System
GET /v1/sys/audit HTTP/1.1
Host: localhost:8200
Accept: */*
{
"file/": {
"type": "file",
"description": "Logs to a file",
"options": {
"file_path": "/var/log/vault_audit.log"
},
"local": true,
"seal_wrap": false,
"state": "enabled"
}
}
The name of the audit backend. Cannot be delimited. Example: 'mysql'
POST /v1/sys/audit-hash/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34
{
"input": "sensitive-secret-value"
}
{
"hash": "hmac-sha256:af4fd66bc72a1a1dc6c9c3bfa20c4ee7b7fda77a824..."
}
The name of the backend. Cannot be delimited. Example: 'mysql'
User-friendly description for this audit backend.
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
Configuration options for the audit backend.
The type of the backend. Example: "mysql"
POST /v1/sys/audit/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 107
{
"type": "file",
"description": "Logs to a file",
"options": {
"file_path": "/var/log/vault_audit.log"
}
}
{}
The name of the backend. Cannot be delimited. Example: 'mysql'
DELETE /v1/sys/audit/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{}
The path to mount to. Cannot be delimited. Example: 'user'
GET /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"type": "userpass",
"description": "User/password based authentication",
"config": {
"default_lease_ttl": "768h",
"max_lease_ttl": "768h"
}
}
After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. For example, enabling the "userpass" auth method at "user" will make it accessible at /auth/user.
The path to mount to. Cannot be delimited. Example: 'user'
Configuration for this mount, such as plugin_name.
User-friendly description for this credential backend.
Whether to give the mount access to Vault's external entropy.
false
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
The options to pass into the backend. Should be a json object with string keys and values.
Name of the auth plugin to use based from the name in the plugin catalog.
The semantic version of the plugin to use.
Whether to turn on seal wrapping for the mount.
false
The type of the backend. Example: "userpass"
POST /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 132
{
"type": "userpass",
"description": "Enable user/password authentication",
"config": {
"default_lease_ttl": "768h",
"max_lease_ttl": "768h"
}
}
{}
The path to mount to. Cannot be delimited. Example: 'user'
DELETE /v1/sys/auth/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
{}
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
Tune the configuration parameters for an auth path.
GET /v1/sys/auth/{path}/tune HTTP/1.1
Host: localhost:8200
Accept: */*
{
"default_lease_ttl": "768h",
"max_lease_ttl": "768h",
"audit_non_hmac_request_keys": [
"user"
],
"audit_non_hmac_response_keys": [
"metadata"
],
"listing_visibility": "unauth",
"passthrough_request_headers": [
"X-My-Header"
]
}
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
Tune the configuration parameters for an auth path.
A list of headers to whitelist and allow a plugin to set on responses.
The list of keys in the request data object that will not be HMAC'ed by audit devices.
The list of keys in the response data object that will not be HMAC'ed by audit devices.
The default lease TTL for this mount.
User-friendly description for this credential backend.
Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'.
The max lease TTL for this mount.
The options to pass into the backend. Should be a json object with string keys and values.
A list of headers to whitelist and pass from the request to the plugin.
The semantic version of the plugin to use.
The type of token to issue (service or batch).
The user lockout configuration to pass into the backend. Should be a json object with string keys and values.
POST /v1/sys/auth/{path}/tune HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 165
{
"default_lease_ttl": "500h",
"max_lease_ttl": "900h",
"listing_visibility": "unauth",
"audit_non_hmac_request_keys": [
"username"
],
"audit_non_hmac_response_keys": [
"token"
]
}
{}
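The audit-hash endpoint above and the audit_non_hmac_request_keys / audit_non_hmac_response_keys tune parameters are two sides of the same mechanism: every string value in a request or response is written to the audit log as an HMAC-SHA256 keyed with a per-device salt, except the keys you exempt. The following is an added example, not Vault's code: the device key is a constructed stand-in for the salt Vault keeps internally, and the log entries are constructed. It shows how to take the hash that sys/audit-hash/{path} returns for a known value and locate every audit entry that touched that value, and what exempting "token" from hashing (as in the tune request above) does to the log.

```python
import hashlib
import hmac
import json
from typing import Dict, Iterable, List, Set

# Constructed stand-in for the per-device HMAC salt key that Vault keeps
# internally. Because every audit device has its own key, the hash of a value
# differs between devices; sys/audit-hash/{device} exists so you never need it.
DEVICE_HMAC_KEY = b"constructed-audit-device-salt-key"


def audit_hash(value: str, key: bytes = DEVICE_HMAC_KEY) -> str:
    """Render a value the way it appears in the audit log (and in the
    audit-hash response): "hmac-sha256:" followed by hex HMAC-SHA256."""
    return "hmac-sha256:" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def audit_entry(data: Dict[str, object], non_hmac_keys: Set[str] = frozenset()) -> Dict[str, object]:
    """HMAC each string value except the keys listed in the mount's
    audit_non_hmac_request_keys / audit_non_hmac_response_keys."""
    return {
        k: audit_hash(v) if isinstance(v, str) and k not in non_hmac_keys else v
        for k, v in data.items()
    }


def find_entries(entries: Iterable[dict], target_hash: str) -> List[dict]:
    """Return entries whose request or response data carries target_hash,
    i.e. every call that saw the value you asked sys/audit-hash about."""
    hits = []
    for entry in entries:
        for section in ("request", "response"):
            if target_hash in entry.get(section, {}).get("data", {}).values():
                hits.append(entry)
                break
    return hits


# Constructed audit log written by a device with the key above. The second
# entry is a login on a mount tuned with audit_non_hmac_request_keys=["username"]
# and audit_non_hmac_response_keys=["token"]: the token lands in the log in clear.
LOG_LINES = [
    json.dumps({"type": "request", "time": "2025-01-10T08:45:00Z",
                "request": {"path": "secret/data/finance",
                            "data": audit_entry({"password": "sensitive-secret-value"})}}),
    json.dumps({"type": "response", "time": "2025-01-10T08:46:00Z",
                "request": {"path": "auth/userpass/login/alice",
                            "data": audit_entry({"username": "alice", "password": "hunter2"},
                                                {"username"})},
                "response": {"data": audit_entry({"token": "s.QKJ123abcXYZ"}, {"token"})}}),
    json.dumps({"type": "request", "time": "2025-01-10T08:47:00Z",
                "request": {"path": "sys/policy", "data": {}}}),
]
LOG_ENTRIES = [json.loads(line) for line in LOG_LINES]

if __name__ == "__main__":
    wanted = audit_hash("sensitive-secret-value")   # what audit-hash would return
    for e in find_entries(LOG_ENTRIES, wanted):
        print(e["time"], e["request"]["path"])
```

Exempting a key is a permanent disclosure: once "token" is in audit_non_hmac_response_keys, every client token issued through that mount is readable by whoever can read the audit log, so keep the exempt lists to low-sensitivity fields such as usernames or metadata.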
Deprecated: use 'paths' instead.
Paths on which capabilities are being queried.
Token for which capabilities are being queried.
POST /v1/sys/capabilities HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 58
{
"paths": [
"secret/data/finance",
"auth/token/lookup-self"
]
}
{
"capabilities": [
"create",
"read",
"update"
]
}
Accessor of the token for which capabilities are being queried.
Deprecated: use 'paths' instead.
Paths on which capabilities are being queried.
POST /v1/sys/capabilities-accessor HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 91
{
"accessor": "dcb1dd7d-4bfc-3957-4b5d-b1595b0c099c",
"paths": [
"secret/data/hr",
"sys/policy"
]
}
{
"capabilities": [
"read",
"list"
]
}
Deprecated: use 'paths' instead.
Paths on which capabilities are being queried.
Token for which capabilities are being queried.
POST /v1/sys/capabilities-self HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 43
{
"paths": [
"secret/data/team",
"sys/policy"
]
}
{
"capabilities": [
"read",
"list"
]
}
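The three capability endpoints above differ only in how the token is identified: by value (sys/capabilities), by accessor (sys/capabilities-accessor), or implicitly as the caller (sys/capabilities-self). The response maps each queried path to its capability list, and two values are special: "root" grants everything and "deny" overrides anything else. The following added example (not Vault's code; the response is constructed) builds the request body for each variant and diffs a response against what a workload needs before it starts, which is the pre-flight check most deployments want.

```python
from typing import Dict, Iterable, Mapping, Optional, Set, Tuple

# Capability names Vault can return for a path; "root" and "deny" are special.
ALL_CAPS = {"create", "read", "update", "delete", "list", "sudo", "patch"}


def capabilities_request(paths: Iterable[str], token: Optional[str] = None,
                         accessor: Optional[str] = None) -> Tuple[str, dict]:
    """Build (endpoint, JSON body) for the three capability endpoints.

    sys/capabilities-self reports on the calling token and needs no identifier,
    so it is the one for a workload's own pre-flight check; the other two need
    permission to inspect someone else's token (by value or by accessor)."""
    body = {"paths": list(paths)}
    if token is not None:
        return "sys/capabilities", {**body, "token": token}
    if accessor is not None:
        return "sys/capabilities-accessor", {**body, "accessor": accessor}
    return "sys/capabilities-self", body


def effective_caps(granted: Iterable[str]) -> Set[str]:
    """Normalise one path's list: 'deny' beats everything, 'root' grants everything."""
    granted = set(granted)
    if "deny" in granted:
        return set()
    if "root" in granted:
        return set(ALL_CAPS)
    return granted & ALL_CAPS


def missing_capabilities(response: Mapping[str, list],
                         required: Mapping[str, Set[str]]) -> Dict[str, Set[str]]:
    """Diff a capabilities response against what the workload needs.

    The response maps each queried path to its capability list (the top-level
    'capabilities' key repeats the first path's list and is ignored here). A path
    absent from the response is treated as denied."""
    missing = {}
    for path, need in required.items():
        gap = set(need) - effective_caps(response.get(path, ["deny"]))
        if gap:
            missing[path] = gap
    return missing


# Constructed sys/capabilities-self response for the two paths in the request above.
RESPONSE = {"capabilities": ["read", "list"],
            "secret/data/team": ["read", "list"],
            "sys/policy": ["deny"]}

if __name__ == "__main__":
    print(capabilities_request(["secret/data/team", "sys/policy"]))
    print(missing_capabilities(RESPONSE, {"secret/data/team": {"read", "update"},
                                          "sys/policy": {"read"}}))
```

Prefer sys/capabilities-self from application code: sending another token's value to sys/capabilities puts a second credential on the wire and in the audit log, and the accessor variant is the right tool for operators checking someone else's token.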
GET /v1/sys/config/auditing/request-headers HTTP/1.1
Host: localhost:8200
Accept: */*
{
"headers": [
{
"name": "X-Request-ID",
"hmac": true
},
{
"name": "Authorization",
"hmac": false
}
]
}
The name of the request header to audit.
X-Request-ID
GET /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "X-Request-ID",
"hmac": true
}
The name of the request header to audit.
X-Request-ID
POST /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13
{
"hmac": true
}
No content
The name of the request header to audit.
X-Request-ID
DELETE /v1/sys/config/auditing/request-headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
GET /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Accept: */*
{
"control_group": {
"enforcement_level": "soft-mandatory",
"thresholds": {
"approvals": 2,
"reviewers": [
"team-leads",
"security-admins"
]
}
}
}
POST /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 130
{
"control_group": {
"enforcement_level": "soft-mandatory",
"thresholds": {
"approvals": 2,
"reviewers": [
"team-leads",
"security-admins"
]
}
}
}
{
"control_group": {
"enforcement_level": "soft-mandatory",
"thresholds": {
"approvals": 2,
"reviewers": [
"team-leads",
"security-admins"
]
}
}
}
DELETE /v1/sys/config/control-group HTTP/1.1
Host: localhost:8200
Accept: */*
No content
GET /v1/sys/config/cors HTTP/1.1
Host: localhost:8200
Accept: */*
{
"enabled": true,
"allowed_origins": [
"https://example.com"
],
"allowed_headers": [
"X-Custom-Header"
],
"allowed_methods": [
"GET",
"POST"
],
"allow_credentials": true,
"expose_headers": [
"X-Expose-This"
]
}
A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.
A comma-separated string or array of strings indicating origins that may make cross-origin requests.
Enables or disables CORS headers on requests.
POST /v1/sys/config/cors HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 205
{
"enabled": true,
"allowed_origins": [
"https://example.com"
],
"allowed_headers": [
"Authorization",
"X-Custom-Header"
],
"allowed_methods": [
"GET",
"POST"
],
"allow_credentials": true,
"expose_headers": [
"X-Expose-This"
]
}
No content
GET /v1/sys/config/group-policy-application HTTP/1.1
Host: localhost:8200
Accept: */*
{
"enabled": true,
"default_policy": "default",
"override_allowed": false
}
POST /v1/sys/config/group-policy-application HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 68
{
"enabled": true,
"default_policy": "default",
"override_allowed": false
}
Group policy application configuration updated successfully.
No content
The name of the subsystem to reload.
plugin-catalog
POST /v1/sys/config/reload/{subsystem} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 2
{}
No content
The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.
GET /v1/sys/config/state/sanitized HTTP/1.1
Host: localhost:8200
Accept: */*
{
"listener": [
{
"tcp": {
"address": "127.0.0.1:8200",
"tls_disable": true
}
}
],
"storage": {
"file": {
"path": "<stripped>"
}
},
"seal": {
"type": "<stripped>"
},
"telemetry": {
"dogstatsd_addr": "localhost:8125",
"circonus_api_token": "<stripped>"
}
}
Must be set to true
GET /v1/sys/config/ui/headers?list=true HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"text"
]
}
The name of the header.
GET /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"value": "text",
"values": [
"text"
]
}
The name of the header.
Returns multiple values if true
The values to set the header.
POST /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 32
{
"value": "example-header-value"
}
No content
The name of the header.
DELETE /v1/sys/config/ui/headers/{header} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The control group ID to authorize.
POST /v1/sys/control-group/authorize HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 63
{
"group_id": "control-group-123",
"permissions": [
"read",
"write"
]
}
No content
Unique identifier for the control group request.
POST /v1/sys/control-group/request HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 88
{
"request_id": "request-456",
"data": {
"operation": "access-database",
"resource": "db-prod"
}
}
{
"status": "success",
"message": "Control group request submitted successfully."
}
This endpoint decodes an encoded token using the provided one-time password (OTP). It can be used in unauthenticated contexts.
Specifies the encoded token (result from generate-root).
Specifies the otp code for decode.
POST /v1/sys/decode-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46
{
"token": "encoded-token-value",
"otp": "123456"
}
{
"decoded_token": "decoded-value"
}
GET /v1/sys/experiments HTTP/1.1
Host: localhost:8200
Accept: */*
{
"features": [
{
"name": "new-auth-method",
"enabled": true
},
{
"name": "faster-raft-replication",
"enabled": false
}
]
}
Returns the configuration and progress details of the ongoing root token generation process.
GET /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Accept: */*
{
"complete": true,
"encoded_root_token": "text",
"encoded_token": "text",
"nonce": "text",
"otp": "text",
"otp_length": 1,
"pgp_fingerprint": "text",
"progress": 1,
"required": 1,
"started": true
}
Starts a new root generation attempt. Only one attempt can be active at a time. Either otp or pgp_key must be provided.
Specifies a base64-encoded PGP public key.
POST /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 81
{
"otp": "otp-secret-string",
"pgp_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n..."
}
{
"complete": true,
"encoded_root_token": "text",
"encoded_token": "text",
"nonce": "text",
"otp": "text",
"otp_length": 1,
"pgp_fingerprint": "text",
"progress": 1,
"required": 1,
"started": true
}
Cancels any in-progress root token generation attempt, allowing a new attempt to be started.
DELETE /v1/sys/generate-root HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Returns configuration and current progress details for an active root token generation attempt.
GET /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Accept: */*
{
"complete": true,
"encoded_root_token": "text",
"encoded_token": "text",
"nonce": "text",
"otp": "text",
"otp_length": 1,
"pgp_fingerprint": "text",
"progress": 1,
"required": 1,
"started": true
}
Starts a new root generation attempt. Only one attempt can be active at a time. Either otp or pgp_key must be provided.
Specifies a base64-encoded PGP public key.
POST /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 81
{
"otp": "otp-secret-string",
"pgp_key": "-----BEGIN PGP PUBLIC KEY BLOCK-----\n..."
}
{
"complete": true,
"encoded_root_token": "text",
"encoded_token": "text",
"nonce": "text",
"otp": "text",
"otp_length": 1,
"pgp_fingerprint": "text",
"progress": 1,
"required": 1,
"started": true
}
Cancels any in-progress root token generation attempt to allow a new one to begin.
DELETE /v1/sys/generate-root/attempt HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Submits a single unseal key share for the active root generation attempt. If the required threshold of key shares is reached, Vault completes the root token generation and issues the new token. The attempt nonce must be provided with each call.
Specifies a single unseal key share.
Specifies the nonce of the attempt.
POST /v1/sys/generate-root/update HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 64
{
"key": "unseal-key-share-string",
"nonce": "attempt-nonce-string"
}
{
"complete": true,
"encoded_root_token": "text",
"encoded_token": "text",
"nonce": "text",
"otp": "text",
"otp_length": 1,
"pgp_fingerprint": "text",
"progress": 1,
"required": 1,
"started": true
}
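The encoded_token returned once the threshold is met, and the sys/decode-token endpoint above, are the two ends of a one-time pad: the new root token is XOR-ed byte for byte with the OTP that the initiator received when the attempt started, then base64-encoded without padding. Anyone who obtains only the encoded token (from the API response, the audit log, or a chat paste) learns nothing about the root token; anyone holding only the OTP learns nothing either. The following is an added reconstruction, not Vault's code, with constructed OTP and token values; the decode side is what `vault operator generate-root -decode` does locally, and doing it locally means the OTP never has to be sent to the server.

```python
import base64
import secrets
import string

OTP_ALPHABET = string.ascii_letters + string.digits


def generate_otp(length: int) -> str:
    """Random OTP of the length the server reports as otp_length."""
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(length))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """One-time-pad combine; lengths must match exactly or the pad is misused."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} vs {len(b)} bytes")
    return bytes(x ^ y for x, y in zip(a, b))


def encode_token(token: str, otp: str) -> str:
    """Server side: XOR the fresh root token with the OTP, base64 without padding."""
    return base64.b64encode(xor_bytes(token.encode(), otp.encode())).decode().rstrip("=")


def decode_token(encoded: str, otp: str) -> str:
    """Client side, equivalent to POST sys/decode-token but done locally:
    restore padding, base64-decode, XOR with the OTP."""
    raw = base64.b64decode(encoded + "=" * (-len(encoded) % 4))
    return xor_bytes(raw, otp.encode()).decode()


# Constructed values; a real OTP has the length given by otp_length in the
# generate-root response and the token issued by Vault has that same length.
OTP = "ZmQxNWVjYWQ0NDk4NTI2MjIyNw"
TOKEN = "hvs.EXAMPLEexampleEXAMPLE1"

if __name__ == "__main__":
    encoded = encode_token(TOKEN, OTP)
    print("encoded_token:", encoded)            # safe to pass around on its own
    print("decoded:", decode_token(encoded, OTP))
```

The length check is the important edge case: an OTP that is one character short (or an OTP from a different attempt) must be rejected rather than silently decoding to garbage, which is why decode_token refuses any length mismatch.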
Retrieves detailed information regarding the HA cluster setup, including whether the node is active, standby, and information about the leader.
GET /v1/sys/ha-status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"nodes": [
{}
]
}
Returns different HTTP status codes depending on Vault's current state:
- 200: Vault is initialized, unsealed, and active.
- 429: Vault is unsealed and in standby mode.
- 472: Vault is a disaster recovery replication secondary and active.
- 473: Vault is a performance standby.
- 501: Vault is not initialized.
- 503: Vault is sealed and unavailable.
GET /v1/sys/health HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Collects and returns host-level system information including hardware details, CPU utilization, disk usage, and memory statistics. Useful for monitoring the resource consumption of the Vault instance.
GET /v1/sys/host-info HTTP/1.1
Host: localhost:8200
Accept: */*
{
"cpu": [
{}
],
"cpu_times": [
{}
],
"disk": [
{}
],
"host": {},
"memory": {},
"timestamp": "2025-06-26T08:53:25.381Z"
}
Returns a map of ongoing API requests ("in-flight requests") to assist with debugging and load monitoring. Each entry provides information such as client details, request path, and duration.
GET /v1/sys/in-flight-req HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Checks whether Vault has already been initialized. This endpoint returns the initialization status without making any modifications to the Vault state.
GET /v1/sys/init HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Initializes the Vault server. Initialization is a one-time operation. After successful initialization, Vault will generate a set of unseal keys and an initial root token. If using HSM, recovery and stored shares options can be configured during this process.
Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as recovery_shares.
Specifies the number of shares to split the recovery key into.
Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to recovery_shares.
Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation.
Specifies the number of shares to split the unseal key into.
Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as secret_shares.
POST /v1/sys/init HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 101
{
"secret_shares": 5,
"secret_threshold": 3,
"recovery_shares": 1,
"recovery_threshold": 1,
"stored_shares": 0
}
Returns the unseal key shares (keys and keys_base64) and the initial root token (root_token); when PGP keys were supplied, each share and the token are encrypted to the corresponding key. These values are shown once and are not retrievable afterwards.
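secret_shares and secret_threshold describe a Shamir secret-sharing split of the master key: the key is cut byte by byte into secret_shares points on a random polynomial whose constant term is the secret and whose degree is secret_threshold - 1, so any secret_threshold shares interpolate the key back and any fewer reveal nothing about it. The following is an added example, not Vault's code; the field (GF(2^8) with the AES polynomial) and the share layout are assumptions for illustration and do not reproduce Vault's own share encoding, and the secret is constructed. It shows the 5/3 split from the request above and why nothing stops a too-small quorum from producing garbage.

```python
import random
import secrets
from typing import List, Optional


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """a^254 == a^-1 in GF(2^8); zero has no inverse."""
    if a == 0:
        raise ZeroDivisionError("no inverse for 0")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def eval_poly(coeffs: List[int], x: int) -> int:
    """Horner's rule; coeffs[0] is the constant term (the secret byte)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split(secret: bytes, shares: int, threshold: int,
          rng: Optional[random.Random] = None) -> List[bytes]:
    """Return `shares` shares, each len(secret) y-bytes plus its x-coordinate."""
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    rand = rng.randrange if rng else secrets.randbelow
    xs = range(1, shares + 1)                      # distinct, non-zero x values
    ys = [bytearray() for _ in xs]
    for s in secret:
        coeffs = [s] + [rand(256) for _ in range(threshold - 1)]
        for y, x in zip(ys, xs):
            y.append(eval_poly(coeffs, x))
    return [bytes(y) + bytes([x]) for y, x in zip(ys, xs)]


def combine(shares: List[bytes]) -> bytes:
    """Lagrange interpolation at x = 0 for every byte position.
    Nothing here knows the threshold: too few shares yield garbage, not an error."""
    xs = [s[-1] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    out = bytearray()
    for pos in range(len(shares[0]) - 1):
        acc = 0
        for i, xi in enumerate(xs):
            basis = 1
            for xj in xs:
                if xj != xi:
                    basis = gf_mul(basis, gf_mul(xj, gf_inv(xi ^ xj)))
            acc ^= gf_mul(shares[i][pos], basis)
        out.append(acc)
    return bytes(out)


def seeded_split(secret: bytes, shares: int, threshold: int, seed: int) -> List[bytes]:
    """Deterministic variant for reproducible demos only; never seed real key material."""
    return split(secret, shares, threshold, random.Random(seed))


if __name__ == "__main__":
    master = secrets.token_bytes(32)                # constructed stand-in for the master key
    parts = split(master, shares=5, threshold=3)    # secret_shares=5, secret_threshold=3
    assert combine(parts[:3]) == master and combine(parts[2:]) == master
    print("2 of 5 shares recover the key:", combine(parts[:2]) == master)
```

Because combine cannot tell a valid quorum from an invalid one, the threshold is enforced by whoever collects the shares (Vault's unseal flow counts submissions against secret_threshold); it is also why recovery_threshold and secret_threshold are capped by their share counts, since a polynomial of degree n cannot be recovered from fewer than n + 1 points.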
Retrieves historical counts of unique clients that interacted with Vault, covering the current namespace and all child namespaces.
GET /v1/sys/internal/counters/activity HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Exports detailed raw historical client activity data for analysis and reporting outside of Vault.
GET /v1/sys/internal/counters/activity/export HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Returns the number of unique clients that have interacted with Vault during the current month for this namespace and all child namespaces.
GET /v1/sys/internal/counters/activity/monthly HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Returns the current configuration settings for client count collection, including status, retention period, and default reporting period.
GET /v1/sys/internal/counters/config HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Enables or disables the collection of client counts and configures the retention period and default reporting period for client activity data.
Number of months to report if no start date specified.
12
Enable or disable collection of client count: enable, disable, or default.
default
Number of months of client data to retain. Setting to 0 will clear all existing data.
24
POST /v1/sys/internal/counters/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 70
{
"default_report_months": 12,
"enabled": "default",
"retention_months": 24
}
No content
Retrieves the current number of active identity entities managed by the Vault server. Note: Backward compatibility is not guaranteed for this endpoint.
GET /v1/sys/internal/counters/entities HTTP/1.1
Host: localhost:8200
Accept: */*
{
"counters": {}
}
This endpoint is currently unsupported and deprecated. Previously, it provided a count of requests handled by the Vault cluster. Note: Backward compatibility is not guaranteed.
GET /v1/sys/internal/counters/requests HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Retrieves the current number of active authentication tokens managed by Vault. Note: Backward compatibility is not guaranteed for this endpoint.
GET /v1/sys/internal/counters/tokens HTTP/1.1
Host: localhost:8200
Accept: */*
{
"counters": {}
}
Retrieves the entries in the router for the specified subtree (uuid, accessor, storage, root). The tag path parameter must be one of the inspectable subtrees. This endpoint provides information about the structure and entries in the router trees.
Name of the subtree being observed (e.g., uuid, accessor, storage, root).
GET /v1/sys/internal/inspect/router/{tag} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
Use generic mount paths
false
GET /v1/sys/internal/specs/openapi HTTP/1.1
Host: localhost:8200
Accept: */*
{
"openapi": "3.0.0",
"info": {
"title": "Vault API",
"version": "v1"
},
"paths": {}
}
Context string appended to every operationId
POST /v1/sys/internal/specs/openapi HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27
{
"mounts": [
"auth/",
"sys/"
]
}
{
"openapi": "3.0.0",
"info": {
"title": "Filtered Vault API",
"version": "v1"
},
"paths": {}
}
GET /v1/sys/internal/ui/feature-flags HTTP/1.1
Host: localhost:8200
Accept: */*
{
"flags": [
{
"name": "advanced_mode",
"enabled": true
},
{
"name": "beta_theme",
"enabled": false
}
]
}
GET /v1/sys/internal/ui/mounts HTTP/1.1
Host: localhost:8200
Accept: */*
{
"mounts": {
"auth/": {
"type": "userpass",
"accessor": "auth_userpass_abcd",
"visible": true
},
"secret/": {
"type": "kv",
"options": {
"version": "2"
},
"visible": true
}
}
}
GET /v1/sys/internal/ui/namespaces HTTP/1.1
Host: localhost:8200
Accept: */*
{
"namespaces": [
{
"name": "finance/"
},
{
"name": "engineering/"
}
]
}
GET /v1/sys/internal/ui/resultant-acl HTTP/1.1
Host: localhost:8200
Accept: */*
{
"policies": [
"default",
"dev-policy"
],
"capabilities": [
"read",
"list"
]
}
GET /v1/sys/key-status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"term": 5,
"install_time": "2024-11-05T12:00:00Z",
"last_rotation": "2025-01-10T08:45:00Z"
}
GET /v1/sys/leader HTTP/1.1
Host: localhost:8200
Accept: */*
{
"ha_enabled": true,
"is_self": false,
"leader_address": "https://vault-1.example.com:8200"
}
GET /v1/sys/leases HTTP/1.1
Host: localhost:8200
Accept: */*
{
"leases": [
{
"path": "auth/token/create",
"id": "a1b2c3"
},
{
"path": "secret/myapp/config",
"id": "d4e5f6"
}
]
}
The lease identifier to look up. This is included with a lease.
POST /v1/sys/leases/lookup HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39
{
"lease_id": "auth/token/create/a1b2c3"
}
{
"lease_id": "auth/token/create/a1b2c3",
"renewable": true,
"ttl": 3600
}
Must be set to 'true' to trigger a list response.
GET /v1/sys/leases/lookup/?list=true HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"auth/token/create/",
"secret/data/db-creds/"
]
}
The path to list leases under. Example: "aws/creds/deploy"
Must be set to 'true' to trigger a list response.
GET /v1/sys/leases/lookup/{prefix}?list=true HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"aws/creds/deploy/app1",
"aws/creds/deploy/app2"
]
}
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
POST /v1/sys/leases/renew HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 63
{
"lease_id": "database/creds/my-role/Y7sGbfd9",
"increment": 3600
}
No content
The lease ID to renew. Example: "database/creds/my-role/Y7sGbfd9"
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
POST /v1/sys/leases/renew/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 18
{
"increment": 1800
}
No content
The lease identifier to revoke. This is included with a lease.
Whether or not to perform the revocation synchronously
true
The lease identifier to revoke. This is included with a lease.
POST /v1/sys/leases/revoke HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46
{
"lease_id": "database/creds/my-role/Y7sGbfd9"
}
No content
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
The path to revoke keys under. Example: "prod/aws/ops"
POST /v1/sys/leases/revoke-force/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
No content
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
The path to revoke keys under. Example: "prod/aws/ops"
Whether or not to perform the revocation synchronously
true
POST /v1/sys/leases/revoke-prefix/{prefix} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13
{
"sync": true
}
OK
No content
The lease identifier to revoke. This is included with a lease.
The lease identifier to revoke. This is included with a lease.
Whether or not to perform the revocation synchronously
true
POST /v1/sys/leases/revoke/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31
{
"lease_id": "text",
"sync": true
}
OK
No content
POST /v1/sys/leases/tidy HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 52
{
"safety_buffer": "1h",
"safety_buffer_percentage": 10
}
No content
GET /v1/sys/license/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"license_type": "enterprise",
"expiration_time": "2025-12-31T23:59:59Z",
"status": "valid"
}
GET /v1/sys/locked-users HTTP/1.1
Host: localhost:8200
Accept: */*
{
"total_locked_users": 3,
"namespaces": [
{
"name": "root",
"locked_users": 1
},
{
"name": "team-a",
"locked_users": 2
}
]
}
Identifier of the alias (e.g., username or RoleID).
Identifier of the mount entry associated with the user.
POST /v1/sys/locked-users/{mount_accessor}/unlock/{alias_identifier} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"success": true,
"message": "User unlocked successfully"
}
GET /v1/sys/loggers HTTP/1.1
Host: localhost:8200
Accept: */*
{
"default": "info",
"loggers": {
"audit": "warn",
"core": "debug"
}
}
Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".
POST /v1/sys/loggers HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 46
{
"default": "info",
"loggers": {
"audit": "error"
}
}
No content
Name of the logger to modify.
GET /v1/sys/loggers/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "audit",
"level": "warn"
}
Name of the logger to modify.
Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".
POST /v1/sys/loggers/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"level": "debug"
}
No content
Must be set to "true" to list keys.
GET /v1/sys/managed-keys/{type}?list=true HTTP/1.1
Host: localhost:8200
Accept: */*
{
"keys": [
"key1",
"key2"
]
}
GET /v1/sys/managed-keys/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"name": "key1",
"type": "encryption",
"status": "active"
}
The type of the managed key (e.g., "transit", "pkcs11").
The name of the managed key to use for the test signing operation.
POST /v1/sys/managed-keys/{type}/{name}/test/sign HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 69
{
"input": "aGVsbG8gd29ybGQ=",
"algorithm": "sha2-256",
"prehashed": false
}
{
"signature": "vault:v1:abc123signaturedata"
}
The output format for the metrics. Currently, only prometheus is supported.
GET /v1/sys/metrics?format=prometheus HTTP/1.1
Host: localhost:8200
Accept: */*
# HELP vault_core_handle_request_count Total number of handled requests
# TYPE vault_core_handle_request_count counter
vault_core_handle_request_count{code="200",method="GET",path="/v1/sys/metrics"} 42
A required parameter that must be set to true to retrieve the list of MFA methods.
GET /v1/sys/mfa/method?list=true HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"methods": [
{
"name": "duo",
"type": "duo"
},
{
"name": "okta",
"type": "okta"
},
{
"name": "totp",
"type": "totp"
}
]
}
}
The unique name of the Okta MFA method.
GET /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "okta-main",
"type": "okta",
"org_name": "example-org",
"token": "s.exampletoken"
}
}
The unique name of the Okta MFA method.
POST /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 51
{
"org_name": "example-org",
"token": "s.exampletoken"
}
{
"data": {
"success": true
}
}
The unique name of the Okta MFA method.
DELETE /v1/sys/mfa/method/okta/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the PingID MFA method configuration.
GET /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "pingid-main",
"type": "pingid",
"apikey": "abc123",
"org_alias": "my-org",
"token": "s.mytoken"
}
}
The name of the PingID MFA method configuration.
POST /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60
{
"apikey": "abc123",
"org_alias": "my-org",
"token": "s.mytoken"
}
{
"data": {
"success": true
}
}
The name of the PingID MFA method configuration.
DELETE /v1/sys/mfa/method/pingid/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the TOTP MFA method configuration.
GET /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "totp-auth",
"type": "totp",
"issuer": "vault",
"period": 30,
"skew": 1
}
}
The name of the TOTP MFA method configuration.
POST /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39
{
"issuer": "vault",
"period": 30,
"skew": 1
}
{
"data": {
"success": true
}
}
The name of the TOTP MFA method configuration.
DELETE /v1/sys/mfa/method/totp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the TOTP MFA method configuration to destroy.
POST /v1/sys/mfa/method/totp/{name}/admin-destroy HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"destroyed": true
}
}
The name of the TOTP MFA method configuration.
POST /v1/sys/mfa/method/totp/{name}/admin-generate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 52
{
"account_name": "[email protected]",
"issuer": "vault"
}
{
"data": {
"url": "otpauth://totp/vault:[email protected]?secret=ABCDEFG12345678&issuer=vault",
"barcode": "<base64-barcode-image>"
}
}
Name of the TOTP MFA method configuration to generate a key for.
GET /v1/sys/mfa/method/totp/{name}/generate HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"url": "otpauth://totp/vault:[email protected]?secret=XYZABC123456&issuer=vault",
"barcode": "iVBORw0KGgoAAAANSUhEUgAA..."
}
}
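The TOTP method's period and skew parameters above, and the otpauth:// URL that the generate endpoints return, are all standard RFC 6238: the shared secret in the URL is base32, the code is an HMAC-SHA1 over the current 30-second step, and skew is how many neighbouring steps the verifier will accept. The following added example (not Vault's code) parses such a URL, computes codes and verifies one with a skew window; the URL is constructed around the RFC 6238 test key so the values can be checked against the published vectors. The secret in the page's example URL is not valid base32 and is only a placeholder.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def parse_otpauth(url: str) -> dict:
    """Extract the fields from an otpauth://totp/ URL such as the one
    sys/mfa/method/totp/{name}/generate returns."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"label": u.path.lstrip("/"), "secret": q["secret"],
            "issuer": q.get("issuer"), "period": int(q.get("period", 30)),
            "digits": int(q.get("digits", 6))}


def totp(secret_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the time step containing Unix time `at`."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // period), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, now: int, period: int = 30,
           skew: int = 1, digits: int = 6) -> bool:
    """Accept the current step and up to `skew` steps either side, which is what
    the method's skew parameter allows; compare in constant time."""
    return any(hmac.compare_digest(totp(secret_b32, now + k * period, period, digits), code)
               for k in range(-skew, skew + 1))


# Constructed URL using the RFC 6238 test key "12345678901234567890" in base32.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
URL = f"otpauth://totp/vault:alice?secret={RFC_SECRET}&issuer=vault&period=30"

if __name__ == "__main__":
    cfg = parse_otpauth(URL)
    print(cfg)
    print("code at T=59:", totp(cfg["secret"], 59, cfg["period"], cfg["digits"]))
```

A larger skew widens the window in which a captured code replays, so keep it at 1 (one step either side, enough for clock drift) and rely on the method's own rate limiting rather than on a wider window.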
Validates MFA credentials submitted by the user. Upon successful validation, it returns an authentication response that includes a client token. This endpoint is typically called after initial credentials are provided and MFA is required.
A map from MFA method ID to a slice of passcodes or an empty slice if the method does not use passcodes
ID for this MFA request
POST /v1/sys/mfa/validate HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 74
{
"mfa_request_id": "text",
"mfa_payload": {
"totp-d3f1": [
"123456"
]
}
}
{
"auth": {
"client_token": "s.QKJ123abcXYZ",
"accessor": "vS2iRzHyXweKzwo0tUR",
"policies": [
"default"
],
"lease_duration": 2764800,
"renewable": true
}
}
Fetch system logs based on the selected output format and log level.
Output format of logs. Supported values are "standard" and "json". The default is "standard".
standard
Log level to view system logs at. Currently supported values are "trace", "debug", "info", "warn", "error".
GET /v1/sys/monitor HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"log_format": "standard",
"log_level": "info",
"logs": [
"System initialized",
"Connection successful",
"Error at 10:23 AM"
]
}
GET /v1/sys/mounts HTTP/1.1
Host: localhost:8200
Accept: */*
{
"mounts": [
{
"path": "secret/",
"type": "kv",
"description": "Key-Value secrets engine"
},
{
"path": "pki/",
"type": "pki",
"description": "PKI secrets engine"
}
]
}
The path to mount to. Example: "aws/east"
GET /v1/sys/mounts/{path} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"accessor": "text",
"config": {},
"deprecation_status": "text",
"description": "text",
"external_entropy_access": true,
"local": false,
"options": {},
"plugin_version": "text",
"running_plugin_version": "text",
"running_sha256": "text",
"seal_wrap": false,
"type": "text",
"uuid": "text"
}
The path to mount to. Example: "aws/east"
Configuration for this mount, such as default_lease_ttl and max_lease_ttl.
User-friendly description for this mount.
Whether to give the mount access to Vault's external entropy.
false
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
The options to pass into the backend. Should be a json object with string keys and values.
Name of the plugin to mount based from the name registered in the plugin catalog.
The semantic version of the plugin to use.
Whether to turn on seal wrapping for the mount.
false
The type of the backend. Example: "passthrough"
POST /v1/sys/mounts/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 170
{
"config": {},
"description": "text",
"external_entropy_access": false,
"local": false,
"options": {},
"plugin_name": "text",
"plugin_version": "text",
"seal_wrap": false,
"type": "text"
}
OK
No content
The path to mount to. Example: "aws/east"
GET /v1/sys/mounts/{path}/tune HTTP/1.1
Host: localhost:8200
Accept: */*
{
"default_lease_ttl": "768h",
"max_lease_ttl": "768h",
"description": "AWS Secrets Engine",
"audit_non_hmac_request_keys": [
"role"
]
}
The path to mount to. Example: "aws/east"
POST /v1/sys/mounts/{path}/tune HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 135
{
"default_lease_ttl": "500h",
"max_lease_ttl": "1000h",
"description": "Updated AWS config",
"audit_non_hmac_request_keys": [
"role",
"region"
]
}
{
"success": true
}
POST /v1/sys/namespaces/api-lock/lock HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 39
{
"reason": "Planned maintenance window"
}
{
"success": true
}
POST /v1/sys/namespaces/api-lock/unlock HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 33
{
"reason": "Maintenance complete"
}
{
"success": true
}
The path of the namespace
A map of arbitrary string to string valued user-provided metadata meant to describe the namespace
POST /v1/sys/namespaces/{path} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 22
{
"custom_metadata": {}
}
OK
{
"custom_metadata": {},
"id": "text",
"path": "text"
}
GET /v1/sys/plugins/catalog HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"example-plugin": {
"type": "auth",
"sha256": "abc123...",
"command": "vault-plugin-example",
"args": []
}
}
}
The name of the plugin
GET /v1/sys/plugins/catalog/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"args": [
"text"
],
"builtin": true,
"command": "text",
"deprecation_status": "text",
"name": "text",
"sha256": "text",
"version": "text"
}
The name of the plugin
The args passed to plugin command.
The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
The environment variables passed to plugin command. Each entry is of the form "key=value".
The SHA256 sum of the executable used in the command field. This should be HEX encoded.
The type of the plugin, may be auth, secret, or database
The semantic version of the plugin to use.
POST /v1/sys/plugins/catalog/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 96
{
"args": [
"text"
],
"command": "text",
"env": [
"text"
],
"sha256": "text",
"type": "text",
"version": "text"
}
OK
No content
The type of the plugin, may be auth, secret, or database
The list query parameter. Must be set to true.
GET /v1/sys/plugins/catalog/{type} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"keys": [
"text"
]
}
The name of the plugin
The type of the plugin, may be auth, secret, or database
GET /v1/sys/plugins/catalog/{type}/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"args": [
"text"
],
"builtin": true,
"command": "text",
"deprecation_status": "text",
"name": "text",
"sha256": "text",
"version": "text"
}
The name of the plugin
The type of the plugin, may be auth, secret, or database
The args passed to plugin command.
The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
The environment variables passed to plugin command. Each entry is of the form "key=value".
The SHA256 sum of the executable used in the command field. This should be HEX encoded.
The semantic version of the plugin to use.
POST /v1/sys/plugins/catalog/{type}/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 82
{
"args": [
"text"
],
"command": "text",
"env": [
"text"
],
"sha256": "text",
"version": "text"
}
OK
No content
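Both catalog registration endpoints above tie a plugin to the sha256 of its binary: Vault refuses to start a plugin whose file in plugin_directory no longer matches the registered digest. The following is an added example, not Vault's own code, that computes that digest over the exact file, refuses a binary that other local users could overwrite, builds the registration body, and re-checks the file later for drift. The plugin directory, file name and version are constructed for illustration.

```python
"""Digest and request body for POST /v1/sys/plugins/catalog/{type}/{name}.

Added example, not Vault's own code. It assumes the plugin binary has already
been placed in the directory configured as plugin_directory on every node;
Vault compares the file against the registered sha256 before starting it.
make_sample_plugin() constructs a throwaway stand-in for that binary.
"""
import hashlib
import hmac
import os
import stat
import tempfile


def sha256_hex(path):
    """Streaming SHA-256 of the file, hex encoded as the catalog API expects."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def catalog_registration(plugin_path, plugin_dir, version, args=(), env=()):
    """Build the request body; `command` is the file name relative to plugin_dir."""
    real_dir, real_path = os.path.realpath(plugin_dir), os.path.realpath(plugin_path)
    if os.path.dirname(real_path) != real_dir:
        raise ValueError("plugin binary must sit directly inside plugin_directory")
    if os.stat(real_path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A writable binary lets a local attacker swap it between hashing and launch.
        raise ValueError("plugin binary is group- or world-writable")
    return {
        "command": os.path.basename(real_path),
        "sha256": sha256_hex(real_path),
        "version": version,
        "args": list(args),
        "env": list(env),
    }


def matches_catalog(plugin_path, registered_sha256):
    """Drift check: does the file on disk still match the catalog entry?"""
    return hmac.compare_digest(sha256_hex(plugin_path), registered_sha256.lower())


def make_sample_plugin(content=b"abc"):
    """Constructed stand-in: a file named like a plugin inside a temp plugin_directory."""
    plugin_dir = tempfile.mkdtemp(prefix="vault-plugins-")
    path = os.path.join(plugin_dir, "vault-plugin-example")
    with open(path, "wb") as f:
        f.write(content)
    os.chmod(path, 0o755)
    return plugin_dir, path


if __name__ == "__main__":
    d, p = make_sample_plugin()
    body = catalog_registration(p, d, "v0.1.0", env=["LOG_LEVEL=info"])
    print(body["sha256"], matches_catalog(p, body["sha256"]))
```

Run matches_catalog periodically (or from a file-integrity job) against the sha256 stored in the catalog; a mismatch means the binary changed after registration, which Vault will also refuse at the next plugin start.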
Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded. If scope is provided and is global, the plugin(s) are reloaded globally.
The mount paths of the plugin backends to reload.
The name of the plugin to reload, as registered in the plugin catalog.
POST /v1/sys/plugins/reload/backend HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 50
{
"mounts": [
"text"
],
"plugin": "text",
"scope": "text"
}
{
"reload_id": "text"
}
GET /v1/sys/plugins/reload/backend/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"reload_required": true,
"plugins": [
"example-plugin",
"database-plugin"
]
}
The list query parameter. Must be set to true to list ACL policies.
true
GET /v1/sys/policies/acl HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"default",
"admin",
"readonly"
]
}
}
The name of the policy. Example: "ops"
The rules of the policy.
POST /v1/sys/policies/acl/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"policy": "text"
}
OK
No content
The list query parameter. Must be set to true to list EGPs.
true
GET /v1/sys/policies/egp HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"egp-policy-admin",
"egp-policy-ops"
]
}
}
The name of the EGP policy.
GET /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "egp-policy-admin",
"enforcement_level": "hard-mandatory",
"paths": [
"secret/*"
],
"policy": "import \"time\"\nmain = rule { time.now.hour >= 8 and time.now.hour < 18 }\n"
}
}
The name of the EGP policy.
The policy body. EGPs are Sentinel policies, not ACL HCL.
Enforcement level for the policy: "advisory", "soft-mandatory", or "hard-mandatory".
Paths the EGP is attached to; globs are allowed.
POST /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 161
{
"policy": "import \"time\"\nmain = rule { time.now.hour >= 8 and time.now.hour < 18 }\n",
"enforcement_level": "hard-mandatory",
"paths": [
"secret/data/finance/*"
]
}
No content
The name of the EGP policy.
DELETE /v1/sys/policies/egp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the password policy.
The password policy
POST /v1/sys/policies/password/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"policy": "text"
}
OK
No content
The list query parameter. Must be set to true to list RGPs.
true
GET /v1/sys/policies/rgp HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"rgp-policy-admin",
"rgp-policy-audit"
]
}
}
The name of the RGP policy.
GET /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "rgp-policy-admin",
"enforcement_level": "hard-mandatory",
"policy": "main = rule { request.operation is not \"delete\" }\n"
}
}
The name of the RGP policy.
The policy body. RGPs are Sentinel policies, not ACL HCL; unlike EGPs they are attached to tokens, entities or groups rather than to paths.
Enforcement level for the policy: "advisory", "soft-mandatory", or "hard-mandatory".
POST /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 104
{
"policy": "main = rule { request.operation is not \"delete\" }\n",
"enforcement_level": "hard-mandatory"
}
No content
The name of the RGP policy.
DELETE /v1/sys/policies/rgp/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the policy. Example: "ops"
The rules of the policy.
The rules of the policy.
POST /v1/sys/policy/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 17
{
"policy": "text"
}
OK
No content
If set, starts audit logging of requests that get rejected due to rate limit quota rule violations.
If set, additional rate limit quota HTTP headers will be added to responses.
Specifies the list of exempt paths from all rate limit quotas. If empty no paths will be exempt.
POST /v1/sys/quotas/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 123
{
"enable_rate_limit_audit_logging": true,
"enable_rate_limit_response_headers": true,
"rate_limit_exempt_paths": [
"sys/health"
]
}
No content
The list query parameter. Must be set to true.
GET /v1/sys/quotas/lease-count HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"quota1",
"quota2"
]
}
}
GET /v1/sys/quotas/lease-count/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "quota1",
"max_leases": 500,
"namespace": "root"
}
}
POST /v1/sys/quotas/lease-count/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 19
{
"max_leases": 1000
}
Quota created or updated successfully
{
"data": {
"success": true
}
}
The list query parameter. Must be set to true.
GET /v1/sys/quotas/rate-limit HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"global-read-quota",
"admin-api-quota"
]
}
}
Name of the quota rule.
GET /v1/sys/quotas/rate-limit/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"name": "global-read-quota",
"rate": 10,
"interval": "1s",
"path": ""
}
}
Name of the quota rule.
If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.
The duration to enforce rate limiting for (default '1s').
Path of the mount or namespace to apply the quota. A blank path configures a global quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1.
The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive.
Login role to apply this quota to. Note that when set, path must be configured to a valid auth method with a concept of roles.
Type of the quota rule.
POST /v1/sys/quotas/rate-limit/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 50
{
"rate": 5,
"interval": "1s",
"path": "auth/userpass/"
}
No content
GET /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"backup": true,
"n": 1,
"nonce": "text",
"pgp_fingerprints": [
"text"
],
"progress": 1,
"required": 1,
"started": "text",
"t": 1,
"verification_nonce": "text",
"verification_required": true
}
Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.
Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.
Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
Turns on verification functionality
Specifies the number of shares to split the unseal key into.
Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
POST /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 102
{
"backup": true,
"pgp_keys": [
"text"
],
"require_verification": true,
"secret_shares": 1,
"secret_threshold": 1
}
OK
{
"backup": true,
"n": 1,
"nonce": "text",
"pgp_fingerprints": [
"text"
],
"progress": 1,
"required": 1,
"started": "text",
"t": 1,
"verification_nonce": "text",
"verification_required": true
}
This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.
DELETE /v1/sys/rekey/init HTTP/1.1
Host: localhost:8200
Accept: */*
OK
No content
GET /v1/sys/rekey/recovery-key-backup HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys_base64": [
"Q2FzZV9Bbm90aGVyX0tleQ==",
"U29tZV9CYXNlNjRfRW5jb2RlZF9LZXk="
]
}
}
Specifies a single unseal key share.
Specifies the nonce of the rekey attempt.
POST /v1/sys/rekey/update HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29
{
"key": "text",
"nonce": "text"
}
OK
{
"backup": true,
"complete": true,
"keys": [
"text"
],
"keys_base64": [
"text"
],
"n": 1,
"nonce": "text",
"pgp_fingerprints": [
"text"
],
"progress": 1,
"required": 1,
"started": "text",
"t": 1,
"verification_nonce": "text",
"verification_required": true
}
Specifies a single unseal share key from the new set of shares.
Specifies the nonce of the rekey verification operation.
POST /v1/sys/rekey/verify HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29
{
"key": "text",
"nonce": "text"
}
OK
{
"complete": true,
"nonce": "text"
}
This clears any progress made and resets the nonce. Unlike a DELETE against sys/rekey/init, this only resets the current verification operation, not the entire rekey attempt.
DELETE /v1/sys/rekey/verify HTTP/1.1
Host: localhost:8200
Accept: */*
OK
{
"n": 1,
"nonce": "text",
"progress": 1,
"started": "text",
"t": 1
}
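The rekey endpoints above form one protocol: init returns a nonce, every update must carry that nonce together with one current share, and once the threshold is met the new shares have to be proven through verify (with its own nonce) before Vault commits them. The following is an added example, not Vault's own code, that drives the flow end to end. transport(method, path, body) is an assumed callable wrapping an HTTP client that sends X-Vault-Token and returns decoded JSON; FakeRekeyServer is a constructed in-memory stand-in for the three endpoints so the flow runs offline, and it uses opaque strings where Vault uses Shamir shares.

```python
"""Rekey flow: init -> update with current shares -> verify with new shares.

Added example, not Vault's own code. transport(method, path, body) is an
assumed callable around an HTTP client. FakeRekeyServer is a constructed
stand-in for the three endpoints; it is not Vault and uses opaque strings
where Vault uses Shamir shares.
"""
import secrets


def rekey(transport, current_shares, secret_shares, secret_threshold, pgp_keys=None):
    """Return the new shares after a complete, verified rekey."""
    # Only one attempt may be in flight; cancel a stale one so our nonce is fresh.
    if transport("GET", "sys/rekey/init", None).get("started"):
        transport("DELETE", "sys/rekey/init", None)
    init = transport("POST", "sys/rekey/init", {
        "secret_shares": secret_shares,
        "secret_threshold": secret_threshold,
        "require_verification": True,  # new shares must be proven before they take effect
        "pgp_keys": pgp_keys or [],
        "backup": bool(pgp_keys),
    })
    nonce = init["nonce"]
    # Each update is bound to the nonce, so a share cannot be replayed into another attempt.
    result = {}
    for share in current_shares:
        result = transport("POST", "sys/rekey/update", {"key": share, "nonce": nonce})
        if result.get("complete"):
            break
    if not result.get("complete"):
        raise RuntimeError("threshold not reached with the shares supplied")
    new_shares = result["keys_base64"]
    # Verification has its own nonce and needs a threshold of the *new* shares.
    verify = {}
    for share in new_shares[:secret_threshold]:
        verify = transport("POST", "sys/rekey/verify",
                           {"key": share, "nonce": result["verification_nonce"]})
    if not verify.get("complete"):
        raise RuntimeError("verification did not complete")
    return new_shares


class FakeRekeyServer:
    """Constructed stand-in for sys/rekey/init, update and verify (not Vault)."""

    def __init__(self, current_shares, threshold):
        self.current, self.threshold = set(current_shares), threshold
        self.attempt = None    # state of the in-flight rekey, if any
        self.committed = None  # shares that replaced the old ones

    def __call__(self, method, path, body):
        a = self.attempt
        if path == "sys/rekey/init":
            if method == "GET":
                return {"started": a is not None}
            if method == "DELETE":
                self.attempt = None
                return {}
            if a is not None:
                raise RuntimeError("rekey already in progress")
            self.attempt = {"nonce": secrets.token_hex(8), "seen": set(), "new": None,
                            "n": body["secret_shares"], "t": body["secret_threshold"],
                            "vnonce": secrets.token_hex(8), "vseen": set()}
            return {"started": True, "nonce": self.attempt["nonce"]}
        if path == "sys/rekey/update":
            if a is None or body["nonce"] != a["nonce"]:
                raise PermissionError("missing or stale rekey nonce")
            if body["key"] not in self.current:
                raise PermissionError("not a valid current share")
            a["seen"].add(body["key"])
            if len(a["seen"]) < self.threshold:
                return {"complete": False, "progress": len(a["seen"]), "required": self.threshold}
            a["new"] = [secrets.token_urlsafe(24) for _ in range(a["n"])]
            return {"complete": True, "keys_base64": a["new"], "verification_required": True,
                    "verification_nonce": a["vnonce"]}
        if path == "sys/rekey/verify":
            if a is None or a["new"] is None or body["nonce"] != a["vnonce"]:
                raise PermissionError("missing or stale verification nonce")
            if body["key"] not in a["new"]:
                raise PermissionError("not one of the new shares")
            a["vseen"].add(body["key"])
            if len(a["vseen"]) < a["t"]:
                return {"complete": False, "progress": len(a["vseen"])}
            # Only now do the new shares replace the old ones.
            self.current, self.committed = set(a["new"]), list(a["new"])
            self.threshold, self.attempt = a["t"], None
            return {"complete": True}
        raise KeyError(path)


if __name__ == "__main__":
    old = ["share-a", "share-b", "share-c"]
    server = FakeRekeyServer(old, threshold=2)
    print(rekey(server, old, secret_shares=5, secret_threshold=3))
```

With require_verification set, cancelling during the verify step (DELETE sys/rekey/verify or sys/rekey/init) leaves the old shares valid, which is why the fake only swaps its share set once verification completes; distribute the returned shares to their holders over separate channels, or supply pgp_keys so each share is encrypted to its holder before it leaves Vault.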
The previous mount point.
The new mount point.
POST /v1/sys/remount HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27
{
"from": "text",
"to": "text"
}
OK
{
"migration_id": "text"
}
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
POST /v1/sys/renew HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 55
{
"increment": 1,
"lease_id": "text",
"url_lease_id": "text"
}
OK
No content
The lease identifier to renew. This is included with a lease.
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
POST /v1/sys/renew/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 33
{
"increment": 1,
"lease_id": "text"
}
OK
No content
POST /v1/sys/replication/dr/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60
{
"primary_cluster_addr": "https://vault-primary.example.com"
}
{
"data": {
"message": "DR primary enabled"
}
}
POST /v1/sys/replication/dr/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16
{
"id": "dc-east"
}
{
"data": {
"message": "Secondary revoked successfully"
}
}
POST /v1/sys/replication/dr/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16
{
"id": "dc-west"
}
{
"data": {
"secondary_token": "s.SOME_LONG_TOKEN_STRING"
}
}
POST /v1/sys/replication/dr/secondary/config/reload/{subsystem} HTTP/1.1
Host: localhost:8200
Accept: */*
Configuration reloaded successfully.
{
"data": {
"message": "Reload triggered for 'storage' subsystem."
}
}
POST /v1/sys/replication/dr/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 36
{
"token": "s.SECONDARY_TOKEN_STRING"
}
DR secondary enabled.
{
"data": {
"message": "Secondary enabled successfully."
}
}
POST /v1/sys/replication/dr/secondary/generate-public-key HTTP/1.1
Host: localhost:8200
Accept: */*
Public key generated.
{
"data": {
"public_key": "-----BEGIN PUBLIC KEY-----\nABC123...\n-----END PUBLIC KEY-----"
}
}
POST /v1/sys/replication/dr/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60
{
"primary_cluster_addr": "https://vault-primary.example.com"
}
Primary configuration updated.
{
"data": {
"message": "Primary address updated."
}
}
GET /v1/sys/replication/performance/primary/dynamic-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
Filter details retrieved.
{
"data": {
"id": "filter-abc",
"paths": [
"auth/*"
]
}
}
POST /v1/sys/replication/performance/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60
{
"primary_cluster_addr": "https://vault-primary.example.com"
}
Replication enabled.
{
"data": {
"message": "Primary replication enabled."
}
}
GET /v1/sys/replication/performance/primary/paths-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
Filter details.
{
"data": {
"id": "paths-filter-xyz",
"paths": [
"secret/data/*"
]
}
}
POST /v1/sys/replication/performance/primary/paths-filter/{id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27
{
"paths": [
"secret/data/*"
]
}
Filter updated successfully.
{
"data": {
"message": "Paths filter updated."
}
}
POST /v1/sys/replication/performance/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Accept: */*
Secondary revoked successfully.
{
"data": {
"message": "Secondary revoked."
}
}
POST /v1/sys/replication/performance/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 26
{
"id": "us-west-secondary"
}
Token generated.
{
"data": {
"token": "s.TOKENSTRING"
}
}
GET /v1/sys/replication/performance/secondary/dynamic-filter/{id} HTTP/1.1
Host: localhost:8200
Accept: */*
Filter information retrieved.
{
"data": {
"id": "filter-123",
"paths": [
"auth/token/*"
]
}
}
POST /v1/sys/replication/performance/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29
{
"token": "s.SECONDARY_TOKEN"
}
Secondary enabled.
{
"data": {
"message": "Secondary enabled."
}
}
POST /v1/sys/replication/performance/secondary/generate-public-key HTTP/1.1
Host: localhost:8200
Accept: */*
Public key generated.
{
"data": {
"public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
}
}
POST /v1/sys/replication/performance/secondary/promote HTTP/1.1
Host: localhost:8200
Accept: */*
Secondary promoted to primary.
{
"data": {
"message": "Secondary promoted to primary."
}
}
POST /v1/sys/replication/performance/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 56
{
"primary_api_addr": "https://vault-primary.example.com"
}
Primary updated successfully.
{
"data": {
"message": "Primary address updated."
}
}
POST /v1/sys/replication/primary/demote HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Primary cluster demoted."
}
}
POST /v1/sys/replication/primary/disable HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Replication disabled on primary."
}
}
POST /v1/sys/replication/primary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 60
{
"primary_cluster_addr": "https://vault-primary.example.com"
}
{
"data": {
"message": "Primary replication enabled."
}
}
POST /v1/sys/replication/primary/revoke-secondary HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Secondary replication revoked."
}
}
POST /v1/sys/replication/primary/secondary-token HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 26
{
"id": "secondary-us-east"
}
{
"data": {
"token": "s.abcdef123456"
}
}
POST /v1/sys/replication/recover HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Recovery initiated successfully."
}
}
POST /v1/sys/replication/secondary/enable HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31
{
"token": "s.replication-token"
}
{
"data": {
"message": "Secondary enabled."
}
}
POST /v1/sys/replication/secondary/promote HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"message": "Secondary promoted to primary."
}
}
POST /v1/sys/replication/secondary/update-primary HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 99
{
"primary_api_addr": "https://vault-primary.example.com:8200",
"ca_file": "/etc/vault/primary-ca.pem"
}
{
"data": {
"message": "Primary connection info updated."
}
}
GET /v1/sys/replication/status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"mode": "performance",
"state": "secondary",
"primary_cluster_addr": "https://vault-primary.example.com:8200",
"known_secondaries": [
{
"cluster_id": "us-west-secondary",
"api_address": "https://vault-us-west.example.com:8200"
}
]
}
}
The lease identifier to revoke. This is included with a lease.
Whether or not to perform the revocation synchronously
true
The lease identifier to revoke, given in the URL. This is included with a lease.
POST /v1/sys/revoke HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 53
{
"lease_id": "text",
"sync": true,
"url_lease_id": "text"
}
OK
No content
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
The path to revoke keys under. Example: "prod/aws/ops"
POST /v1/sys/revoke-force/{prefix} HTTP/1.1
Host: localhost:8200
Accept: */*
OK
No content
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
The path to revoke keys under. Example: "prod/aws/ops"
Whether or not to perform the revocation synchronously
true
POST /v1/sys/revoke-prefix/{prefix} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 13
{
"sync": true
}
OK
No content
The lease identifier to revoke. This is included with a lease.
The lease identifier to revoke, given in the URL. This is included with a lease.
Whether or not to perform the revocation synchronously
true
POST /v1/sys/revoke/{url_lease_id} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31
{
"lease_id": "text",
"sync": true
}
OK
No content
Rotates the backend encryption key used to persist Vault data. This operation is a no-op if key rotation is disabled.
POST /v1/sys/rotate HTTP/1.1
Host: localhost:8200
Accept: */*
No content
GET /v1/sys/rotate/config HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"enabled": true,
"interval": "24h",
"max_operations": 3865470566
}
}
Whether automatic rotation is enabled.
How long after installation of an active key term that the key will be automatically rotated.
The number of encryption operations performed before the barrier key is automatically rotated.
POST /v1/sys/rotate/config HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 18
{
"interval": "24h"
}
No content
GET /v1/sys/seal-status HTTP/1.1
Host: localhost:8200
Accept: */*
{
"build_date": "text",
"cluster_id": "text",
"cluster_name": "text",
"hcp_link_resource_ID": "text",
"hcp_link_status": "text",
"initialized": true,
"migration": true,
"n": 1,
"nonce": "text",
"progress": 1,
"recovery_seal": true,
"sealed": true,
"storage_type": "text",
"t": 1,
"type": "text",
"version": "text"
}
Returns the status of the seal-wrap rewrap process: how many seal-wrapped entries have been processed and how many succeeded, and whether a rewrap is currently running.
GET /v1/sys/sealwrap/rewrap HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"entries": {
"processed": 30,
"succeeded": 30
},
"is_running": false
}
}
Starts rewrapping every seal-wrapped entry with the current seal, for example after a seal migration so that nothing remains protected only by the old seal. This may take time depending on the amount of seal-wrapped data; poll the GET endpoint on the same path for progress. No request body is required.
POST /v1/sys/sealwrap/rewrap HTTP/1.1
Host: localhost:8200
Accept: */*
No content
This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.
POST /v1/sys/step-down HTTP/1.1
Host: localhost:8200
Accept: */*
empty body
No content
The list query parameter. Must be set to true.
GET /v1/sys/storage/raft/snapshot-auto/config/ HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"keys": [
"daily",
"hourly"
]
}
}
The name of the snapshot job configuration.
GET /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"interval": "1h",
"retain": 5,
"storage_path_prefix": "snapshots/hourly"
}
}
The name of the snapshot job configuration.
POST /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 69
{
"interval": "1h",
"retain": 5,
"storage_path_prefix": "snapshots/hourly"
}
{
"data": {
"interval": "1h",
"retain": 5,
"storage_path_prefix": "snapshots/hourly"
}
}
The name of the snapshot job configuration.
DELETE /v1/sys/storage/raft/snapshot-auto/config/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
No content
The name of the snapshot job
GET /v1/sys/storage/raft/snapshot-auto/status/{name} HTTP/1.1
Host: localhost:8200
Accept: */*
{
"data": {
"last_snapshot": "2025-05-01T10:00:00Z",
"next_snapshot_due": "2025-05-01T11:00:00Z",
"state": "active"
}
}
Accepts input data (base64-encoded in the request body; "YWJj" in the example is the base64 encoding of "abc") and returns its digest using the algorithm named in the body, sha2-256 by default.
Algorithm to use (POST body parameter). Valid values are sha2-224, sha2-256, sha2-384 and sha2-512. Defaults to "sha2-256".
sha2-256
Encoding format to use. Can be "hex" or "base64". Defaults to "hex".
hex
The base64-encoded input data
Algorithm to use (POST URL parameter)
POST /v1/sys/tools/hash HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16
{
"input": "YWJj"
}
{
"data": {
"sum": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
}
}
Accepts base64-encoded input data ("aGVsbG8=" in the example is the base64 encoding of "hello") and returns its digest using the algorithm specified in the URL.
The hash algorithm to use, given in the URL (e.g. sha2-256, sha2-512)
Algorithm to use (POST body parameter). Valid values are sha2-224, sha2-256, sha2-384 and sha2-512. Defaults to "sha2-256".
sha2-256
Encoding format to use. Can be "hex" or "base64". Defaults to "hex".
hex
The base64-encoded input data
POST /v1/sys/tools/hash/{urlalgorithm} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 20
{
"input": "aGVsbG8="
}
{
"data": {
"sum": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
}
}
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
Which system to source random data from, either "platform", "seal", or "all".
platform
The number of bytes to generate (POST URL parameter)
POST /v1/sys/tools/random HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 26
{
"bytes": 8,
"format": "hex"
}
{
"data": {
"random_bytes": "a1b2c3d4e5f67890"
}
}
Source to generate randomness from
platform
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
The number of bytes to generate (POST URL parameter)
POST /v1/sys/tools/random/{source} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 30
{
"bytes": 16,
"format": "base64"
}
{
"data": {
"random_bytes": "QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
}
}
Number of bytes to generate
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
Which system to source random data from, either "platform", "seal", or "all".
platform
POST /v1/sys/tools/random/{urlbytes} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16
{
"format": "hex"
}
{
"data": {
"random_bytes": "f4e9d..."
}
}
Source to generate randomness from
Number of bytes to generate
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
POST /v1/sys/tools/random/{source}/{urlbytes} HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 19
{
"format": "base64"
}
{
"data": {
"random_bytes": "bW9yZSByYW5kb20gYnl0ZXM="
}
}
Specifies a single unseal key share. This is required unless reset is true.
Specifies if previously-provided unseal keys are discarded and the unseal process is reset.
POST /v1/sys/unseal HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 27
{
"key": "text",
"reset": true
}
{
"build_date": "text",
"cluster_id": "text",
"cluster_name": "text",
"hcp_link_resource_ID": "text",
"hcp_link_status": "text",
"initialized": true,
"migration": true,
"n": 1,
"nonce": "text",
"progress": 1,
"recovery_seal": true,
"sealed": true,
"storage_type": "text",
"t": 1,
"type": "text",
"version": "text"
}
POST /v1/sys/wrapping/lookup HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 16
{
"token": "text"
}
OK
{
"creation_path": "text",
"creation_time": "2025-06-26T08:53:25.381Z",
"creation_ttl": 1
}
Accepts a response-wrapped token and returns a new wrapped token.
POST /v1/sys/wrapping/rewrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 34
{
"token": "hvs.XYZwrappedtoken123"
}
{
"wrap_info": {
"token": "hvs.newwrappedtoken456",
"ttl": 300
}
}
Unwraps a token and returns the original payload.
POST /v1/sys/wrapping/unwrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 31
{
"token": "hvs.wrappedtoken123"
}
{
"data": {
"foo": "bar",
"secret": "vault"
}
}
Accepts a JSON object and returns it wrapped in a token.
POST /v1/sys/wrapping/wrap HTTP/1.1
Host: localhost:8200
Content-Type: application/json
Accept: */*
Content-Length: 29
{
"foo": "bar",
"user_id": "123"
}
{
"wrap_info": {
"token": "hvs.wrappedtoken789",
"ttl": 300
}
}
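A wrapping token is single use, and sys/wrapping/lookup does not consume it, which lets the consumer check a token before unwrapping: a lookup that fails means someone else already unwrapped the secret, a creation_path other than the one the provisioner wraps from means the token was substituted (anyone with access to sys/wrapping/wrap can mint one), and an unexpectedly long creation_ttl means a wider interception window than policy allows. The following is an added example, not Vault's own code, of that consumer-side check. transport(method, path, body) is an assumed callable around an HTTP client returning decoded JSON; FakeWrapServer is a constructed stand-in for the lookup and unwrap endpoints so the checks run offline, and the AppRole secret-id creation_path and 300-second ceiling are illustrative policy values.

```python
"""Consumer-side checks before unwrapping a response-wrapping token.

Added example, not Vault's own code. transport(method, path, body) is an
assumed callable around an HTTP client that returns decoded JSON; FakeWrapServer
is a constructed stand-in for sys/wrapping/lookup and sys/wrapping/unwrap. The
expected creation_path and TTL ceiling are the consumer's own policy values.
"""


class WrapCheckError(Exception):
    """The token is live but was not produced the way we expect."""


def safe_unwrap(transport, token, expected_creation_path, max_ttl_seconds):
    """Unwrap only after lookup confirms origin and TTL; lookup does not consume the token."""
    # If someone already unwrapped it, lookup fails: that is the interception signal.
    info = transport("POST", "sys/wrapping/lookup", {"token": token})
    # A token minted through sys/wrapping/wrap records that path, not the path our
    # provisioner wraps from, so a substituted token is caught here.
    if info["creation_path"] != expected_creation_path:
        raise WrapCheckError(f"unexpected creation_path {info['creation_path']!r}")
    # A long creation_ttl widens the window in which a stolen token is still usable.
    if info["creation_ttl"] > max_ttl_seconds:
        raise WrapCheckError(f"creation_ttl {info['creation_ttl']}s exceeds {max_ttl_seconds}s")
    # Only now consume the single-use token.
    return transport("POST", "sys/wrapping/unwrap", {"token": token})["data"]


class FakeWrapServer:
    """Constructed stand-in for the two wrapping endpoints (not Vault)."""

    def __init__(self):
        self.tokens = {}  # token -> (creation_path, creation_ttl, payload)
        self.issued = 0

    def wrap(self, creation_path, ttl, payload):
        """What the producer side would receive in wrap_info.token."""
        self.issued += 1
        token = f"hvs.wrapped{self.issued:04d}"
        self.tokens[token] = (creation_path, ttl, payload)
        return token

    def __call__(self, method, path, body):
        entry = self.tokens.get(body.get("token"))
        if entry is None:
            raise PermissionError("wrapping token is not valid or does not exist")
        creation_path, ttl, payload = entry
        if path == "sys/wrapping/lookup":
            return {"creation_path": creation_path, "creation_ttl": ttl}
        if path == "sys/wrapping/unwrap":
            del self.tokens[body["token"]]  # single use
            return {"data": payload}
        raise KeyError(path)


if __name__ == "__main__":
    server = FakeWrapServer()
    tok = server.wrap("auth/approle/role/web/secret-id", 120, {"secret_id": "constructed"})
    print(safe_unwrap(server, tok, "auth/approle/role/web/secret-id", 300))
```

A rejected token is deliberately left unconsumed so it can be revoked and examined; a consumer that unwrapped first and checked afterwards would have no such evidence and would already hold a secret it should not trust.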