openapi: 3.0.2 info: title: HashiCorp Vault API description: HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. version: 1.9.3 license: name: Mozilla Public License 2.0 url: https://www.mozilla.org/en-US/MPL/2.0 paths: "/auth/token/accessors/": description: List token accessors, which can then be used to iterate and discover their properties or revoke them. Because this can be used to cause a denial of service, this endpoint requires 'sudo' capability in addition to 'list'. x-vault-sudo: true get: summary: |- HashiCorp List token accessors, which can then be used to iterate and discover their properties or revoke them. Because this can be used to cause a denial of service, this endpoint requires 'sudo' capability in addition to 'list'. operationId: getAuthTokenAccessors tags: - Auth parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/auth/token/create": description: The token create path is used to create new tokens. post: summary: HashiCorp The token create path is used to create new tokens. operationId: postAuthTokenCreate tags: - Auth responses: '200': description: OK "/auth/token/create-orphan": description: The token create path is used to create new orphan tokens. post: summary: HashiCorp The token create path is used to create new orphan tokens. operationId: postAuthTokenCreateOrphan tags: - Auth responses: '200': description: OK "/auth/token/create/{role_name}": description: This token create path is used to create new tokens adhering to the given role. parameters: - name: role_name description: Name of the role in: path schema: type: string required: true post: summary: HashiCorp This token create path is used to create new tokens adhering to the given role. operationId: postAuthTokenCreateRole_name tags: - Auth responses: '200': description: OK "/auth/token/lookup": description: This endpoint will lookup a token and its properties.
get: summary: HashiCorp This endpoint will lookup a token and its properties. operationId: getAuthTokenLookup tags: - Auth responses: '200': description: OK post: summary: HashiCorp This endpoint will lookup a token and its properties. operationId: postAuthTokenLookup tags: - Auth requestBody: content: application/json: schema: type: object properties: token: type: string description: Token to lookup (POST request body) responses: '200': description: OK "/auth/token/lookup-accessor": description: This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID. post: summary: HashiCorp This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID. operationId: postAuthTokenLookupAccessor tags: - Auth requestBody: content: application/json: schema: type: object properties: accessor: type: string description: Accessor of the token to look up (request body) responses: '200': description: OK "/auth/token/lookup-self": description: This endpoint will lookup a token and its properties. get: summary: HashiCorp This endpoint will lookup a token and its properties. operationId: getAuthTokenLookupSelf tags: - Auth responses: '200': description: OK post: summary: HashiCorp This endpoint will lookup a token and its properties. operationId: postAuthTokenLookupSelf tags: - Auth requestBody: content: application/json: schema: type: object properties: token: type: string description: Token to look up (unused, does not need to be set) responses: '200': description: OK "/auth/token/renew": description: This endpoint will renew the given token and prevent expiration. post: summary: HashiCorp This endpoint will renew the given token and prevent expiration. 
operationId: postAuthTokenRenew tags: - Auth requestBody: content: application/json: schema: type: object properties: increment: type: integer description: The desired increment in seconds to the token expiration format: seconds default: 0 token: type: string description: Token to renew (request body) responses: '200': description: OK "/auth/token/renew-accessor": description: This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID. post: summary: HashiCorp This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID. operationId: postAuthTokenRenewAccessor tags: - Auth requestBody: content: application/json: schema: type: object properties: accessor: type: string description: Accessor of the token to renew (request body) increment: type: integer description: The desired increment in seconds to the token expiration format: seconds default: 0 responses: '200': description: OK "/auth/token/renew-self": description: This endpoint will renew the token used to call it and prevent expiration. post: summary: HashiCorp This endpoint will renew the token used to call it and prevent expiration. operationId: postAuthTokenRenewSelf tags: - Auth requestBody: content: application/json: schema: type: object properties: increment: type: integer description: The desired increment in seconds to the token expiration format: seconds default: 0 token: type: string description: Token to renew (unused, does not need to be set) responses: '200': description: OK "/auth/token/revoke": description: This endpoint will delete the given token and all of its child tokens. post: summary: HashiCorp This endpoint will delete the given token and all of its child tokens. 
operationId: postAuthTokenRevoke tags: - Auth requestBody: content: application/json: schema: type: object properties: token: type: string description: Token to revoke (request body) responses: '200': description: OK "/auth/token/revoke-accessor": description: This endpoint will delete the token associated with the accessor and all of its child tokens. post: summary: HashiCorp This endpoint will delete the token associated with the accessor and all of its child tokens. operationId: postAuthTokenRevokeAccessor tags: - Auth requestBody: content: application/json: schema: type: object properties: accessor: type: string description: Accessor of the token (request body) responses: '200': description: OK "/auth/token/revoke-orphan": description: This endpoint will delete the token and orphan its child tokens. post: summary: HashiCorp This endpoint will delete the token and orphan its child tokens. operationId: postAuthTokenRevokeOrphan tags: - Auth requestBody: content: application/json: schema: type: object properties: token: type: string description: Token to revoke (request body) responses: '200': description: OK "/auth/token/revoke-self": description: This endpoint will delete the token used to call it and all of its child tokens. post: summary: HashiCorp This endpoint will delete the token used to call it and all of its child tokens. operationId: postAuthTokenRevokeSelf tags: - Auth responses: '200': description: OK "/auth/token/roles": description: This endpoint lists configured roles. get: summary: HashiCorp This endpoint lists configured roles. 
operationId: getAuthTokenRoles tags: - Auth parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/auth/token/roles/{role_name}": parameters: - name: role_name description: Name of the role in: path schema: type: string required: true x-vault-createSupported: true get: operationId: getAuthTokenRolesRole_name tags: - Auth responses: '200': description: OK post: operationId: postAuthTokenRolesRole_name tags: - Auth requestBody: content: application/json: schema: type: object properties: allowed_entity_aliases: type: array description: String or JSON list of allowed entity aliases. If set, specifies the entity aliases which are allowed to be used during token generation. This field supports globbing. items: type: string allowed_policies: type: array description: If set, tokens can be created with any subset of the policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy names. items: type: string allowed_policies_glob: type: array description: If set, tokens can be created with any subset of glob matched policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy name globs. items: type: string bound_cidrs: type: array description: Use 'token_bound_cidrs' instead. items: type: string deprecated: true disallowed_policies: type: array description: If set, successful token creation via this role will require that no policies in the given list are requested. The parameter is a comma-delimited string of policy names. items: type: string disallowed_policies_glob: type: array description: If set, successful token creation via this role will require that no requested policies glob match any of policies in this list. The parameter is a comma-delimited string of policy name globs. 
items: type: string explicit_max_ttl: type: integer description: Use 'token_explicit_max_ttl' instead. format: seconds deprecated: true orphan: type: boolean description: If true, tokens created via this role will be orphan tokens (have no parent) path_suffix: type: string description: If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression \w[\w-.]+\w period: type: integer description: Use 'token_period' instead. format: seconds deprecated: true renewable: type: boolean description: Tokens created via this role will be renewable or not according to this value. Defaults to "true". default: true token_bound_cidrs: type: array description: Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token. items: type: string x-vault-displayAttrs: name: Generated Token's Bound CIDRs group: Tokens token_explicit_max_ttl: type: integer description: If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.
format: seconds x-vault-displayAttrs: name: Generated Token's Explicit Maximum TTL group: Tokens token_no_default_policy: type: boolean description: If true, the 'default' policy will not automatically be added to generated tokens x-vault-displayAttrs: name: Do Not Attach 'default' Policy To Generated Tokens group: Tokens token_num_uses: type: integer description: The maximum number of times a token may be used, a value of zero means unlimited x-vault-displayAttrs: name: Maximum Uses of Generated Tokens group: Tokens token_period: type: integer description: If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h"). format: seconds x-vault-displayAttrs: name: Generated Token's Period group: Tokens token_type: type: string description: The type of token to generate, service or batch default: default-service x-vault-displayAttrs: name: Generated Token's Type group: Tokens responses: '200': description: OK delete: operationId: deleteAuthTokenRolesRole_name tags: - Auth responses: '204': description: empty body "/auth/token/tidy": description: This endpoint performs cleanup tasks that can be run if certain error conditions have occurred. post: summary: |- HashiCorp This endpoint performs cleanup tasks that can be run if certain error conditions have occurred. operationId: postAuthTokenTidy tags: - Auth responses: '200': description: OK "/cubbyhole/{path}": description: Pass-through secret storage to a token-specific cubbyhole in the storage backend, allowing you to read/write arbitrary data into secret storage. parameters: - name: path description: Specifies the path of the secret. in: path schema: type: string required: true x-vault-createSupported: true get: summary: HashiCorp Retrieve the secret at the specified location. 
operationId: getCubbyholePath tags: - Secrets parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK post: summary: HashiCorp Store a secret at the specified location. operationId: postCubbyholePath tags: - Secrets responses: '200': description: OK delete: summary: HashiCorp Deletes the secret at the specified location. operationId: deleteCubbyholePath tags: - Secrets responses: '204': description: empty body "/identity/alias": description: Create a new alias. post: summary: HashiCorp Create a new alias. operationId: postIdentityAlias tags: - Identity requestBody: content: application/json: schema: type: object properties: canonical_id: type: string description: Entity ID to which this alias belongs to entity_id: type: string description: Entity ID to which this alias belongs to. This field is deprecated in favor of 'canonical_id'. id: type: string description: ID of the alias mount_accessor: type: string description: Mount accessor to which this alias belongs to name: type: string description: Name of the alias responses: '200': description: OK "/identity/alias/id": description: List all the alias IDs. get: summary: HashiCorp List all the alias IDs. operationId: getIdentityAliasId tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/alias/id/{id}": description: Update, read or delete an alias ID. parameters: - name: id description: ID of the alias in: path schema: type: string required: true get: summary: HashiCorp Update, read or delete an alias ID. operationId: getIdentityAliasIdId tags: - Identity responses: '200': description: OK post: summary: HashiCorp Update, read or delete an alias ID. 
