System
The name of the backend. Cannot be delimited. Example: 'mysql'
The path to mount to. Cannot be delimited. Example: 'user'
This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via sys/mounts/auth/[auth-path]/tune.
Tune the configuration parameters for an auth path.
The name of the request header to audit.
X-Request-ID
No content
The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry.
The name of the header.
No content
Returns the configuration and progress details of the ongoing root token generation process.
Cancels any in-progress root token generation attempt, allowing a new attempt to be started.
No content
Returns configuration and current progress details for an active root token generation attempt.
Cancels any in-progress root token generation attempt to allow a new one to begin.
No content
Retrieves detailed information regarding the HA cluster setup, including whether the node is active, standby, and information about the leader.
Returns different HTTP status codes depending on Vault's current state:
- 200: Vault is initialized, unsealed, and active.
- 429: Vault is unsealed and in standby mode.
- 472: Vault is in data recovery mode, acting as replication secondary and active.
- 501: Vault is not initialized.
- 503: Vault is sealed and unavailable.
No content
Collects and returns host-level system information including hardware details, CPU utilization, disk usage, and memory statistics. Useful for monitoring the resource consumption of the Vault instance.
Returns a map of ongoing API requests ("in-flight requests") to assist with debugging and load monitoring. Each entry provides information such as client details, request path, and duration.
No content
Checks whether Vault has already been initialized. This endpoint returns the initialization status without making any modifications to the Vault state.
No content
Retrieves historical counts of unique clients that interacted with Vault, covering the current namespace and all child namespaces.
No content
Exports detailed raw historical client activity data for analysis and reporting outside of Vault.
No content
Returns the number of unique clients that have interacted with Vault during the current month for this namespace and all child namespaces.
No content
Returns the current configuration settings for client count collection, including status, retention period, and default reporting period.
No content
Retrieves the current number of active identity entities managed by the Vault server. Note: Backward compatibility is not guaranteed for this endpoint.
This endpoint is currently unsupported and deprecated. Previously, it provided a count of requests handled by the Vault cluster. Note: Backward compatibility is not guaranteed.
No content
Retrieves the current number of active authentication tokens managed by Vault. Note: Backward compatibility is not guaranteed for this endpoint.
Retrieves the entries in the router for the specified subtree (uuid, accessor, storage, root). The tag path parameter must be one of the inspectable subtrees. This endpoint provides information about the structure and entries in the router trees.
Name of the subtree being observed (e.g., uuid, accessor, storage, root).
No content
The path to list leases under. Example: "aws/creds/deploy"
Must be set to 'true'
Unlike /sys/leases/revoke-prefix, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation.
By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled.
The path to revoke keys under. Example: "prod/aws/ops"
OK
No content
Identifier of the alias (e.g., username or RoleID).
Identifier of the mount entry associated with the user.
The unique name of the Okta MFA method.
No content
The name of the PingID MFA method configuration.
No content
The name of the TOTP MFA method configuration.
No content
The name of the TOTP MFA method configuration to destroy.
Name of the TOTP MFA method configuration to generate a key for.
Fetch system logs based on the selected output format and log level.
Output format of logs. Supported values are "standard" and "json". The default is "standard".
standard
Log level to view system logs at. Currently supported values are "trace", "debug", "info", "warn", "error".
OK
This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.
OK
No content
Rotates the backend encryption key used to persist Vault data. This operation is a no-op if key rotation is disabled.
No content
This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again.
empty body
No content
The name of the audit backend. Cannot be delimited. Example: 'mysql'
The name of the backend. Cannot be delimited. Example: 'mysql'
User-friendly description for this audit backend.
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
Configuration options for the audit backend.
The type of the backend. Example: "mysql"
After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. For example, enabling the "userpass" auth method at "user" will make it accessible at /auth/user.
The path to mount to. Cannot be delimited. Example: 'user'
Configuration for this mount, such as plugin_name.
User-friendly description for this credential backend.
Whether to give the mount access to Vault's external entropy.
false
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
The options to pass into the backend. Should be a json object with string keys and values.
Name of the auth plugin to use, based on the name in the plugin catalog.
