System
Successfully retrieved enabled audit devices.
Bad request due to client error.
Unauthorized. Vault token is invalid or missing.
Forbidden. Caller lacks sufficient permission.
Internal server error.
The name of the audit backend. Cannot be delimited. Example: 'mysql'
Successfully calculated the hash of the input.
Bad request due to malformed or missing data.
Unauthorized. Vault token is invalid or missing.
Forbidden. Insufficient permissions.
Internal server error.
The name of the backend. Cannot be delimited. Example: 'mysql'
User-friendly description for this audit backend.
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
falseConfiguration options for the audit backend.
The type of the backend. Example: "mysql"
Audit device successfully enabled. No content is returned.
Bad Request - The provided request body is invalid.
The name of the backend. Cannot be delimited. Example: 'mysql'
Audit device successfully disabled. No content is returned.
Bad Request - The provided path is invalid or the device cannot be disabled.
Unauthorized - Authentication failed or no access rights.
Not Found - The specified audit device path was not found.
The path to mount to. Cannot be delimited. Example: 'user'
Successfully read the auth configuration.
Bad Request - Invalid path or request format.
Unauthorized - Authentication failure.
Not Found - No auth engine found at this path.
The path to mount to. Cannot be delimited. Example: 'user'
Configuration for this mount, such as plugin_name.
User-friendly description for this credential backend.
Whether to give the mount access to Vault's external entropy.
falseMark the mount as a local mount, which is not replicated and is unaffected by replication.
falseThe options to pass into the backend. Should be a json object with string keys and values.
Name of the auth plugin to use based from the name in the plugin catalog.
The semantic version of the plugin to use.
Whether to turn on seal wrapping for the mount.
falseThe type of the backend. Example: "userpass"
Auth method successfully enabled. No content is returned.
Bad Request - Validation error or malformed input.
Unauthorized - Permission denied or token missing.
The path to mount to. Cannot be delimited. Example: 'user'
Auth method successfully disabled. No content is returned.
Bad Request - Invalid path or request format.
Unauthorized - Authentication or permission failure.
Not Found - The specified auth method path was not found.
Tune the configuration parameters for an auth path.
Successfully read tuning information.
Bad Request - Invalid request or path.
Unauthorized - Token missing or access denied.
Tune the configuration parameters for an auth path.
A list of headers to whitelist and allow a plugin to set on responses.
The list of keys in the request data object that will not be HMAC'ed by audit devices.
The list of keys in the response data object that will not be HMAC'ed by audit devices.
The default lease TTL for this mount.
User-friendly description for this credential backend.
Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'.
The max lease TTL for this mount.
The options to pass into the backend. Should be a json object with string keys and values.
A list of headers to whitelist and pass from the request to the plugin.
The semantic version of the plugin to use.
The type of token to issue (service or batch).
The user lockout configuration to pass into the backend. Should be a json object with string keys and values.
Successfully updated tuning parameters. No content is returned.
Bad Request - Validation error in request.
Unauthorized - Missing or invalid token.
Use 'paths' instead.
Paths on which capabilities are being queried.
Token for which capabilities are being queried.
Successfully retrieved capabilities for the given paths.
Bad Request - Invalid request or missing fields.
Unauthorized - The token is invalid or expired.
Accessor of the token for which capabilities are being queried.
Use 'paths' instead.
Paths on which capabilities are being queried.
Successfully retrieved capabilities for the given paths.
Bad Request - Missing or invalid accessor or paths.
Unauthorized - Invalid credentials or insufficient permissions.
Use 'paths' instead.
Paths on which capabilities are being queried.
Token for which capabilities are being queried.
Successfully retrieved capabilities for the specified paths.
Bad Request - Missing or invalid paths field.
Unauthorized - Token is missing, invalid, or lacks necessary permissions.
Successfully listed the configured audited request headers.
Bad Request - Server failed to process the request.
Unauthorized - Token is missing or does not have sufficient privileges.
The name of the request header to audit.
X-Request-IDSuccessfully retrieved the request header auditing information.