operationId: postIdentityAliasIdId tags: - Identity requestBody: content: application/json: schema: type: object properties: canonical_id: type: string description: Entity ID to which this alias should be tied to entity_id: type: string description: Entity ID to which this alias should be tied to. This field is deprecated in favor of 'canonical_id'. mount_accessor: type: string description: Mount accessor to which this alias belongs to name: type: string description: Name of the alias responses: '200': description: OK delete: summary: HashiCorp Update, read or delete an alias ID. operationId: deleteIdentityAliasIdId tags: - Identity responses: '204': description: empty body "/identity/entity": description: Create a new entity post: summary: HashiCorp Create a new entity operationId: postIdentityEntity tags: - Identity requestBody: content: application/json: schema: type: object properties: disabled: type: boolean description: If set true, tokens tied to this identity will not be able to be used (but will not be revoked). id: type: string description: ID of the entity. If set, updates the corresponding existing entity. metadata: type: object description: 'Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' format: kvpairs name: type: string description: Name of the entity policies: type: array description: Policies to be tied to the entity. items: type: string responses: '200': description: OK "/identity/entity-alias": description: Create a new alias. post: summary: HashiCorp Create a new alias. 
operationId: postIdentityEntityAlias tags: - Identity requestBody: content: application/json: schema: type: object properties: canonical_id: type: string description: Entity ID to which this alias belongs custom_metadata: type: object description: User provided key-value pairs format: kvpairs entity_id: type: string description: Entity ID to which this alias belongs. This field is deprecated, use canonical_id. id: type: string description: ID of the entity alias. If set, updates the corresponding entity alias. mount_accessor: type: string description: Mount accessor to which this alias belongs to; unused for a modify name: type: string description: Name of the alias; unused for a modify responses: '200': description: OK "/identity/entity-alias/id": description: List all the alias IDs. get: summary: HashiCorp List all the alias IDs. operationId: getIdentityEntityAliasId tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/entity-alias/id/{id}": description: Update, read or delete an alias ID. parameters: - name: id description: ID of the alias in: path schema: type: string required: true get: summary: HashiCorp Update, read or delete an alias ID. operationId: getIdentityEntityAliasIdId tags: - Identity responses: '200': description: OK post: summary: HashiCorp Update, read or delete an alias ID. operationId: postIdentityEntityAliasIdId tags: - Identity requestBody: content: application/json: schema: type: object properties: canonical_id: type: string description: Entity ID to which this alias should be tied to custom_metadata: type: object description: User provided key-value pairs format: kvpairs entity_id: type: string description: Entity ID to which this alias belongs to. This field is deprecated, use canonical_id. 
mount_accessor: type: string description: "(Unused)" name: type: string description: "(Unused)" responses: '200': description: OK delete: summary: HashiCorp Update, read or delete an alias ID. operationId: deleteIdentityEntityAliasIdId tags: - Identity responses: '204': description: empty body "/identity/entity/batch-delete": description: Delete all of the entities provided post: summary: HashiCorp Delete all of the entities provided operationId: postIdentityEntityBatchDelete tags: - Identity requestBody: content: application/json: schema: type: object properties: entity_ids: type: array description: Entity IDs to delete items: type: string responses: '200': description: OK "/identity/entity/id": description: List all the entity IDs get: summary: HashiCorp List all the entity IDs operationId: getIdentityEntityId tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/entity/id/{id}": description: Update, read or delete an entity using entity ID parameters: - name: id description: ID of the entity. If set, updates the corresponding existing entity. in: path schema: type: string required: true get: summary: HashiCorp Update, read or delete an entity using entity ID operationId: getIdentityEntityIdId tags: - Identity responses: '200': description: OK post: summary: HashiCorp Update, read or delete an entity using entity ID operationId: postIdentityEntityIdId tags: - Identity requestBody: content: application/json: schema: type: object properties: disabled: type: boolean description: If set true, tokens tied to this identity will not be able to be used (but will not be revoked). metadata: type: object description: 'Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. 
For example: vault metadata=key1=value1 metadata=key2=value2' format: kvpairs name: type: string description: Name of the entity policies: type: array description: Policies to be tied to the entity. items: type: string responses: '200': description: OK delete: summary: HashiCorp Update, read or delete an entity using entity ID operationId: deleteIdentityEntityIdId tags: - Identity responses: '204': description: empty body "/identity/entity/merge": description: Merge two or more entities together post: summary: HashiCorp Merge two or more entities together operationId: postIdentityEntityMerge tags: - Identity requestBody: content: application/json: schema: type: object properties: force: type: boolean description: Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in entities that are merged from and in entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts. 
from_entity_ids: type: array description: Entity IDs which need to get merged items: type: string to_entity_id: type: string description: Entity ID into which all the other entities need to get merged responses: '200': description: OK "/identity/entity/name": description: List all the entity names get: summary: HashiCorp List all the entity names operationId: getIdentityEntityName tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/entity/name/{name}": description: Update, read or delete an entity using entity name parameters: - name: name description: Name of the entity in: path schema: type: string required: true get: summary: HashiCorp Update, read or delete an entity using entity name operationId: getIdentityEntityNameName tags: - Identity responses: '200': description: OK post: summary: HashiCorp Update, read or delete an entity using entity name operationId: postIdentityEntityNameName tags: - Identity requestBody: content: application/json: schema: type: object properties: disabled: type: boolean description: If set true, tokens tied to this identity will not be able to be used (but will not be revoked). id: type: string description: ID of the entity. If set, updates the corresponding existing entity. metadata: type: object description: 'Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' format: kvpairs policies: type: array description: Policies to be tied to the entity. items: type: string responses: '200': description: OK delete: summary: HashiCorp Update, read or delete an entity using entity name operationId: deleteIdentityEntityNameName tags: - Identity responses: '204': description: empty body "/identity/group": description: Create a new group. post: summary: HashiCorp Create a new group.
operationId: postIdentityGroup tags: - Identity requestBody: content: application/json: schema: type: object properties: id: type: string description: ID of the group. If set, updates the corresponding existing group. member_entity_ids: type: array description: Entity IDs to be assigned as group members. items: type: string member_group_ids: type: array description: Group IDs to be assigned as group members. items: type: string metadata: type: object description: 'Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' format: kvpairs name: type: string description: Name of the group. policies: type: array description: Policies to be tied to the group. items: type: string type: type: string description: Type of the group, 'internal' or 'external'. Defaults to 'internal' responses: '200': description: OK "/identity/group-alias": description: Creates a new group alias, or updates an existing one. post: summary: HashiCorp Creates a new group alias, or updates an existing one. operationId: postIdentityGroupAlias tags: - Identity requestBody: content: application/json: schema: type: object properties: canonical_id: type: string description: ID of the group to which this is an alias. id: type: string description: ID of the group alias. mount_accessor: type: string description: Mount accessor to which this alias belongs to. name: type: string description: Alias of the group. responses: '200': description: OK "/identity/group-alias/id": description: List all the group alias IDs. get: summary: HashiCorp List all the group alias IDs. operationId: getIdentityGroupAliasId tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/group-alias/id/{id}": parameters: - name: id description: ID of the group alias. 
in: path schema: type: string required: true get: operationId: getIdentityGroupAliasIdId tags: - Identity responses: '200': description: OK post: operationId: postIdentityGroupAliasIdId tags: - Identity requestBody: content: application/json: schema: type: object properties: canonical_id: type: string description: ID of the group to which this is an alias. mount_accessor: type: string description: Mount accessor to which this alias belongs to. name: type: string description: Alias of the group. responses: '200': description: OK delete: operationId: deleteIdentityGroupAliasIdId tags: - Identity responses: '204': description: empty body "/identity/group/id": description: List all the group IDs. get: summary: HashiCorp List all the group IDs. operationId: getIdentityGroupId tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/group/id/{id}": description: Update or delete an existing group using its ID. parameters: - name: id description: ID of the group. If set, updates the corresponding existing group. in: path schema: type: string required: true get: summary: HashiCorp Update or delete an existing group using its ID. operationId: getIdentityGroupIdId tags: - Identity responses: '200': description: OK post: summary: HashiCorp Update or delete an existing group using its ID. operationId: postIdentityGroupIdId tags: - Identity requestBody: content: application/json: schema: type: object properties: member_entity_ids: type: array description: Entity IDs to be assigned as group members. items: type: string member_group_ids: type: array description: Group IDs to be assigned as group members. items: type: string metadata: type: object description: 'Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. 
For example: vault metadata=key1=value1 metadata=key2=value2' format: kvpairs name: type: string description: Name of the group. policies: type: array description: Policies to be tied to the group. items: type: string type: type: string description: Type of the group, 'internal' or 'external'. Defaults to 'internal' responses: '200': description: OK delete: summary: HashiCorp Update or delete an existing group using its ID. operationId: deleteIdentityGroupIdId tags: - Identity responses: '204': description: empty body "/identity/group/name": get: operationId: getIdentityGroupName tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/group/name/{name}": parameters: - name: name description: Name of the group. in: path schema: type: string required: true get: operationId: getIdentityGroupNameName tags: - Identity responses: '200': description: OK post: operationId: postIdentityGroupNameName tags: - Identity requestBody: content: application/json: schema: type: object properties: id: type: string description: ID of the group. If set, updates the corresponding existing group. member_entity_ids: type: array description: Entity IDs to be assigned as group members. items: type: string member_group_ids: type: array description: Group IDs to be assigned as group members. items: type: string metadata: type: object description: 'Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' format: kvpairs policies: type: array description: Policies to be tied to the group. items: type: string type: type: string description: Type of the group, 'internal' or 'external'. 