The semantic version of the plugin to use.
Whether to turn on seal wrapping for the mount.
false
The type of the backend. Example: "userpass"
A list of headers to whitelist and allow a plugin to set on responses.
The list of keys in the request data object that will not be HMAC'ed by audit devices.
The list of keys in the response data object that will not be HMAC'ed by audit devices.
The default lease TTL for this mount.
User-friendly description for this credential backend.
Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and 'hidden', with the empty default ('') behaving like 'hidden'.
The max lease TTL for this mount.
The options to pass into the backend. Should be a json object with string keys and values.
A list of headers to whitelist and pass from the request to the plugin.
The semantic version of the plugin to use.
The type of token to issue (service or batch).
The user lockout configuration to pass into the backend. Should be a json object with string keys and values.
Use 'paths' instead.
Paths on which capabilities are being queried.
Token for which capabilities are being queried.
Accessor of the token for which capabilities are being queried.
Use 'paths' instead.
Paths on which capabilities are being queried.
Use 'paths' instead.
Paths on which capabilities are being queried.
Token for which capabilities are being queried.
The name of the request header to audit.
X-Request-ID
No content
A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests.
A comma-separated string or array of strings indicating origins that may make cross-origin requests.
Enables or disables CORS headers on requests.
No content
The name of the subsystem to reload.
plugin-catalog
No content
Must be set to true
Must be set to true
The name of the header.
Returns multiple values if true
The values to set the header.
No content
The control group ID to authorize.
No content
Unique identifier for the control group request.
This endpoint decodes an encoded token using the provided one-time password (OTP). It can be used in unauthenticated contexts.
Specifies the encoded token (result from generate-root).
Specifies the otp code for decode.
Starts a new root generation attempt. Only one attempt can be active at a time. Either otp or pgp_key must be provided.
Specifies a base64-encoded PGP public key.
Submits a single unseal key share for the active root generation attempt. If the required threshold of key shares is reached, Vault completes the root token generation and issues the new token. The attempt nonce must be provided with each call.
Specifies a single unseal key share.
Specifies the nonce of the attempt.
Initializes the Vault server. Initialization is a one-time operation. After successful initialization, Vault will generate a set of unseal keys and an initial root token. If using HSM, recovery and stored shares options can be configured during this process.
Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as recovery_shares.
Specifies the number of shares to split the recovery key into.
Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to recovery_shares.
Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation.
Specifies the number of shares to split the unseal key into.
Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as secret_shares.
No content
Enables or disables the collection of client counts and configures the retention period and default reporting period for client activity data.
Number of months to report if no start date specified.
12
Enable or disable collection of client count: enable, disable, or default.
default
Number of months of client data to retain. Setting to 0 will clear all existing data.
24
No content
The lease identifier to renew. This is included with a lease.
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
No content
The lease ID to renew. Example: "database/creds/my-role/Y7sGbfd9"
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
No content
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
true
The lease identifier to renew. This is included with a lease.
No content
The path to revoke keys under. Example: "prod/aws/ops"
Whether or not to perform the revocation synchronously
true
OK
No content
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
true
OK
No content
Name of the logger to modify.
Log verbosity level. Supported values (in order of detail) are "trace", "debug", "info", "warn", and "error".
No content
The type of the managed key (e.g., "transit", "pkcs11").
The name of the managed key to use for the test signing operation.
The output format for the metrics. Currently, only prometheus is supported.
A required parameter that must be set to true to retrieve the list of MFA methods.
The unique name of the Okta MFA method.
The name of the PingID MFA method configuration.
The name of the TOTP MFA method configuration.
The name of the TOTP MFA method configuration.
Validates MFA credentials submitted by the user. Upon successful validation, it returns an authentication response that includes a client token. This endpoint is typically called after initial credentials are provided and MFA is required.
A map from MFA method ID to a slice of passcodes or an empty slice if the method does not use passcodes
ID for this MFA request
The path to mount to. Example: "aws/east"
Configuration for this mount, such as default_lease_ttl and max_lease_ttl.
User-friendly description for this mount.
