoke. This is included with a lease.

syncbooleanOptional

Whether or not to perform the revocation synchronously.

Default: true
Responses
204
OK
post
POST /v1/sys/revoke/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31

{
  "lease_id": "text",
  "sync": true
}
204

OK

No content

Rotate the backend encryption key.

post

Rotates the backend encryption key used to persist Vault data. This operation is a no-op if key rotation is disabled.

Responses
204
Key rotation successful. No content returned.
post
POST /v1/sys/rotate HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read encryption key rotation configuration.

get
Responses
200
Current encryption key rotation configuration.
application/json
get
GET /v1/sys/rotate/config HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "auto_rotate_period": "24h",
    "last_rotation_time": "2025-05-01T00:00:00Z"
  }
}

Configure encryption key rotation settings.

post
Body
enabledbooleanOptional

Whether automatic rotation is enabled.

intervalinteger · secondsOptional

How long after an active key term is installed before the key is automatically rotated.

max_operationsinteger · int64Optional

The number of encryption operations performed before the barrier key is automatically rotated.

Responses
204
Configuration updated successfully.
post
POST /v1/sys/rotate/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 28

{
  "auto_rotate_period": "24h"
}

No content

Seal the Vault.

post
Responses
204
OK
post
POST /v1/sys/seal HTTP/1.1
Host: localhost:8200
Accept: */*
204

OK

No content

Check the seal status of a Vault.

get
Responses
200
Success
application/json
get
GET /v1/sys/seal-status HTTP/1.1
Host: localhost:8200
Accept: */*
200
Success
{
  "build_date": "text",
  "cluster_id": "text",
  "cluster_name": "text",
  "hcp_link_resource_ID": "text",
  "hcp_link_status": "text",
  "initialized": true,
  "migration": true,
  "n": 1,
  "nonce": "text",
  "progress": 1,
  "recovery_seal": true,
  "sealed": true,
  "storage_type": "text",
  "t": 1,
  "type": "text",
  "version": "text"
}

Check sealwrap rewrap status

get

Returns information about keys or values that require rewrap due to changes in the underlying seal configuration.

Responses
200
Sealwrap rewrap status retrieved successfully.
application/json
Responseany
get
GET /v1/sys/sealwrap/rewrap HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys_to_rewrap": [
      "sys/policy/foo",
      "auth/token/accessor/bar"
    ],
    "total": 2
  }
}

Perform sealwrap rewrap

post

Triggers rewrap for keys encrypted with an old seal configuration. This may take time depending on the size of the data.

Body
anyOptional
Responses
200
Rewrap operation completed successfully.
application/json
Responseany
post
POST /v1/sys/sealwrap/rewrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 54

{
  "paths": [
    "sys/policy/foo",
    "auth/token/accessor/bar"
  ]
}
{
  "data": {
    "rewrapped_paths": [
      "sys/policy/foo",
      "auth/token/accessor/bar"
    ]
  }
}

Cause the node to give up active status.

post

This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.

Responses
204
empty body
post
POST /v1/sys/step-down HTTP/1.1
Host: localhost:8200
Accept: */*
204

empty body

No content

List all configured automatic snapshot jobs

get
Query parameters
liststring · enumRequired

Must be set to true

Possible values:
Responses
200
Successfully listed configured snapshot jobs.
application/json
Responseany
get
GET /v1/sys/storage/raft/snapshot-auto/config/ HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "keys": [
      "daily",
      "hourly"
    ]
  }
}

Read configuration for a specific snapshot job

get
Path parameters
namestringRequired

The name of the snapshot job configuration.

Responses
200
Snapshot job configuration retrieved.
application/json
Responseany
get
GET /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "interval": "1h",
    "retain": 5,
    "storage_path_prefix": "snapshots/hourly"
  }
}

Create or update a snapshot job configuration

post
Path parameters
namestringRequired

The name of the snapshot job configuration.

Body
anyOptional
Responses
200
Snapshot configuration saved successfully.
application/json
Responseany
post
POST /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 69

{
  "interval": "1h",
  "retain": 5,
  "storage_path_prefix": "snapshots/hourly"
}
{
  "data": {
    "interval": "1h",
    "retain": 5,
    "storage_path_prefix": "snapshots/hourly"
  }
}

Delete the specified snapshot job configuration

delete
Path parameters
namestringRequired

The name of the snapshot job configuration.

Responses
204
Snapshot configuration deleted. Empty response body.
delete
DELETE /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Accept: */*

No content

Read status of a named snapshot job

get
Path parameters
namestringRequired

The name of the snapshot job

Responses
200
Status of the snapshot job retrieved successfully.
application/json
Responseany
get
GET /v1/sys/storage/raft/snapshot-auto/status/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
  "data": {
    "last_snapshot": "2025-05-01T10:00:00Z",
    "next_snapshot_due": "2025-05-01T11:00:00Z",
    "state": "active"
  }
}

Generate a hash sum for input data using a configured default algorithm

post

Accepts raw input data and returns its hash digest using Vault's configured default hash algorithm.

Body
algorithmstringOptional

Algorithm to use (POST body parameter). Valid values are sha2-224, sha2-256, sha2-384 and sha2-512. Defaults to "sha2-256".

Default: sha2-256
formatstringOptional

Encoding format to use. Can be "hex" or "base64". Defaults to "hex".

Default: hex
inputstringOptional

The base64-encoded input data

urlalgorithmstringOptional

Algorithm to use (POST URL parameter)

Responses
200
Hash generated successfully.
application/json
post
POST /v1/sys/tools/hash HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 28

{
  "input": "SGVsbG8sIFZhdWx0"
}
{
  "data": {
    "sum": "a830d7beb04eb7549ce990fb7dc962e499a27230"
  }
}

Generate a hash sum for input data using a specific algorithm

post

Accepts raw input data and returns its hash digest using the algorithm specified in the URL.

Path parameters
urlalgorithmstringRequired

The hash algorithm to use (e.g., sha2-256, sha2-512)

Body
algorithmstringOptional

Algorithm to use (POST body parameter). Valid values are sha2-224, sha2-256, sha2-384 and sha2-512. Defaults to "sha2-256".

Default: sha2-256
formatstringOptional

Encoding format to use. Can be "hex" or "base64". Defaults to "hex".

Default: hex
inputstringOptional

The base64-encoded input data

Responses
200
Hash generated successfully using the specified algorithm.
application/json
post
POST /v1/sys/tools/hash/{urlalgorithm} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 28

{
  "input": "SGVsbG8sIFZhdWx0"
}
{
  "data": {
    "sum": "2cf24dba5fb0a030e..."
  }
}
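As an added example (not part of this API reference), a small client-side helper in Python for the /v1/sys/tools/hash and /v1/sys/tools/hash/{urlalgorithm} endpoints above: it base64-encodes the raw bytes as the `input` parameter requires, and recomputes the digest locally so the `data.sum` in a response can be checked. The function names and the sample response are constructed here, not Vault's own code.

```python
import base64
import hashlib

# Algorithm names accepted by the endpoint, mapped to hashlib constructors.
_ALGORITHMS = {
    "sha2-224": hashlib.sha224,
    "sha2-256": hashlib.sha256,
    "sha2-384": hashlib.sha384,
    "sha2-512": hashlib.sha512,
}
_FORMATS = ("hex", "base64")


def build_hash_request(data: bytes, algorithm: str = "sha2-256", fmt: str = "hex") -> dict:
    """Build the JSON body for POST /v1/sys/tools/hash (hypothetical helper).

    The endpoint's `input` field carries base64-encoded bytes, so the raw data is
    encoded here instead of being sent as a literal string.
    """
    if algorithm not in _ALGORITHMS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if fmt not in _FORMATS:
        raise ValueError(f"unsupported format: {fmt}")
    return {
        "input": base64.b64encode(data).decode("ascii"),
        "algorithm": algorithm,
        "format": fmt,
    }


def expected_sum(data: bytes, algorithm: str = "sha2-256", fmt: str = "hex") -> str:
    """Compute locally what the endpoint should return in data.sum for these inputs."""
    digest = _ALGORITHMS[algorithm](data).digest()
    if fmt == "hex":
        return digest.hex()
    return base64.b64encode(digest).decode("ascii")


def verify_hash_response(response: dict, data: bytes,
                         algorithm: str = "sha2-256", fmt: str = "hex") -> bool:
    """True when data.sum in the response equals the locally computed digest.

    A mismatch usually means the request was malformed (for example `input` sent as
    plain text rather than base64) or the response was altered in transit.
    """
    actual = response.get("data", {}).get("sum")
    return actual is not None and actual == expected_sum(data, algorithm, fmt)


# Constructed sample response: sha2-256 of b"hello", hex-encoded, in the shape
# shown on this page.
SAMPLE_RESPONSE = {"data": {"sum": hashlib.sha256(b"hello").hexdigest()}}

if __name__ == "__main__":
    print(build_hash_request(b"Hello, Vault"))  # input becomes "SGVsbG8sIFZhdWx0"
    print(verify_hash_response(SAMPLE_RESPONSE, b"hello"))  # True
```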

Generate random bytes using the default platform source

post
Body
bytesintegerOptional

The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).

Default: 32
formatstringOptional

Encoding format to use. Can be "hex" or "base64". Defaults to "base64".

Default: base64
sourcestringOptional

Which system to source random data from, either "platform", "seal", or "all".

Default: platform
urlbytesstringOptional

The number of bytes to generate (POST URL parameter)

Responses
200
Random bytes generated successfully.
application/json
post
POST /v1/sys/tools/random HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "bytes": 32,
  "format": "hex"
}
{
  "data": {
    "random_bytes": "a1b2c3d4e5f67890"
  }
}

Generate random bytes using a specified source

post
Path parameters
sourcestring · enumRequired

Source to generate randomness from

Default: platform
Possible values:
Body
bytesintegerOptional

The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).

Default: 32
formatstringOptional

Encoding format to use. Can be "hex" or "base64". Defaults to "base64".

Default: base64
urlbytesstringOptional

The number of bytes to generate (POST URL parameter)

Responses
200
Random bytes generated successfully from specified source.
application/json
post
POST /v1/sys/tools/random/{source} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 30

{
  "bytes": 16,
  "format": "base64"
}
{
  "data": {
    "random_bytes": "QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
  }
}

Generate a specific number of random bytes

post
Path parameters
urlbytesstringRequired

Number of bytes to generate

Body
bytesintegerOptional

The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).

Default: 32
formatstringOptional

Encoding format to use. Can be "hex" or "base64". Defaults to "base64".

Default: base64
sourcestringOptional

Which system to source random data from, either "platform", "seal", or "all".

Default: platform
Responses
200
Random bytes generated successfully.
application/json
post
POST /v1/sys/tools/random/{urlbytes} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16

{
  "format": "hex"
}
{
  "data": {
    "random_bytes": "f4e9d..."
  }
}

Generate a specific number of random bytes from a given source

post
Path parameters
sourcestring · enumRequired

Source to generate randomness from

Possible values:
urlbytesstringRequired

Number of bytes to generate

Body
bytesintegerOptional

The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).

Default: 32
formatstringOptional

Encoding format to use. Can be "hex" or "base64". Defaults to "base64".

Default: base64
Responses
200
Random bytes generated successfully.
application/json
post
POST /v1/sys/tools/random/{source}/{urlbytes} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 19

{
  "format": "base64"
}
{
  "data": {
    "random_bytes": "bW9yZSByYW5kb20gYnl0ZXM="
  }
}

Unseal the Vault.

post
Body
keystringOptional

Specifies a single unseal key share. This is required unless reset is true.

resetbooleanOptional

Specifies if previously-provided unseal keys are discarded and the unseal process is reset.

Responses
200
Success
application/json
post
POST /v1/sys/unseal HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27

{
  "key": "text",
  "reset": true
}
200
Success
{
  "build_date": "text",
  "cluster_id": "text",
  "cluster_name": "text",
  "hcp_link_resource_ID": "text",
  "hcp_link_status": "text",
  "initialized": true,
  "migration": true,
  "n": 1,
  "nonce": "text",
  "progress": 1,
  "recovery_seal": true,
  "sealed": true,
  "storage_type": "text",
  "t": 1,
  "type": "text",
  "version": "text"
}

Returns map of historical version change entries

get
Query parameters
liststring · enumRequired

Must be set to true

Possible values:
Responses
200
OK
application/json
get
GET /v1/sys/version-history HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "key_info": {},
  "keys": [
    "text"
  ]
}

Look up wrapping properties for the requester's token.

get
Responses
200
OK
application/json
get
GET /v1/sys/wrapping/lookup HTTP/1.1
Host: localhost:8200
Accept: */*
200

OK

{
  "creation_path": "text",
  "creation_time": "2025-06-26T08:53:25.381Z",
  "creation_ttl": 1
}

Look up wrapping properties for the given token.

post
Body
tokenstringOptional
Responses
200
OK
application/json
post
POST /v1/sys/wrapping/lookup HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16

{
  "token": "text"
}
200

OK

{
  "creation_path": "text",
  "creation_time": "2025-06-26T08:53:25.381Z",
  "creation_ttl": 1
}

Rotates a response-wrapped token

post

Accepts a response-wrapped token and returns a new wrapped token.

Body
tokenstringOptional
Responses
200
Successfully rewrapped token
application/json
Responseany
post
POST /v1/sys/wrapping/rewrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34

{
  "token": "hvs.XYZwrappedtoken123"
}
{
  "wrap_info": {
    "token": "hvs.newwrappedtoken456",
    "ttl": 300
  }
}

Unwraps a response-wrapped token

post

Unwraps a token and returns the original payload.

Body
tokenstringOptional
Responses
200
Token unwrapped successfully
application/json
Responseany
post
POST /v1/sys/wrapping/unwrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31

{
  "token": "hvs.wrappedtoken123"
}
{
  "data": {
    "foo": "bar",
    "secret": "vault"
  }
}

Response-wraps an arbitrary JSON object

post

Accepts a JSON object and returns it wrapped in a token.

Body
anyOptional
Responses
200
Object wrapped successfully
application/json
Responseany
post
POST /v1/sys/wrapping/wrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29

{
  "foo": "bar",
  "user_id": "123"
}
{
  "wrap_info": {
    "token": "hvs.wrappedtoken789",
    "ttl": 300
  }
}
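Added example, not part of this API reference: client-side handling in Python of the wrap, lookup and unwrap responses shown above. Before unwrapping, it checks the lookup's creation_path against the path the token was expected to come from and that the current time is within creation_ttl of creation_time. All function names and sample responses are constructed, with sample values taken from this page; the assumption that a token created by /v1/sys/wrapping/wrap reports creation_path "sys/wrapping/wrap" is mine.

```python
from datetime import datetime, timedelta


def parse_vault_time(value: str) -> datetime:
    """Parse the RFC 3339 timestamps Vault returns, e.g. '2025-06-26T08:53:25.381Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def wrap_token_from_response(wrap_response: dict) -> tuple:
    """Return (token, ttl) from a /v1/sys/wrapping/wrap or /rewrap response."""
    info = wrap_response["wrap_info"]
    return info["token"], int(info["ttl"])


def build_token_request(token: str) -> dict:
    """Body shared by the lookup, rewrap and unwrap endpoints: {"token": ...}."""
    return {"token": token}


def validate_wrap_lookup(lookup: dict, expected_creation_path: str, now: str) -> tuple:
    """Decide from a /v1/sys/wrapping/lookup response whether a token is safe to unwrap.

    Returns (ok, reason). The checks:
      * creation_path must be the path that was supposed to create the token; any
        other path means the token came from a flow the receiver did not expect.
      * `now` (RFC 3339) must fall before creation_time + creation_ttl.
    """
    path = lookup.get("creation_path")
    if path != expected_creation_path:
        return False, f"unexpected creation_path {path!r}"
    created = parse_vault_time(lookup["creation_time"])
    expires = created + timedelta(seconds=int(lookup["creation_ttl"]))
    if parse_vault_time(now) >= expires:
        return False, "wrapping token has expired"
    return True, "ok"


def receive_wrapped_payload(lookup: dict, unwrap_response: dict,
                            expected_creation_path: str, now: str) -> dict:
    """Run the lookup checks, then return the object carried in the unwrap response."""
    ok, reason = validate_wrap_lookup(lookup, expected_creation_path, now)
    if not ok:
        raise ValueError(reason)
    return dict(unwrap_response.get("data", {}))


# Constructed sample responses in the shapes shown on this page.
SAMPLE_WRAP = {"wrap_info": {"token": "hvs.wrappedtoken789", "ttl": 300}}
SAMPLE_LOOKUP = {
    "creation_path": "sys/wrapping/wrap",  # assumed path for tokens from /wrap
    "creation_time": "2025-06-26T08:53:25.381Z",
    "creation_ttl": 300,
}
SAMPLE_UNWRAP = {"data": {"foo": "bar", "user_id": "123"}}

if __name__ == "__main__":
    token, ttl = wrap_token_from_response(SAMPLE_WRAP)
    print(build_token_request(token), ttl)
    print(receive_wrapped_payload(SAMPLE_LOOKUP, SAMPLE_UNWRAP,
                                  "sys/wrapping/wrap", "2025-06-26T08:55:00Z"))
```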