Defaults to 'internal' responses: '200': description: OK delete: operationId: deleteIdentityGroupNameName tags: - Identity responses: '204': description: empty body "/identity/lookup/entity": description: Query entities based on various properties. post: summary: HashiCorp Query entities based on various properties. operationId: postIdentityLookupEntity tags: - Identity requestBody: content: application/json: schema: type: object properties: alias_id: type: string description: ID of the alias. alias_mount_accessor: type: string description: Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'. alias_name: type: string description: Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'. id: type: string description: ID of the entity. name: type: string description: Name of the entity. responses: '200': description: OK "/identity/lookup/group": description: Query groups based on various properties. post: summary: HashiCorp Query groups based on various properties. operationId: postIdentityLookupGroup tags: - Identity requestBody: content: application/json: schema: type: object properties: alias_id: type: string description: ID of the alias. alias_mount_accessor: type: string description: Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'. alias_name: type: string description: Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'. id: type: string description: ID of the group. name: type: string description: Name of the group. 
responses: '200': description: OK "/identity/oidc/.well-known/keys": description: Retrieve public keys x-vault-unauthenticated: true get: summary: HashiCorp Retrieve public keys operationId: getIdentityOidcWellKnownKeys tags: - Identity responses: '200': description: OK "/identity/oidc/.well-known/openid-configuration": description: Query OIDC configurations x-vault-unauthenticated: true get: summary: HashiCorp Query OIDC configurations operationId: getIdentityOidcWellKnownOpenidConfiguration tags: - Identity responses: '200': description: OK "/identity/oidc/assignment": description: List OIDC assignments get: operationId: getIdentityOidcAssignment tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/oidc/assignment/{name}": description: CRUD operations for OIDC assignments. parameters: - name: name description: Name of the assignment in: path schema: type: string required: true x-vault-createSupported: true get: operationId: getIdentityOidcAssignmentName tags: - Identity responses: '200': description: OK post: operationId: postIdentityOidcAssignmentName tags: - Identity requestBody: content: application/json: schema: type: object properties: entity_ids: type: array description: Comma separated string or array of identity entity IDs items: type: string group_ids: type: array description: Comma separated string or array of identity group IDs items: type: string responses: '200': description: OK delete: operationId: deleteIdentityOidcAssignmentName tags: - Identity responses: '204': description: empty body "/identity/oidc/client": description: List OIDC clients get: operationId: getIdentityOidcClient tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/oidc/client/{name}": description: CRUD operations for OIDC clients. 
parameters: - name: name description: Name of the client. in: path schema: type: string required: true x-vault-createSupported: true get: operationId: getIdentityOidcClientName tags: - Identity responses: '200': description: OK post: operationId: postIdentityOidcClientName tags: - Identity requestBody: content: application/json: schema: type: object properties: access_token_ttl: type: integer description: The time-to-live for access tokens obtained by the client. format: seconds default: 24h assignments: type: array description: Comma separated string or array of assignment resources. items: type: string id_token_ttl: type: integer description: The time-to-live for ID tokens obtained by the client. format: seconds default: 24h key: type: string description: A reference to a named key resource. Cannot be modified after creation. redirect_uris: type: array description: Comma separated string or array of redirect URIs used by the client. One of these values must exactly match the redirect_uri parameter value used in each authentication request. items: type: string required: - key responses: '200': description: OK delete: operationId: deleteIdentityOidcClientName tags: - Identity responses: '204': description: empty body "/identity/oidc/config": description: OIDC configuration get: summary: HashiCorp OIDC configuration operationId: getIdentityOidcConfig tags: - Identity responses: '200': description: OK post: summary: HashiCorp OIDC configuration operationId: postIdentityOidcConfig tags: - Identity requestBody: content: application/json: schema: type: object properties: issuer: type: string description: Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used. 
responses: '200': description: OK "/identity/oidc/introspect": description: Verify the authenticity of an OIDC token post: summary: HashiCorp Verify the authenticity of an OIDC token operationId: postIdentityOidcIntrospect tags: - Identity requestBody: content: application/json: schema: type: object properties: client_id: type: string description: Optional client_id to verify token: type: string description: Token to verify responses: '200': description: OK "/identity/oidc/key": description: List OIDC keys get: summary: HashiCorp List OIDC keys operationId: getIdentityOidcKey tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/oidc/key/{name}": description: CRUD operations for OIDC keys. parameters: - name: name description: Name of the key in: path schema: type: string required: true x-vault-createSupported: true get: summary: HashiCorp CRUD operations for OIDC keys. operationId: getIdentityOidcKeyName tags: - Identity responses: '200': description: OK post: summary: HashiCorp CRUD operations for OIDC keys. operationId: postIdentityOidcKeyName tags: - Identity requestBody: content: application/json: schema: type: object properties: algorithm: type: string description: Signing algorithm to use. This will default to RS256. default: RS256 allowed_client_ids: type: array description: Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If "*" all roles are allowed. items: type: string rotation_period: type: integer description: How often to generate a new keypair. format: seconds default: 24h verification_ttl: type: integer description: Controls how long the public portion of a key will be available for verification after being rotated. format: seconds default: 24h responses: '200': description: OK delete: summary: HashiCorp CRUD operations for OIDC keys. 
operationId: deleteIdentityOidcKeyName tags: - Identity responses: '204': description: empty body "/identity/oidc/key/{name}/rotate": description: Rotate a named OIDC key. parameters: - name: name description: Name of the key in: path schema: type: string required: true post: summary: HashiCorp Rotate a named OIDC key. operationId: postIdentityOidcKeyNameRotate tags: - Identity requestBody: content: application/json: schema: type: object properties: verification_ttl: type: integer description: Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key. format: seconds responses: '200': description: OK "/identity/oidc/provider": description: List OIDC providers get: operationId: getIdentityOidcProvider tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/oidc/provider/{name}": description: CRUD operations for OIDC providers. parameters: - name: name description: Name of the provider in: path schema: type: string required: true x-vault-createSupported: true get: operationId: getIdentityOidcProviderName tags: - Identity responses: '200': description: OK post: operationId: postIdentityOidcProviderName tags: - Identity requestBody: content: application/json: schema: type: object properties: allowed_client_ids: type: array description: The client IDs that are permitted to use the provider items: type: string issuer: type: string description: Specifies what will be used for the iss claim of ID tokens. 
scopes_supported: type: array description: The scopes supported for requesting on the provider items: type: string responses: '200': description: OK delete: operationId: deleteIdentityOidcProviderName tags: - Identity responses: '204': description: empty body "/identity/oidc/provider/{name}/.well-known/keys": description: Retrieve public keys parameters: - name: name description: Name of the provider in: path schema: type: string required: true get: operationId: getIdentityOidcProviderNameWellKnownKeys tags: - Identity responses: '200': description: OK "/identity/oidc/provider/{name}/.well-known/openid-configuration": description: Query OIDC configurations parameters: - name: name description: Name of the provider in: path schema: type: string required: true get: operationId: getIdentityOidcProviderNameWellKnownOpenidConfiguration tags: - Identity responses: '200': description: OK "/identity/oidc/provider/{name}/authorize": description: Provides the OIDC Authorization Endpoint. parameters: - name: name description: Name of the provider in: path schema: type: string required: true get: operationId: getIdentityOidcProviderNameAuthorize tags: - Identity responses: '200': description: OK post: operationId: postIdentityOidcProviderNameAuthorize tags: - Identity requestBody: content: application/json: schema: type: object properties: client_id: type: string description: The ID of the requesting client. max_age: type: integer description: The allowable elapsed time in seconds since the last time the end-user was actively authenticated. nonce: type: string description: The value that will be returned in the ID token nonce claim after a token exchange. redirect_uri: type: string description: The redirection URI to which the response will be sent. response_type: type: string description: 'The OIDC authentication flow to be used. 
The following response types are supported: ''code''' scope: type: string description: A space-delimited, case-sensitive list of scopes to be requested. The 'openid' scope is required. state: type: string description: The value used to maintain state between the authentication request and client. required: - state - client_id - scope - redirect_uri - response_type responses: '200': description: OK "/identity/oidc/provider/{name}/token": description: Provides the OIDC Token Endpoint. parameters: - name: name description: Name of the provider in: path schema: type: string required: true post: operationId: postIdentityOidcProviderNameToken tags: - Identity requestBody: content: application/json: schema: type: object properties: code: type: string description: The authorization code received from the provider's authorization endpoint. grant_type: type: string description: 'The authorization grant type. The following grant types are supported: ''authorization_code''.' redirect_uri: type: string description: The callback location where the authentication response was sent. required: - code - grant_type - redirect_uri responses: '200': description: OK "/identity/oidc/provider/{name}/userinfo": description: Provides the OIDC UserInfo Endpoint. 
parameters: - name: name description: Name of the provider in: path schema: type: string required: true get: operationId: getIdentityOidcProviderNameUserinfo tags: - Identity responses: '200': description: OK post: operationId: postIdentityOidcProviderNameUserinfo tags: - Identity responses: '200': description: OK "/identity/oidc/role": description: List configured OIDC roles get: summary: HashiCorp List configured OIDC roles operationId: getIdentityOidcRole tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/oidc/role/{name}": description: CRUD operations on OIDC Roles parameters: - name: name description: Name of the role in: path schema: type: string required: true x-vault-createSupported: true get: summary: HashiCorp CRUD operations on OIDC Roles operationId: getIdentityOidcRoleName tags: - Identity responses: '200': description: OK post: summary: HashiCorp CRUD operations on OIDC Roles operationId: postIdentityOidcRoleName tags: - Identity requestBody: content: application/json: schema: type: object properties: client_id: type: string description: Optional client_id key: type: string description: The OIDC key to use for generating tokens. The specified key must already exist. template: type: string description: The template string to use for generating tokens. This may be in string-ified JSON or base64 format. ttl: type: integer description: TTL of the tokens generated against the role. 