Whether to give the mount access to Vault's external entropy.
false
Mark the mount as a local mount, which is not replicated and is unaffected by replication.
false
The options to pass into the backend. Should be a json object with string keys and values.
Name of the plugin to mount, based on the name registered in the plugin catalog.
The semantic version of the plugin to use.
Whether to turn on seal wrapping for the mount.
false
The type of the backend. Example: "passthrough"
OK
No content
The path to mount to. Example: "aws/east"
The name of the plugin
The args passed to plugin command.
The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
The environment variables passed to plugin command. Each entry is of the form "key=value".
The SHA256 sum of the executable used in the command field. This should be HEX encoded.
The type of the plugin, may be auth, secret, or database
The semantic version of the plugin to use.
OK
No content
The name of the plugin
The type of the plugin, may be auth, secret, or database
The args passed to plugin command.
The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory.
The environment variables passed to plugin command. Each entry is of the form "key=value".
The SHA256 sum of the executable used in the command field. This should be HEX encoded.
The semantic version of the plugin to use.
OK
No content
Either the plugin name (plugin) or the desired plugin backend mounts (mounts) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded. If scope is provided and is set to global, the plugin(s) are reloaded globally.
The mount paths of the plugin backends to reload.
The name of the plugin to reload, as registered in the plugin catalog.
If set, starts audit logging of requests that get rejected due to rate limit quota rule violations.
If set, additional rate limit quota HTTP headers will be added to responses.
Specifies the list of exempt paths from all rate limit quotas. If empty no paths will be exempt.
No content
Name of the quota rule.
If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed.
The duration to enforce rate limiting for (default '1s').
Path of the mount or namespace to apply the quota. A blank path configures a global quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1.
The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive.
Login role to apply this quota to. Note that when set, path must be configured to a valid auth method with a concept of roles.
Type of the quota rule.
No content
Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce.
Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys.
Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares.
Turns on verification functionality
Specifies the number of shares to split the unseal key into.
Specifies the number of shares required to reconstruct the unseal key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares.
OK
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
OK
No content
The lease identifier to renew. This is included with a lease.
The desired increment in seconds to the lease
The lease identifier to renew. This is included with a lease.
OK
No content
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
true
The lease identifier to renew. This is included with a lease.
OK
No content
The path to revoke keys under. Example: "prod/aws/ops"
Whether or not to perform the revocation synchronously
true
OK
No content
The lease identifier to renew. This is included with a lease.
The lease identifier to renew. This is included with a lease.
Whether or not to perform the revocation synchronously
true
OK
No content
Whether automatic rotation is enabled.
How long after installation of an active key term that the key will be automatically rotated.
The number of encryption operations performed before the barrier key is automatically rotated.
No content
Triggers rewrap for keys encrypted with an old seal configuration. This may take time depending on the size of the data.
Accepts raw input data and returns its hash digest using Vault's configured default hash algorithm.
Algorithm to use (POST body parameter). Valid values are sha2-224, sha2-256, sha2-384, and sha2-512. Defaults to "sha2-256".
sha2-256
Encoding format to use. Can be "hex" or "base64". Defaults to "hex".
hex
The base64-encoded input data
Algorithm to use (POST URL parameter)
Accepts raw input data and returns its hash digest using the algorithm specified in the URL.
The hash algorithm to use (e.g., sha2-256, sha2-512)
Algorithm to use (POST body parameter). Valid values are sha2-224, sha2-256, sha2-384, and sha2-512. Defaults to "sha2-256".
sha2-256
Encoding format to use. Can be "hex" or "base64". Defaults to "hex".
hex
The base64-encoded input data
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
Which system to source random data from, either "platform", "seal", or "all".
platform
The number of bytes to generate (POST URL parameter)
Source to generate randomness from
platform
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
The number of bytes to generate (POST URL parameter)
Number of bytes to generate
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
Which system to source random data from, either "platform", "seal", or "all".
platform
Source to generate randomness from
Number of bytes to generate
The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits).
32
Encoding format to use. Can be "hex" or "base64". Defaults to "base64".
base64
Accepts a response-wrapped token and returns a new wrapped token.
Unwraps a token and returns the original payload.