Bad Request - Invalid header format.
Unauthorized - Insufficient permissions.
The name of the request header to audit.
X-Request-IDAuditing for the header enabled successfully.
Bad Request - Could not enable auditing for header.
Unauthorized - Insufficient permissions.
No content
The name of the request header to audit.
X-Request-IDAuditing for the header disabled successfully.
Bad Request - Header not found.
Unauthorized - Insufficient permissions.
No content
A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.
A comma-separated string or array of strings indicating origins that may make cross-origin requests.
Enables or disables CORS headers on requests.
CORS settings successfully updated.
Invalid CORS configuration.
Not authorized.
No content
Group policy application configuration retrieved successfully.
Invalid request.
Forbidden. The client does not have permission.
Internal server error.
The name of the subsystem to reload.
plugin-catalogSubsystem reloaded successfully.
Invalid request.
Forbidden. The client does not have permission to reload the subsystem.
Subsystem not found.
Internal server error while reloading subsystem.
No content
Must be set to true
Must be set to true
Returns a list of configured UI headers.
Bad request. The request is malformed or missing required parameters.
Unauthorized. The request lacks valid authentication credentials.
Forbidden. The client does not have permission to access the requested resource.
Not Found. The requested resource does not exist.
Internal Server Error. A server-side error occurred.
The name of the header.
Returns the configuration of the specified UI header.
Not Found. The requested header does not exist.
Internal Server Error. A server-side error occurred.
The name of the header.
Returns multiple values if true
The values to set the header.
Header value successfully configured.
No content
Bad request. The request is malformed or missing required parameters.
Not Found. The requested header does not exist.
Internal Server Error. A server-side error occurred.
No content
The name of the header.
Header successfully removed.
Bad request. The request is malformed or missing required parameters.
Not Found. The requested header does not exist.
Internal Server Error. A server-side error occurred.
No content
The control group ID to authorize.
Authorization successful.
No content
Bad request. The request is malformed or missing required parameters.
Unauthorized. The request lacks valid authentication credentials.
Forbidden. The client does not have permission to perform this action.
Internal Server Error. A server-side error occurred.
No content
Unique identifier for the control group request.
Request processed successfully.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Authentication credentials were missing or invalid.
Forbidden - You do not have permission to perform this action.
Not Found - The control group or requested resource does not exist.
Internal Server Error - An unexpected error occurred on the server.
Specifies the encoded token (result from generate-root).
Specifies the otp code for decode.
Successfully decoded the token.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - The provided credentials are valid but insufficient.
Not Found - The token or associated resources could not be found.
Internal Server Error - An unexpected server-side error occurred.
Successfully returned the list of experimental features.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - You do not have permission to access experimental features.
Not Found - The resource for experimental features could not be located.
Internal Server Error - An unexpected error occurred on the server.
Successfully retrieved the root generation progress.
Bad Request - The request is malformed or invalid.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - Insufficient permissions to read root generation progress.
Not Found - No active root generation attempt found.
Internal Server Error - Unexpected server-side error.
Specifies a base64-encoded PGP public key.
Successfully initialized the root generation attempt.
Bad Request - Missing required parameters or invalid input.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - Insufficient permissions to initialize root generation.
Conflict - A root generation attempt is already in progress.
Internal Server Error - Unexpected server-side error.
Successfully canceled the root generation attempt.
Bad Request - The request is malformed or invalid.
Unauthorized - Authentication credentials are missing or invalid.
Forbidden - Insufficient permissions to cancel the root generation.
Internal Server Error - Unexpected server-side error.
No content
Successfully retrieved root generation progress.
Bad Request - The request is malformed or invalid.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to read the root generation progress.
Not Found - No active root generation attempt found.
Internal Server Error - An unexpected server-side error occurred.
Specifies a base64-encoded PGP public key.
Successfully initialized the root generation attempt.
Bad Request - Missing required parameters or invalid input.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to initiate root generation.
Conflict - A root generation attempt is already in progress.
Internal Server Error - An unexpected server-side error occurred.
Successfully canceled the root generation attempt.