format: seconds default: 24h required: - key responses: '200': description: OK delete: summary: HashiCorp CRUD operations on OIDC Roles operationId: deleteIdentityOidcRoleName tags: - Identity responses: '204': description: empty body "/identity/oidc/scope": description: List OIDC scopes get: operationId: getIdentityOidcScope tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/oidc/scope/{name}": description: CRUD operations for OIDC scopes. parameters: - name: name description: Name of the scope in: path schema: type: string required: true x-vault-createSupported: true get: operationId: getIdentityOidcScopeName tags: - Identity responses: '200': description: OK post: operationId: postIdentityOidcScopeName tags: - Identity requestBody: content: application/json: schema: type: object properties: description: type: string description: The description of the scope template: type: string description: The template string to use for the scope. This may be in string-ified JSON or base64 format. responses: '200': description: OK delete: operationId: deleteIdentityOidcScopeName tags: - Identity responses: '204': description: empty body "/identity/oidc/token/{name}": description: Generate an OIDC token parameters: - name: name description: Name of the role in: path schema: type: string required: true get: summary: HashiCorp Generate an OIDC token operationId: getIdentityOidcTokenName tags: - Identity responses: '200': description: OK "/identity/persona": description: Create a new alias. post: summary: HashiCorp Create a new alias. operationId: postIdentityPersona tags: - Identity requestBody: content: application/json: schema: type: object properties: entity_id: type: string description: Entity ID to which this persona belongs id: type: string description: ID of the persona metadata: type: object description: 'Metadata to be associated with the persona.
In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' format: kvpairs mount_accessor: type: string description: Mount accessor to which this persona belongs name: type: string description: Name of the persona responses: '200': description: OK "/identity/persona/id": description: List all the alias IDs. get: summary: HashiCorp List all the alias IDs. operationId: getIdentityPersonaId tags: - Identity parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/identity/persona/id/{id}": description: Update, read or delete an alias ID. parameters: - name: id description: ID of the persona in: path schema: type: string required: true get: summary: HashiCorp Update, read or delete an alias ID. operationId: getIdentityPersonaIdId tags: - Identity responses: '200': description: OK post: summary: HashiCorp Update, read or delete an alias ID. operationId: postIdentityPersonaIdId tags: - Identity requestBody: content: application/json: schema: type: object properties: entity_id: type: string description: Entity ID to which this persona should be tied metadata: type: object description: 'Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' format: kvpairs mount_accessor: type: string description: Mount accessor to which this persona belongs name: type: string description: Name of the persona responses: '200': description: OK delete: summary: HashiCorp Update, read or delete an alias ID. operationId: deleteIdentityPersonaIdId tags: - Identity responses: '204': description: empty body "/secret/.*": {} "/secret/config": description: Configures settings for the KV store x-vault-createSupported: true get: summary: HashiCorp Read the backend level settings.
operationId: getSecretConfig tags: - Secrets responses: '200': description: OK post: summary: HashiCorp Configure backend level settings that are applied to every key in the key-value store. operationId: postSecretConfig tags: - Secrets requestBody: content: application/json: schema: type: object properties: cas_required: type: boolean description: If true, the backend will require the cas parameter to be set for each write delete_version_after: type: integer description: If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string. format: seconds max_versions: type: integer description: The number of versions to keep for each key. Defaults to 10 responses: '200': description: OK "/secret/data/{path}": description: Write, Patch, Read, and Delete data in the Key-Value Store. parameters: - name: path description: Location of the secret. in: path schema: type: string required: true x-vault-createSupported: true get: summary: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store. operationId: getSecretDataPath tags: - Secrets responses: '200': description: OK post: summary: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store. operationId: postSecretDataPath tags: - Secrets requestBody: content: application/json: schema: type: object properties: data: type: object description: The contents of the data map will be stored and returned on read. format: map options: type: object description: Options for writing a KV entry. Set the "cas" value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter. 
format: map version: type: integer description: If provided during a read, the value at the version number will be returned responses: '200': description: OK delete: summary: HashiCorp Write, Patch, Read, and Delete data in the Key-Value Store. operationId: deleteSecretDataPath tags: - Secrets responses: '204': description: empty body "/secret/delete/{path}": description: Marks one or more versions as deleted in the KV store. parameters: - name: path description: Location of the secret. in: path schema: type: string required: true x-vault-createSupported: true post: summary: HashiCorp Marks one or more versions as deleted in the KV store. operationId: postSecretDeletePath tags: - Secrets requestBody: content: application/json: schema: type: object properties: versions: type: array description: The versions to be archived. The versioned data will not be deleted, but it will no longer be returned in normal get requests. items: type: integer responses: '200': description: OK "/secret/destroy/{path}": description: Permanently removes one or more versions in the KV store parameters: - name: path description: Location of the secret. in: path schema: type: string required: true x-vault-createSupported: true post: summary: HashiCorp Permanently removes one or more versions in the KV store operationId: postSecretDestroyPath tags: - Secrets requestBody: content: application/json: schema: type: object properties: versions: type: array description: The versions to destroy. Their data will be permanently deleted. items: type: integer responses: '200': description: OK "/secret/metadata/{path}": description: Configures settings for the KV store parameters: - name: path description: Location of the secret. 
in: path schema: type: string required: true x-vault-createSupported: true get: summary: HashiCorp Configures settings for the KV store operationId: getSecretMetadataPath tags: - Secrets parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK post: summary: HashiCorp Configures settings for the KV store operationId: postSecretMetadataPath tags: - Secrets requestBody: content: application/json: schema: type: object properties: cas_required: type: boolean description: If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used. custom_metadata: type: object description: User-provided key-value pairs that are used to describe arbitrary and version-agnostic information about a secret. format: kvpairs delete_version_after: type: integer description: The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error. format: seconds max_versions: type: integer description: The number of versions to keep. If not set, the backend’s configured max version is used. responses: '200': description: OK delete: summary: HashiCorp Configures settings for the KV store operationId: deleteSecretMetadataPath tags: - Secrets responses: '204': description: empty body "/secret/undelete/{path}": description: Undeletes one or more versions from the KV store. parameters: - name: path description: Location of the secret. in: path schema: type: string required: true x-vault-createSupported: true post: summary: HashiCorp Undeletes one or more versions from the KV store. operationId: postSecretUndeletePath tags: - Secrets requestBody: content: application/json: schema: type: object properties: versions: type: array description: The versions to unarchive. 
The versions will be restored and their data will be returned on normal get requests. items: type: integer responses: '200': description: OK "/sys/audit": description: List the currently enabled audit backends. x-vault-sudo: true get: summary: HashiCorp List the enabled audit devices. operationId: getSysAudit tags: - System responses: '200': description: OK "/sys/audit-hash/{path}": description: The hash of the given string via the given audit backend parameters: - name: path description: 'The name of the backend. Cannot be delimited. Example: "mysql"' in: path schema: type: string required: true post: summary: HashiCorp The hash of the given string via the given audit backend operationId: postSysAuditHashPath tags: - System requestBody: content: application/json: schema: type: object properties: input: type: string responses: '200': description: OK "/sys/audit/{path}": description: Enable or disable audit backends. parameters: - name: path description: 'The name of the backend. Cannot be delimited. Example: "mysql"' in: path schema: type: string required: true x-vault-sudo: true post: summary: HashiCorp Enable a new audit device at the supplied path. operationId: postSysAuditPath tags: - System requestBody: content: application/json: schema: type: object properties: description: type: string description: User-friendly description for this audit backend. local: type: boolean description: Mark the mount as a local mount, which is not replicated and is unaffected by replication. default: false options: type: object description: Configuration options for the audit backend. format: kvpairs type: type: string description: 'The type of the backend. Example: "mysql"' responses: '200': description: OK delete: summary: HashiCorp Disable the audit device at the given path. operationId: deleteSysAuditPath tags: - System responses: '204': description: empty body "/sys/auth": description: List the currently enabled credential backends. 
get: summary: HashiCorp List the currently enabled credential backends. operationId: getSysAuth tags: - System responses: '200': description: OK "/sys/auth/{path}": description: Enable a new credential backend with a name. parameters: - name: path description: 'The path to mount to. Cannot be delimited. Example: "user"' in: path schema: type: string required: true x-vault-sudo: true post: summary: HashiCorp Enables a new auth method. description: |- After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix. For example, enable the "foo" auth method will make it accessible at /auth/foo. operationId: postSysAuthPath tags: - System requestBody: content: application/json: schema: type: object properties: config: type: object description: Configuration for this mount, such as plugin_name. format: map description: type: string description: User-friendly description for this credential backend. external_entropy_access: type: boolean description: Whether to give the mount access to Vault's external entropy. default: false local: type: boolean description: Mark the mount as a local mount, which is not replicated and is unaffected by replication. default: false options: type: object description: The options to pass into the backend. Should be a json object with string keys and values. format: kvpairs plugin_name: type: string description: Name of the auth plugin to use based from the name in the plugin catalog. seal_wrap: type: boolean description: Whether to turn on seal wrapping for the mount. default: false type: type: string description: 'The type of the backend. Example: "userpass"' responses: '200': description: OK delete: summary: HashiCorp Disable the auth method at the given auth path operationId: deleteSysAuthPath tags: - System responses: '204': description: empty body "/sys/auth/{path}/tune": description: Tune the configuration parameters for an auth path. 
