generated: '2026-07-15' method: generated source: openapi/hashicorp-vault-openapi.yml description: Recommended x-agentic-access execution contracts, classified heuristically from the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind audience per deployment. See research/curity/agentic-governance/. summary: operations: 54 by_action_class: connected: 15 acting: 39 by_consequence: read: 15 write: 33 safety-critical: 6 human_in_the_loop_required: 6 operations: - path: /sys/init method: get operationId: getInitStatus x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/init method: put operationId: initialize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/seal-status method: get operationId: getSealStatus x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/seal method: put operationId: seal x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/unseal method: put operationId: unseal x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/health method: get operationId: getHealth x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/mounts method: get operationId: listSecretEngines x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/mounts/{path} method: post operationId: enableSecretEngine x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/mounts/{path} method: delete operationId: disableSecretEngine x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /sys/auth method: get operationId: listAuthMethods x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/auth/{path} method: post operationId: enableAuthMethod x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/auth/{path} method: delete operationId: disableAuthMethod x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /sys/policies/acl method: get operationId: listACLPolicies x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/policies/acl/{name} method: get operationId: getACLPolicy x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/policies/acl/{name} method: put operationId: createACLPolicy x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/policies/acl/{name} method: delete operationId: deleteACLPolicy x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/audit method: get operationId: listAuditDevices x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/audit/{path} method: put operationId: enableAuditDevice x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/audit/{path} method: delete operationId: disableAuditDevice x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /sys/leases/lookup method: put operationId: lookupLease x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/leases/renew method: put operationId: renewLease x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/leases/revoke method: put operationId: revokeLease x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /auth/token/create method: post operationId: createToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/lookup method: post operationId: lookupToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/lookup-self method: get operationId: lookupSelfToken x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /auth/token/renew method: post operationId: renewToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/renew-self method: post operationId: renewSelfToken x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/token/revoke method: post operationId: revokeToken x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /auth/token/revoke-self method: post operationId: revokeSelfToken x-agentic-access: action-class: acting consequence: safety-critical subject: required audience: null token: max-ttl: 120 exchange: true purpose-required: true proof-of-possession: true escalation: human-in-the-loop: required audit: required - path: /auth/userpass/login/{username} method: post operationId: loginUserpass x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /auth/approle/login method: post operationId: loginAppRole x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /secret/data/{path} method: get operationId: readKVSecret x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /secret/data/{path} method: post operationId: createKVSecret x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /secret/data/{path} method: delete operationId: deleteKVSecretLatest x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /secret/metadata/{path} method: get operationId: getKVMetadata x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /secret/metadata/{path} method: delete operationId: deleteKVMetadata x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /secret/delete/{path} method: post operationId: deleteKVSecretVersions x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /secret/undelete/{path} method: post operationId: undeleteKVSecretVersions x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /secret/destroy/{path} method: post operationId: destroyKVSecretVersions x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /transit/encrypt/{name} method: post operationId: transitEncrypt x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /transit/decrypt/{name} method: post operationId: transitDecrypt x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /transit/keys/{name} method: post operationId: createTransitKey x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /transit/keys/{name} method: get operationId: getTransitKey x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /transit/keys/{name} method: delete operationId: deleteTransitKey x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity method: post operationId: createEntity x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity/id/{id} method: get operationId: getEntity x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /identity/entity/id/{id} method: post operationId: updateEntity x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /identity/entity/id/{id} method: delete operationId: deleteEntity x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/generate-root/attempt method: get operationId: getRootGenerationProgress x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/generate-root/attempt method: put operationId: startRootGeneration x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/generate-root/attempt method: delete operationId: cancelRootGeneration x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/leader method: get operationId: getLeader x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sys/wrapping/wrap method: post operationId: wrap x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sys/wrapping/unwrap method: post operationId: unwrap x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required