Bad Request - The request is malformed or invalid.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to cancel the root generation.
Internal Server Error - An unexpected server-side error occurred.
No content
Specifies a single unseal key share.
Specifies the nonce of the attempt.
Successfully submitted the key share. Progress updated.
Bad Request - The request is malformed or missing required parameters.
Unauthorized - Missing or invalid authentication credentials.
Forbidden - You do not have permission to submit key shares.
Not Found - No active root generation attempt was found.
Conflict - The root generation attempt is already completed or invalid.
Internal Server Error - A server-side error occurred.
Initialized, unsealed, and active.
No content
Bad Request - Invalid request parameters or format.
Unauthorized - Missing or invalid authentication credentials.
Unsealed and standby.
Data recovery mode replication secondary and active.
Internal Server Error - An unexpected error occurred.
Not initialized.
Sealed.
No content
Successfully retrieved host information.
Bad Request - Malformed request or invalid parameters.
Unauthorized - Authentication credentials missing or invalid.
Internal Server Error - Failed to retrieve host information.
Successfully retrieved in-flight request information.
Bad Request - Malformed request or invalid parameters.
Unauthorized - Authentication credentials missing or invalid.
Internal Server Error - Failed to retrieve in-flight request information.
No content
Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as recovery_shares.
Specifies the number of shares to split the recovery key into.
Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to recovery_shares.
Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation.
Specifies the number of shares to split the unseal key into.
Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as secret_shares.
Successfully initialized Vault.
Bad Request - Vault is already initialized or request parameters are invalid.
Conflict - Vault is already initialized.
Internal Server Error - Failed to initialize Vault.
No content
Successfully exported client activity data.
Bad Request - Malformed request.
Internal Server Error - Failed to export activity data.
No content
Successfully retrieved monthly client counts.
Bad Request - Malformed request.
Internal Server Error - Failed to retrieve monthly counts.
No content
Successfully retrieved client count configuration.
Bad Request - Malformed request.
Internal Server Error - Failed to retrieve configuration.
No content
Number of months to report if no start date specified.
12Enable or disable collection of client count: enable, disable, or default.
defaultNumber of months of client data to retain. Setting to 0 will clear all existing data.
24Successfully updated client count tracking configuration.
Bad Request - Invalid configuration settings provided.
Internal Server Error - Failed to update configuration.
No content
Successfully retrieved entity count.
Bad Request - Malformed or invalid request.
Internal Server Error - Failed to retrieve entity count.
Deprecated API call successful (no useful output).
No content
Bad Request - Invalid call to deprecated API.
Internal Server Error - Deprecated API failure.
No content
Name of the subtree being observed (e.g., uuid, accessor, storage, root).
Successfully retrieved the entries in the router for the specified tag.
Bad Request - Invalid or malformed tag or missing required parameters.
Not Found - The specified tag does not exist in the router.
Internal Server Error - Failed to retrieve router entries.
No content
Context string appended to every operationId
Successfully generated OpenAPI document
Invalid request
Internal server error
The lease identifier to renew. This is included with a lease.
Successfully retrieved lease metadata
Bad request
Lease not found
Internal server error
The path to list leases under. Example: "aws/creds/deploy"
Must be set to 'true'
Successfully listed leases for the prefix
Invalid input
Prefix not found
Internal server error
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
Lease renewed successfully (no content)
Bad request
Lease not found
Internal server error
No content
The lease ID to renew. Example: "database/creds/my-role/Y7sGbfd9"
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
Lease renewed successfully (no content)
Bad request
Lease not found
Internal server error
No content
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
trueThe lease identifier to renew. This is included with a lease.
Lease revoked successfully (no content)
Bad request
Lease not found
Internal server error
No content
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
The path to revoke keys under. Example: "prod/aws/ops"
Whether or not to perform the revocation synchronously
trueOK
OK
No content
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
trueOK
OK
No content
Identifier of the alias (e.g., username or RoleID).
Identifier of the mount entry associated with the user.
User successfully unlocked.
User or mount not found.