parameters: - name: path description: Tune the configuration parameters for an auth path. in: path schema: type: string required: true x-vault-sudo: true get: summary: HashiCorp Reads the given auth path's configuration. description: This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`. operationId: getSysAuthPathTune tags: - System responses: '200': description: OK post: summary: HashiCorp Tune configuration parameters for a given auth path. description: This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`. operationId: postSysAuthPathTune tags: - System requestBody: content: application/json: schema: type: object properties: allowed_response_headers: type: array description: A list of headers to whitelist and allow a plugin to set on responses. items: type: string audit_non_hmac_request_keys: type: array description: The list of keys in the request data object that will not be HMAC'ed by audit devices. items: type: string audit_non_hmac_response_keys: type: array description: The list of keys in the response data object that will not be HMAC'ed by audit devices. items: type: string default_lease_ttl: type: string description: The default lease TTL for this mount. description: type: string description: User-friendly description for this credential backend. listing_visibility: type: string description: Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''. max_lease_ttl: type: string description: The max lease TTL for this mount. options: type: object description: The options to pass into the backend. Should be a json object with string keys and values. format: kvpairs passthrough_request_headers: type: array description: A list of headers to whitelist and pass from the request to the plugin.
items: type: string token_type: type: string description: The type of token to issue (service or batch). responses: '200': description: OK "/sys/capabilities": description: Fetches the capabilities of the given token on the given path. post: summary: HashiCorp Fetches the capabilities of the given token on the given path. operationId: postSysCapabilities tags: - System requestBody: content: application/json: schema: type: object properties: path: type: array description: Use 'paths' instead. items: type: string deprecated: true paths: type: array description: Paths on which capabilities are being queried. items: type: string token: type: string description: Token for which capabilities are being queried. responses: '200': description: OK "/sys/capabilities-accessor": description: Fetches the capabilities of the token associated with the given token, on the given path. post: summary: HashiCorp Fetches the capabilities of the token associated with the given token, on the given path. operationId: postSysCapabilitiesAccessor tags: - System requestBody: content: application/json: schema: type: object properties: accessor: type: string description: Accessor of the token for which capabilities are being queried. path: type: array description: Use 'paths' instead. items: type: string deprecated: true paths: type: array description: Paths on which capabilities are being queried. items: type: string responses: '200': description: OK "/sys/capabilities-self": description: Fetches the capabilities of the given token on the given path. post: summary: HashiCorp Fetches the capabilities of the given token on the given path. operationId: postSysCapabilitiesSelf tags: - System requestBody: content: application/json: schema: type: object properties: path: type: array description: Use 'paths' instead. items: type: string deprecated: true paths: type: array description: Paths on which capabilities are being queried. 
items: type: string token: type: string description: Token for which capabilities are being queried. responses: '200': description: OK "/sys/config/auditing/request-headers": description: Lists the headers configured to be audited. x-vault-sudo: true get: summary: HashiCorp List the request headers that are configured to be audited. operationId: getSysConfigAuditingRequestHeaders tags: - System responses: '200': description: OK "/sys/config/auditing/request-headers/{header}": description: Configures the headers sent to the audit logs. parameters: - name: header in: path schema: type: string required: true x-vault-sudo: true get: summary: HashiCorp List the information for the given request header. operationId: getSysConfigAuditingRequestHeadersHeader tags: - System responses: '200': description: OK post: summary: HashiCorp Enable auditing of a header. operationId: postSysConfigAuditingRequestHeadersHeader tags: - System requestBody: content: application/json: schema: type: object properties: hmac: type: boolean responses: '200': description: OK delete: summary: HashiCorp Disable auditing of the given request header. operationId: deleteSysConfigAuditingRequestHeadersHeader tags: - System responses: '204': description: empty body "/sys/config/cors": description: This path responds to the following HTTP methods. GET / Returns the configuration of the CORS setting. POST / Sets the comma-separated list of origins that can make cross-origin requests. DELETE / Clears the CORS configuration and disables acceptance of CORS requests. x-vault-sudo: true get: summary: HashiCorp Return the current CORS settings. operationId: getSysConfigCors tags: - System responses: '200': description: OK post: summary: HashiCorp Configure the CORS settings. 
operationId: postSysConfigCors tags: - System requestBody: content: application/json: schema: type: object properties: allowed_headers: type: array description: A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests. items: type: string allowed_origins: type: array description: A comma-separated string or array of strings indicating origins that may make cross-origin requests. items: type: string enable: type: boolean description: Enables or disables CORS headers on requests. responses: '200': description: OK delete: summary: HashiCorp Remove any CORS settings. operationId: deleteSysConfigCors tags: - System responses: '204': description: empty body "/sys/config/reload/{subsystem}": parameters: - name: subsystem in: path schema: type: string required: true post: summary: HashiCorp Reload the given subsystem operationId: postSysConfigReloadSubsystem tags: - System responses: '200': description: OK "/sys/config/state/sanitized": get: summary: HashiCorp Return a sanitized version of the Vault server configuration. description: The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry. operationId: getSysConfigStateSanitized tags: - System responses: '200': description: OK "/sys/config/ui/headers/": description: This path responds to the following HTTP methods. GET /
Returns the header value. POST /
Sets the header value for the UI. DELETE /
Clears the header value for the UI. LIST / List the headers configured for the UI. x-vault-sudo: true get: summary: HashiCorp Return a list of configured UI headers. operationId: getSysConfigUiHeaders tags: - System parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/sys/config/ui/headers/{header}": description: This path responds to the following HTTP methods. GET /
Returns the header value. POST /
Sets the header value for the UI. DELETE /
Clears the header value for the UI. LIST / List the headers configured for the UI. parameters: - name: header description: The name of the header. in: path schema: type: string required: true x-vault-sudo: true get: summary: HashiCorp Return the given UI header's configuration operationId: getSysConfigUiHeadersHeader tags: - System responses: '200': description: OK post: summary: HashiCorp Configure the values to be returned for the UI header. operationId: postSysConfigUiHeadersHeader tags: - System requestBody: content: application/json: schema: type: object properties: multivalue: type: boolean description: Returns multiple values if true values: type: array description: The values to set the header. items: type: string responses: '200': description: OK delete: summary: HashiCorp Remove a UI header. operationId: deleteSysConfigUiHeadersHeader tags: - System responses: '204': description: empty body "/sys/generate-root": description: Reads, generates, or deletes a root token regeneration process. get: summary: HashiCorp Read the configuration and progress of the current root generation attempt. operationId: getSysGenerateRoot tags: - System responses: '200': description: OK post: summary: HashiCorp Initializes a new root generation attempt. description: Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required. operationId: postSysGenerateRoot tags: - System requestBody: content: application/json: schema: type: object properties: pgp_key: type: string description: Specifies a base64-encoded PGP public key. responses: '200': description: OK delete: summary: HashiCorp Cancels any in-progress root generation attempt. operationId: deleteSysGenerateRoot tags: - System responses: '204': description: empty body "/sys/generate-root/attempt": description: Reads, generates, or deletes a root token regeneration process.
x-vault-unauthenticated: true get: summary: HashiCorp Read the configuration and progress of the current root generation attempt. operationId: getSysGenerateRootAttempt tags: - System responses: '200': description: OK post: summary: HashiCorp Initializes a new root generation attempt. description: Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key is required. operationId: postSysGenerateRootAttempt tags: - System requestBody: content: application/json: schema: type: object properties: pgp_key: type: string description: Specifies a base64-encoded PGP public key. responses: '200': description: OK delete: summary: HashiCorp Cancels any in-progress root generation attempt. operationId: deleteSysGenerateRootAttempt tags: - System responses: '204': description: empty body "/sys/generate-root/update": description: Reads, generates, or deletes a root token regeneration process. x-vault-unauthenticated: true post: summary: HashiCorp Enter a single master key share to progress the root generation attempt. description: If the threshold number of master key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call. operationId: postSysGenerateRootUpdate tags: - System requestBody: content: application/json: schema: type: object properties: key: type: string description: Specifies a single master key share. nonce: type: string description: Specifies the nonce of the attempt. responses: '200': description: OK "/sys/health": description: Checks the health status of the Vault. x-vault-unauthenticated: true get: summary: HashiCorp Returns the health status of Vault.
operationId: getSysHealth tags: - System responses: '200': description: initialized, unsealed, and active '429': description: unsealed and standby '472': description: data recovery mode replication secondary and active '501': description: not initialized '503': description: sealed "/sys/host-info": description: Information about the host instance that this Vault server is running on. get: summary: HashiCorp Information about the host instance that this Vault server is running on. description: "Information about the host instance that this Vault server is running on.\n\t\tThe information that gets collected includes host hardware information, and CPU,\n\t\tdisk, and memory utilization" operationId: getSysHostInfo tags: - System responses: '200': description: OK "/sys/init": description: Initializes or returns the initialization status of the Vault. x-vault-unauthenticated: true get: summary: HashiCorp Returns the initialization status of Vault. operationId: getSysInit tags: - System responses: '200': description: OK post: summary: HashiCorp Initialize a new Vault. description: The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM. operationId: postSysInit tags: - System requestBody: content: application/json: schema: type: object properties: pgp_keys: type: array description: Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `secret_shares`. items: type: string recovery_pgp_keys: type: array description: Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `recovery_shares`. 
items: type: string recovery_shares: type: integer description: Specifies the number of shares to split the recovery key into. recovery_threshold: type: integer description: Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`. root_token_pgp_key: type: string description: Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation. secret_shares: type: integer description: Specifies the number of shares to split the master key into. secret_threshold: type: integer description: Specifies the number of shares required to reconstruct the master key. This must be less than or equal to `secret_shares`. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`. stored_shares: type: integer description: Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`. responses: '200': description: OK "/sys/internal/counters/activity": description: Query the historical count of clients. get: summary: HashiCorp Report the client count metrics, for this namespace and all child namespaces. operationId: getSysInternalCountersActivity tags: - System responses: '200': description: OK "/sys/internal/counters/activity/monthly": description: Count of active clients so far this month. get: summary: HashiCorp Report the number of clients for this month, for this namespace and all child namespaces. operationId: getSysInternalCountersActivityMonthly tags: - System responses: '200': description: OK "/sys/internal/counters/config": description: Control the collection and reporting of client counts. get: summary: HashiCorp Read the client count tracking configuration.
operationId: getSysInternalCountersConfig tags: - System responses: '200': description: OK post: summary: HashiCorp Enable or disable collection of client count, set retention period, or set default reporting period. operationId: postSysInternalCountersConfig tags: - System requestBody: content: application/json: schema: type: object properties: default_report_months: type: integer description: Number of months to report if no start date specified. default: 12 enabled: type: string description: 'Enable or disable collection of client count: enable, disable, or default.' default: default retention_months: type: integer description: Number of months of client data to retain. Setting to 0 will clear all existing data. default: 24 responses: '200': description: OK "/sys/internal/counters/entities": description: Count of active entities in this Vault cluster. get: summary: HashiCorp Backwards compatibility is not guaranteed for this API operationId: getSysInternalCountersEntities tags: - System responses: '200': description: OK "/sys/internal/counters/requests": description: Currently unsupported. Previously, count of requests seen by this Vault cluster over time. get: summary: HashiCorp Backwards compatibility is not guaranteed for this API operationId: getSysInternalCountersRequests tags: - System responses: '200': description: OK "/sys/internal/counters/tokens": description: Count of active tokens in this Vault cluster. get: summary: HashiCorp Backwards compatibility is not guaranteed for this API operationId: getSysInternalCountersTokens tags: - System responses: '200': description: OK "/sys/internal/specs/openapi": x-vault-unauthenticated: true get: summary: HashiCorp Generate an OpenAPI 3 document of all mounted paths. operationId: getSysInternalSpecsOpenapi tags: - System responses: '200': description: OK "/sys/internal/ui/feature-flags": description: Enabled feature flags. Internal API; its location, inputs, and outputs may change. 
get: summary: HashiCorp Lists enabled feature flags. operationId: getSysInternalUiFeatureFlags tags: - System responses: '200': description: OK "/sys/internal/ui/mounts": description: Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change. x-vault-unauthenticated: true get: summary: HashiCorp Lists all enabled and visible auth and secrets mounts. operationId: getSysInternalUiMounts tags: - System responses: '200': description: OK "/sys/internal/ui/mounts/{path}": description: Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change. parameters: - name: path description: The path of the mount. in: path schema: type: string required: true x-vault-unauthenticated: true get: summary: HashiCorp Return information about the given mount. operationId: getSysInternalUiMountsPath tags: - System responses: '200': description: OK "/sys/internal/ui/namespaces": description: Information about visible child namespaces. Internal API; its location, inputs, and outputs may change. x-vault-unauthenticated: true get: summary: HashiCorp Backwards compatibility is not guaranteed for this API operationId: getSysInternalUiNamespaces tags: - System responses: '200': description: OK "/sys/internal/ui/resultant-acl": description: Information about a token's resultant ACL. Internal API; its location, inputs, and outputs may change. get: summary: HashiCorp Backwards compatibility is not guaranteed for this API operationId: getSysInternalUiResultantAcl tags: - System responses: '200': description: OK "/sys/key-status": description: Provides information about the backend encryption key. get: summary: HashiCorp Provides information about the backend encryption key. 
operationId: getSysKeyStatus tags: - System responses: '200': description: OK "/sys/leader": description: Check the high availability status and current leader of Vault x-vault-unauthenticated: true get: summary: HashiCorp Returns the high availability status and current leader instance of Vault. operationId: getSysLeader tags: - System responses: '200': description: OK "/sys/leases": description: List leases associated with this Vault cluster x-vault-sudo: true get: summary: HashiCorp List leases associated with this Vault cluster operationId: getSysLeases tags: - System responses: '200': description: OK "/sys/leases/count": description: Count of leases associated with this Vault cluster get: summary: HashiCorp Count of leases associated with this Vault cluster operationId: getSysLeasesCount tags: - System responses: '200': description: OK "/sys/leases/lookup": description: View or list lease metadata. post: summary: HashiCorp Retrieve lease metadata. operationId: postSysLeasesLookup tags: - System requestBody: content: application/json: schema: type: object properties: lease_id: type: string description: The lease identifier to renew. This is included with a lease. responses: '200': description: OK "/sys/leases/lookup/": description: View or list lease metadata. x-vault-sudo: true get: summary: HashiCorp Returns a list of lease ids. operationId: getSysLeasesLookup tags: - System parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/sys/leases/lookup/{prefix}": description: View or list lease metadata. parameters: - name: prefix description: 'The path to list leases under. Example: "aws/creds/deploy"' in: path schema: type: string required: true x-vault-sudo: true get: summary: HashiCorp Returns a list of lease ids. 
operationId: getSysLeasesLookupPrefix tags: - System parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/sys/leases/renew": description: Renew a lease on a secret post: summary: HashiCorp Renews a lease, requesting to extend the lease. operationId: postSysLeasesRenew tags: - System requestBody: content: application/json: schema: type: object properties: increment: type: integer description: The desired increment in seconds to the lease format: seconds lease_id: type: string description: The lease identifier to renew. This is included with a lease. url_lease_id: type: string description: The lease identifier to renew. This is included with a lease. responses: '200': description: OK "/sys/leases/renew/{url_lease_id}": description: Renew a lease on a secret parameters: - name: url_lease_id description: The lease identifier to renew. This is included with a lease. in: path schema: type: string required: true post: summary: HashiCorp Renews a lease, requesting to extend the lease. operationId: postSysLeasesRenewUrl_lease_id tags: - System requestBody: content: application/json: schema: type: object properties: increment: type: integer description: The desired increment in seconds to the lease format: seconds lease_id: type: string description: The lease identifier to renew. This is included with a lease. responses: '200': description: OK "/sys/leases/revoke": description: Revoke a leased secret immediately post: summary: HashiCorp Revokes a lease immediately. operationId: postSysLeasesRevoke tags: - System requestBody: content: application/json: schema: type: object properties: lease_id: type: string description: The lease identifier to renew. This is included with a lease. sync: type: boolean description: Whether or not to perform the revocation synchronously default: true url_lease_id: type: string description: The lease identifier to renew. This is included with a lease. 
responses: '200': description: OK "/sys/leases/revoke-force/{prefix}": description: Revoke all secrets generated in a given prefix, ignoring errors. parameters: - name: prefix description: 'The path to revoke keys under. Example: "prod/aws/ops"' in: path schema: type: string required: true x-vault-sudo: true post: summary: HashiCorp Revokes all secrets or tokens generated under a given prefix immediately description: |- Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation. By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled. operationId: postSysLeasesRevokeForcePrefix tags: - System responses: '200': description: OK "/sys/leases/revoke-prefix/{prefix}": description: Revoke all secrets generated in a given prefix parameters: - name: prefix description: 'The path to revoke keys under. Example: "prod/aws/ops"' in: path schema: type: string required: true x-vault-sudo: true post: summary: HashiCorp Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately. operationId: postSysLeasesRevokePrefixPrefix tags: - System requestBody: content: application/json: schema: type: object properties: sync: type: boolean description: Whether or not to perform the revocation synchronously default: true responses: '200': description: OK "/sys/leases/revoke/{url_lease_id}": description: Revoke a leased secret immediately parameters: - name: url_lease_id description: The lease identifier to renew. This is included with a lease. in: path schema: type: string required: true post: summary: HashiCorp Revokes a lease immediately. 
operationId: postSysLeasesRevokeUrl_lease_id tags: - System requestBody: content: application/json: schema: type: object properties: lease_id: type: string description: The lease identifier to renew. This is included with a lease. sync: type: boolean description: Whether or not to perform the revocation synchronously default: true responses: '200': description: OK "/sys/leases/tidy": description: This endpoint performs cleanup tasks that can be run if certain error conditions have occurred. post: summary: |- HashiCorp This endpoint performs cleanup tasks that can be run if certain error conditions have occurred. operationId: postSysLeasesTidy tags: - System responses: '200': description: OK "/sys/metrics": description: Export the metrics aggregated for telemetry purpose. parameters: - name: format description: Format to export metrics into. Currently accepts only "prometheus". in: query schema: type: string get: summary: HashiCorp Export the metrics aggregated for telemetry purpose. operationId: getSysMetrics tags: - System responses: '200': description: OK "/sys/monitor": parameters: - name: log_level description: Log level to view system logs at. Currently supported values are "trace", "debug", "info", "warn", "error". in: query schema: type: string get: operationId: getSysMonitor tags: - System responses: '200': description: OK "/sys/mounts": description: List the currently mounted backends. get: summary: HashiCorp List the currently mounted backends. operationId: getSysMounts tags: - System responses: '200': description: OK "/sys/mounts/{path}": description: Mount a new backend at a new path. parameters: - name: path description: 'The path to mount to. Example: "aws/east"' in: path schema: type: string required: true post: summary: HashiCorp Enable a new secrets engine at the given path. 