Internal server error.
Name of the logger to modify.
Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".
Logger level updated.
Invalid log level.
No content
Must be set to "true" to list keys.
Managed keys listed.
Missing or incorrect query parameter.
The type of the managed key (e.g., "transit", "pkcs11").
The name of the managed key to use for the test signing operation.
Test signing successful.
Invalid input data for signing.
Managed key not found.
Internal server error during test sign.
The output format for the metrics. Currently, only prometheus is supported.
Metrics exported successfully.
Bad request. The format parameter is invalid or missing.
Internal server error while exporting metrics.
A required parameter that must be set to true to retrieve the list of MFA methods.
Successfully retrieved the list of configured MFA methods.
Bad request. The list parameter was missing or invalid.
Internal server error while retrieving MFA methods.
The unique name of the Okta MFA method.
Successfully retrieved the Okta MFA configuration.
Invalid request syntax or parameters.
Forbidden – insufficient access rights.
The specified MFA method was not found.
Unexpected internal server error.
The unique name of the Okta MFA method.
Successfully created or updated the Okta MFA method.
Bad request – invalid payload or missing fields.
Forbidden – access denied.
Internal server error.
The unique name of the Okta MFA method.
The method was successfully deleted; no content returned.
Invalid request syntax or missing required fields.
Forbidden – client lacks necessary permissions.
The requested MFA method was not found.
Internal server error.
No content
The name of the PingID MFA method configuration.
Successfully retrieved the PingID configuration.
Invalid input.
Forbidden.
Method not found.
Server error.
The name of the PingID MFA method configuration.
PingID method created or updated successfully.
Bad request.
Forbidden.
Internal server error.
The name of the PingID MFA method configuration.
PingID method configuration deleted successfully. No content returned.
Invalid request or parameters.
Forbidden. Client lacks necessary permissions.
PingID method configuration not found.
Internal server error.
No content
The name of the TOTP MFA method configuration.
Successfully retrieved the TOTP method configuration.
Invalid input or missing parameters.
Forbidden.
Method not found.
Server error.
The name of the TOTP MFA method configuration.
TOTP method created or updated successfully.
Bad request or validation error.
Forbidden.
Internal server error.
The name of the TOTP MFA method configuration.
TOTP method deleted successfully. No content returned.
Bad request or invalid input.
Forbidden. Insufficient permissions.
The specified TOTP method configuration was not found.
Internal server error.
No content
The name of the TOTP MFA method configuration to destroy.
The TOTP method was successfully destroyed.
Invalid request format or parameters.
Forbidden. The user does not have the required permissions.
The specified TOTP method configuration was not found.
Internal server error.
The name of the TOTP MFA method configuration.
TOTP key successfully generated.
Bad request. Invalid input data.
Forbidden. Insufficient permissions to perform this operation.
The specified TOTP configuration was not found.
Internal server error.
Name of the TOTP MFA method configuration to generate a key for.
Successfully retrieved the TOTP key and OTP URL.
Bad request — invalid request parameters.
Forbidden — insufficient permissions to generate TOTP key.
Not found — specified TOTP method does not exist.
Internal server error — unexpected error occurred.
A map from MFA method ID to a slice of passcodes or an empty slice if the method does not use passcodes
ID for this MFA request
Successful MFA validation and authentication.
Bad request — missing or invalid fields in the request.
Forbidden — MFA validation failed or unauthorized access.
Not found — specified MFA method or user not found.
Internal server error — unexpected failure during validation.
Output format of logs. Supported values are "standard" and "json". The default is "standard".
standardPossible values: Log level to view system logs at. Currently supported values are "trace", "debug", "info", "warn", "error".
OK
OK
The path to mount to. Example: "aws/east"
Configuration for this mount, such as default_lease_ttl and max_lease_ttl.
User-friendly description for this mount.
Whether to give the mount access to Vault's external entropy.
falseMark the mount as a local mount, which is not replicated and is unaffected by replication.
falseThe options to pass into the backend. Should be a json object with string keys and values.