operationId: postSysMountsPath tags: - System requestBody: content: application/json: schema: type: object properties: config: type: object description: Configuration for this mount, such as default_lease_ttl and max_lease_ttl. format: map description: type: string description: User-friendly description for this mount. external_entropy_access: type: boolean description: Whether to give the mount access to Vault's external entropy. default: false local: type: boolean description: Mark the mount as a local mount, which is not replicated and is unaffected by replication. default: false options: type: object description: The options to pass into the backend. Should be a json object with string keys and values. format: kvpairs plugin_name: type: string description: Name of the plugin to mount based from the name registered in the plugin catalog. seal_wrap: type: boolean description: Whether to turn on seal wrapping for the mount. default: false type: type: string description: 'The type of the backend. Example: "passthrough"' responses: '200': description: OK delete: summary: HashiCorp Disable the mount point specified at the given path. operationId: deleteSysMountsPath tags: - System responses: '204': description: empty body "/sys/mounts/{path}/tune": description: Tune backend configuration parameters for this mount. parameters: - name: path description: 'The path to mount to. Example: "aws/east"' in: path schema: type: string required: true get: summary: HashiCorp Tune backend configuration parameters for this mount. operationId: getSysMountsPathTune tags: - System responses: '200': description: OK post: summary: HashiCorp Tune backend configuration parameters for this mount. operationId: postSysMountsPathTune tags: - System requestBody: content: application/json: schema: type: object properties: allowed_response_headers: type: array description: A list of headers to whitelist and allow a plugin to set on responses. 
items: type: string audit_non_hmac_request_keys: type: array description: The list of keys in the request data object that will not be HMAC'ed by audit devices. items: type: string audit_non_hmac_response_keys: type: array description: The list of keys in the response data object that will not be HMAC'ed by audit devices. items: type: string default_lease_ttl: type: string description: The default lease TTL for this mount. description: type: string description: User-friendly description for this credential backend. listing_visibility: type: string description: Determines the visibility of the mount in the UI-specific listing endpoint. Accepted values are 'unauth' and ''. max_lease_ttl: type: string description: The max lease TTL for this mount. options: type: object description: The options to pass into the backend. Should be a json object with string keys and values. format: kvpairs passthrough_request_headers: type: array description: A list of headers to whitelist and pass from the request to the plugin. items: type: string token_type: type: string description: The type of token to issue (service or batch). responses: '200': description: OK "/sys/plugins/catalog": description: Lists all the plugins known to Vault get: summary: HashiCorp Lists all the plugins known to Vault operationId: getSysPluginsCatalog tags: - System responses: '200': description: OK "/sys/plugins/catalog/{name}": description: Configures the plugins known to Vault parameters: - name: name description: The name of the plugin in: path schema: type: string required: true x-vault-sudo: true get: summary: HashiCorp Return the configuration data for the plugin with the given name. operationId: getSysPluginsCatalogName tags: - System responses: '200': description: OK post: summary: HashiCorp Register a new plugin, or update an existing one with the supplied name.
operationId: postSysPluginsCatalogName tags: - System requestBody: content: application/json: schema: type: object properties: args: type: array description: The args passed to plugin command. items: type: string command: type: string description: The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory. env: type: array description: The environment variables passed to plugin command. Each entry is of the form "key=value". items: type: string sha256: type: string description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. sha_256: type: string description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. type: type: string description: The type of the plugin, may be auth, secret, or database responses: '200': description: OK delete: summary: HashiCorp Remove the plugin with the given name. operationId: deleteSysPluginsCatalogName tags: - System responses: '204': description: empty body "/sys/plugins/catalog/{type}": description: Configures the plugins known to Vault parameters: - name: type description: The type of the plugin, may be auth, secret, or database in: path schema: type: string required: true x-vault-sudo: true get: summary: HashiCorp List the plugins in the catalog. operationId: getSysPluginsCatalogType tags: - System parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/sys/plugins/catalog/{type}/{name}": description: Configures the plugins known to Vault parameters: - name: name description: The name of the plugin in: path schema: type: string required: true - name: type description: The type of the plugin, may be auth, secret, or database in: path schema: type: string required: true x-vault-sudo: true get: summary: HashiCorp Return the configuration data for the plugin with the given name. 
operationId: getSysPluginsCatalogTypeName tags: - System responses: '200': description: OK post: summary: HashiCorp Register a new plugin, or update an existing one with the supplied name. operationId: postSysPluginsCatalogTypeName tags: - System requestBody: content: application/json: schema: type: object properties: args: type: array description: The args passed to plugin command. items: type: string command: type: string description: The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory. env: type: array description: The environment variables passed to plugin command. Each entry is of the form "key=value". items: type: string sha256: type: string description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. sha_256: type: string description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. responses: '200': description: OK delete: summary: HashiCorp Remove the plugin with the given name. operationId: deleteSysPluginsCatalogTypeName tags: - System responses: '204': description: empty body "/sys/plugins/reload/backend": description: Reload mounts that use a particular backend plugin. post: summary: HashiCorp Reload mounted plugin backends. description: Either the plugin name (`plugin`) or the desired plugin backend mounts (`mounts`) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded. If (`scope`) is provided and is (`global`), the plugin(s) are reloaded globally. operationId: postSysPluginsReloadBackend tags: - System requestBody: content: application/json: schema: type: object properties: mounts: type: array description: The mount paths of the plugin backends to reload. items: type: string plugin: type: string description: The name of the plugin to reload, as registered in the plugin catalog.
scope: type: string responses: '200': description: OK "/sys/policies/acl": description: List the configured access control policies. get: summary: HashiCorp List the configured access control policies. operationId: getSysPoliciesAcl tags: - System parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/sys/policies/acl/{name}": description: Read, Modify, or Delete an access control policy. parameters: - name: name description: 'The name of the policy. Example: "ops"' in: path schema: type: string required: true get: summary: HashiCorp Retrieve information about the named ACL policy. operationId: getSysPoliciesAclName tags: - System responses: '200': description: OK post: summary: HashiCorp Add a new or update an existing ACL policy. operationId: postSysPoliciesAclName tags: - System requestBody: content: application/json: schema: type: object properties: policy: type: string description: The rules of the policy. responses: '200': description: OK delete: summary: HashiCorp Delete the ACL policy with the given name. operationId: deleteSysPoliciesAclName tags: - System responses: '204': description: empty body "/sys/policies/password/{name}": description: Read, Modify, or Delete a password policy. parameters: - name: name description: The name of the password policy. in: path schema: type: string required: true get: summary: HashiCorp Retrieve an existing password policy. operationId: getSysPoliciesPasswordName tags: - System responses: '200': description: OK post: summary: HashiCorp Add a new or update an existing password policy. operationId: postSysPoliciesPasswordName tags: - System requestBody: content: application/json: schema: type: object properties: policy: type: string description: The password policy responses: '200': description: OK delete: summary: HashiCorp Delete a password policy. 
operationId: deleteSysPoliciesPasswordName tags: - System responses: '204': description: empty body "/sys/policies/password/{name}/generate": description: Generate a password from an existing password policy. parameters: - name: name description: The name of the password policy. in: path schema: type: string required: true get: summary: HashiCorp Generate a password from an existing password policy. operationId: getSysPoliciesPasswordNameGenerate tags: - System responses: '200': description: OK "/sys/policy": description: List the configured access control policies. get: summary: HashiCorp List the configured access control policies. operationId: getSysPolicy tags: - System parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/sys/policy/{name}": description: Read, Modify, or Delete an access control policy. parameters: - name: name description: 'The name of the policy. Example: "ops"' in: path schema: type: string required: true get: summary: HashiCorp Retrieve the policy body for the named policy. operationId: getSysPolicyName tags: - System responses: '200': description: OK post: summary: HashiCorp Add a new or update an existing policy. operationId: postSysPolicyName tags: - System requestBody: content: application/json: schema: type: object properties: policy: type: string description: The rules of the policy. rules: type: string description: The rules of the policy. deprecated: true responses: '200': description: OK delete: summary: HashiCorp Delete the policy with the given name. operationId: deleteSysPolicyName tags: - System responses: '204': description: empty body "/sys/pprof/": get: summary: HashiCorp Returns an HTML page listing the available profiles. description: "Returns an HTML page listing the available \nprofiles. This should be mainly accessed via browsers or applications that can \nrender pages." 
operationId: getSysPprof tags: - System responses: '200': description: OK "/sys/pprof/allocs": get: summary: HashiCorp Returns a sampling of all past memory allocations. description: Returns a sampling of all past memory allocations. operationId: getSysPprofAllocs tags: - System responses: '200': description: OK "/sys/pprof/block": get: summary: HashiCorp Returns stack traces that led to blocking on synchronization primitives description: Returns stack traces that led to blocking on synchronization primitives operationId: getSysPprofBlock tags: - System responses: '200': description: OK "/sys/pprof/cmdline": get: summary: HashiCorp Returns the running program's command line. description: Returns the running program's command line, with arguments separated by NUL bytes. operationId: getSysPprofCmdline tags: - System responses: '200': description: OK "/sys/pprof/goroutine": get: summary: HashiCorp Returns stack traces of all current goroutines. description: Returns stack traces of all current goroutines. operationId: getSysPprofGoroutine tags: - System responses: '200': description: OK "/sys/pprof/heap": get: summary: HashiCorp Returns a sampling of memory allocations of live objects. description: Returns a sampling of memory allocations of live objects. operationId: getSysPprofHeap tags: - System responses: '200': description: OK "/sys/pprof/mutex": get: summary: HashiCorp Returns stack traces of holders of contended mutexes description: Returns stack traces of holders of contended mutexes operationId: getSysPprofMutex tags: - System responses: '200': description: OK "/sys/pprof/profile": get: summary: HashiCorp Returns a pprof-formatted cpu profile payload. description: Returns a pprof-formatted cpu profile payload. Profiling lasts for duration specified in seconds GET parameter, or for 30 seconds if not specified.