Name of the plugin to mount based from the name registered in the plugin catalog.
The semantic version of the plugin to use.
Whether to turn on seal wrapping for the mount.
falseThe type of the backend. Example: "passthrough"
OK
OK
No content
The path to mount to. Example: "aws/east"
OK
Bad Request
Internal Server Error
The name of the plugin
The args passed to plugin command.
The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
The environment variables passed to plugin command. Each entry is of the form "key=value".
The SHA256 sum of the executable used in the command field. This should be HEX encoded.
The type of the plugin, may be auth, secret, or database
The semantic version of the plugin to use.
OK
No content
OK
No content
The name of the plugin
The type of the plugin, may be auth, secret, or database
The args passed to plugin command.
The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
The environment variables passed to plugin command. Each entry is of the form "key=value".
The SHA256 sum of the executable used in the command field. This should be HEX encoded.
The semantic version of the plugin to use.
OK
No content
OK
No content
The mount paths of the plugin backends to reload.
The name of the plugin to reload, as registered in the plugin catalog.
OK
OK
The name of the EGP policy.
Policy created or updated successfully
No content
Invalid policy definition
Internal Server Error
No content
If set, starts audit logging of requests that get rejected due to rate limit quota rule violations.
If set, additional rate limit quota HTTP headers will be added to responses.
Specifies the list of exempt paths from all rate limit quotas. If empty no paths will be exempt.
Quota configuration updated successfully (empty body)
Invalid configuration request
Internal server error
No content
Name of the quota rule.
If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.
The duration to enforce rate limiting for (default '1s').
Path of the mount or namespace to apply the quota. A blank path configures a global quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1.
The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive.
Login role to apply this quota to. Note that when set, path must be configured to a valid auth method with a concept of roles.
Type of the quota rule.
Quota created or updated successfully (no content)
Invalid quota configuration
No content
Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.
Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
Turns on verification functionality
Specifies the number of shares to split the unseal key into.
Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
OK
OK
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
OK
OK
No content
The lease identifier to renew. This is included with a lease.
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
OK
OK
No content
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
trueThe lease identifier to renew. This is included with a lease.
OK
OK
No content
Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately.
The path to revoke keys under. Example: "prod/aws/ops"
Whether or not to perform the revocation synchronously
trueOK
OK
No content
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
trueOK
OK
No content
Whether automatic rotation is enabled.
How long after installation of an active key term that the key will be automatically rotated.
The number of encryption operations performed before the barrier key is automatically rotated.
Configuration updated successfully.
Invalid input configuration.
Forbidden. Sudo permissions required.
No content
Must be set to true
Successfully listed configured snapshot jobs.
Missing or incorrect list=true query parameter.
The name of the snapshot job configuration.
Snapshot job configuration retrieved.
Snapshot configuration not found.
The name of the snapshot job configuration.
Snapshot configuration saved successfully.
Invalid configuration.
Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to "sha2-256".
sha2-256Encoding format to use. Can be "hex" or "base64". Defaults to "hex".
hexThe base64-encoded input data
Algorithm to use (POST URL parameter)
Hash generated successfully.
Invalid input provided.
The hash algorithm to use (e.g., sha2-256, sha2-512)
Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to "sha2-256".
sha2-256Encoding format to use. Can be "hex" or "base64". Defaults to "hex".
hexThe base64-encoded input data
Hash generated successfully using the specified algorithm.
Invalid algorithm or input provided.
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64Which system to source random data from, ether "platform", "seal", or "all".
platformThe number of bytes to generate (POST URL parameter)
Random bytes generated successfully.
Invalid request parameters.
Source to generate randomness from
platformPossible values: The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64The number of bytes to generate (POST URL parameter)
Random bytes generated successfully from specified source.
Invalid request or unknown source.
Number of bytes to generate
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64Which system to source random data from, ether "platform", "seal", or "all".
platformRandom bytes generated successfully.
Invalid byte count or input.
Source to generate randomness from
Number of bytes to generate
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64Random bytes generated successfully.
Invalid input or unsupported source.
Last updated
Was this helpful?