operationId: getSysPprofProfile tags: - System responses: '200': description: OK "/sys/pprof/symbol": get: summary: HashiCorp Returns the program counters listed in the request. description: Returns the program counters listed in the request. operationId: getSysPprofSymbol tags: - System responses: '200': description: OK "/sys/pprof/threadcreate": get: summary: HashiCorp Returns stack traces that led to the creation of new OS threads description: Returns stack traces that led to the creation of new OS threads operationId: getSysPprofThreadcreate tags: - System responses: '200': description: OK "/sys/pprof/trace": get: summary: HashiCorp Returns the execution trace in binary form. description: Returns the execution trace in binary form. Tracing lasts for duration specified in seconds GET parameter, or for 1 second if not specified. operationId: getSysPprofTrace tags: - System responses: '200': description: OK "/sys/quotas/config": description: Create, update and read the quota configuration. get: operationId: getSysQuotasConfig tags: - System responses: '200': description: OK post: operationId: postSysQuotasConfig tags: - System requestBody: content: application/json: schema: type: object properties: enable_rate_limit_audit_logging: type: boolean description: If set, starts audit logging of requests that get rejected due to rate limit quota rule violations. enable_rate_limit_response_headers: type: boolean description: If set, additional rate limit quota HTTP headers will be added to responses. rate_limit_exempt_paths: type: array description: Specifies the list of exempt paths from all rate limit quotas. If empty no paths will be exempt. items: type: string responses: '200': description: OK "/sys/quotas/rate-limit": description: Lists the names of all the rate limit quotas. 
get: operationId: getSysQuotasRateLimit tags: - System parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK "/sys/quotas/rate-limit/{name}": description: Get, create or update rate limit resource quota for an optional namespace or mount. parameters: - name: name description: Name of the quota rule. in: path schema: type: string required: true get: operationId: getSysQuotasRateLimitName tags: - System responses: '200': description: OK post: operationId: postSysQuotasRateLimitName tags: - System requestBody: content: application/json: schema: type: object properties: block_interval: type: integer description: If set, when a client reaches a rate limit threshold, the client will be prohibited from any further requests until after the 'block_interval' has elapsed. format: seconds interval: type: integer description: The duration to enforce rate limiting for (default '1s'). format: seconds path: type: string description: Path of the mount or namespace to apply the quota. A blank path configures a global quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1. rate: type: number description: The maximum number of requests in a given interval to be allowed by the quota rule. The 'rate' must be positive. format: float type: type: string description: Type of the quota rule. responses: '200': description: OK delete: operationId: deleteSysQuotasRateLimitName tags: - System responses: '204': description: empty body "/sys/raw": description: Write, Read, and Delete data directly in the Storage backend. x-vault-sudo: true get: summary: HashiCorp Read the value of the key at the given path. operationId: getSysRaw tags: - System parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK post: summary: HashiCorp Update the value of the key at the given path. 
operationId: postSysRaw tags: - System requestBody: content: application/json: schema: type: object properties: path: type: string value: type: string responses: '200': description: OK delete: summary: HashiCorp Delete the key with given path. operationId: deleteSysRaw tags: - System responses: '204': description: empty body "/sys/raw/{path}": description: Write, Read, and Delete data directly in the Storage backend. parameters: - name: path in: path schema: type: string required: true x-vault-sudo: true get: summary: HashiCorp Read the value of the key at the given path. operationId: getSysRawPath tags: - System parameters: - name: list description: Return a list if `true` in: query schema: type: string responses: '200': description: OK post: summary: HashiCorp Update the value of the key at the given path. operationId: postSysRawPath tags: - System requestBody: content: application/json: schema: type: object properties: value: type: string responses: '200': description: OK delete: summary: HashiCorp Delete the key with given path. operationId: deleteSysRawPath tags: - System responses: '204': description: empty body "/sys/rekey/backup": description: Allows fetching or deleting the backup of the rotated unseal keys. get: summary: HashiCorp Return the backup copy of PGP-encrypted unseal keys. operationId: getSysRekeyBackup tags: - System responses: '200': description: OK delete: summary: HashiCorp Delete the backup copy of PGP-encrypted unseal keys. operationId: deleteSysRekeyBackup tags: - System responses: '204': description: empty body "/sys/rekey/init": x-vault-unauthenticated: true get: summary: HashiCorp Reads the configuration and progress of the current rekey attempt. operationId: getSysRekeyInit tags: - System responses: '200': description: OK post: summary: HashiCorp Initializes a new rekey attempt. 
description: Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce. operationId: postSysRekeyInit tags: - System requestBody: content: application/json: schema: type: object properties: backup: type: boolean description: Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys. pgp_keys: type: array description: Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares. items: type: string require_verification: type: boolean description: Turns on verification functionality secret_shares: type: integer description: Specifies the number of shares to split the master key into. secret_threshold: type: integer description: Specifies the number of shares required to reconstruct the master key. This must be less than or equal to secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares. responses: '200': description: OK delete: summary: HashiCorp Cancels any in-progress rekey. description: 'This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.' operationId: deleteSysRekeyInit tags: - System responses: '204': description: empty body "/sys/rekey/recovery-key-backup": description: Allows fetching or deleting the backup of the rotated unseal keys. get: summary: HashiCorp Allows fetching or deleting the backup of the rotated unseal keys.
operationId: getSysRekeyRecoveryKeyBackup tags: - System responses: '200': description: OK delete: summary: HashiCorp Allows fetching or deleting the backup of the rotated unseal keys. operationId: deleteSysRekeyRecoveryKeyBackup tags: - System responses: '204': description: empty body "/sys/rekey/update": x-vault-unauthenticated: true post: summary: HashiCorp Enter a single master key share to progress the rekey of the Vault. operationId: postSysRekeyUpdate tags: - System requestBody: content: application/json: schema: type: object properties: key: type: string description: Specifies a single master key share. nonce: type: string description: Specifies the nonce of the rekey attempt. responses: '200': description: OK "/sys/rekey/verify": x-vault-unauthenticated: true get: summary: HashiCorp Read the configuration and progress of the current rekey verification attempt. operationId: getSysRekeyVerify tags: - System responses: '200': description: OK post: summary: HashiCorp Enter a single new key share to progress the rekey verification operation. operationId: postSysRekeyVerify tags: - System requestBody: content: application/json: schema: type: object properties: key: type: string description: Specifies a single master share key from the new set of shares. nonce: type: string description: Specifies the nonce of the rekey verification operation. responses: '200': description: OK delete: summary: HashiCorp Cancel any in-progress rekey verification operation. description: This clears any progress made and resets the nonce. Unlike a `DELETE` against `sys/rekey/init`, this only resets the current verification operation, not the entire rekey attempt. operationId: deleteSysRekeyVerify tags: - System responses: '204': description: empty body "/sys/remount": description: Move the mount point of an already-mounted backend. x-vault-sudo: true post: summary: HashiCorp Move the mount point of an already-mounted backend.
operationId: postSysRemount tags: - System requestBody: content: application/json: schema: type: object properties: from: type: string description: The previous mount point. to: type: string description: The new mount point. responses: '200': description: OK "/sys/renew": description: Renew a lease on a secret post: summary: HashiCorp Renews a lease, requesting to extend the lease. operationId: postSysRenew tags: - System requestBody: content: application/json: schema: type: object properties: increment: type: integer description: The desired increment in seconds to the lease format: seconds lease_id: type: string description: The lease identifier to renew. This is included with a lease. url_lease_id: type: string description: The lease identifier to renew. This is included with a lease. responses: '200': description: OK "/sys/renew/{url_lease_id}": description: Renew a lease on a secret parameters: - name: url_lease_id description: The lease identifier to renew. This is included with a lease. in: path schema: type: string required: true post: summary: HashiCorp Renews a lease, requesting to extend the lease. operationId: postSysRenewUrl_lease_id tags: - System requestBody: content: application/json: schema: type: object properties: increment: type: integer description: The desired increment in seconds to the lease format: seconds lease_id: type: string description: The lease identifier to renew. This is included with a lease. responses: '200': description: OK "/sys/replication/status": x-vault-unauthenticated: true get: operationId: getSysReplicationStatus tags: - System responses: '200': description: OK "/sys/revoke": description: Revoke a leased secret immediately post: summary: HashiCorp Revokes a lease immediately. operationId: postSysRevoke tags: - System requestBody: content: application/json: schema: type: object properties: lease_id: type: string description: The lease identifier to renew. This is included with a lease. 
sync: type: boolean description: Whether or not to perform the revocation synchronously default: true url_lease_id: type: string description: The lease identifier to renew. This is included with a lease. responses: '200': description: OK "/sys/revoke-force/{prefix}": description: Revoke all secrets generated in a given prefix, ignoring errors. parameters: - name: prefix description: 'The path to revoke keys under. Example: "prod/aws/ops"' in: path schema: type: string required: true x-vault-sudo: true post: summary: HashiCorp Revokes all secrets or tokens generated under a given prefix immediately description: |- Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation. By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled. operationId: postSysRevokeForcePrefix tags: - System responses: '200': description: OK "/sys/revoke-prefix/{prefix}": description: Revoke all secrets generated in a given prefix parameters: - name: prefix description: 'The path to revoke keys under. Example: "prod/aws/ops"' in: path schema: type: string required: true x-vault-sudo: true post: summary: HashiCorp Revokes all secrets (via a lease ID prefix) or tokens (via the tokens' path property) generated under a given prefix immediately. 
operationId: postSysRevokePrefixPrefix tags: - System requestBody: content: application/json: schema: type: object properties: sync: type: boolean description: Whether or not to perform the revocation synchronously default: true responses: '200': description: OK "/sys/revoke/{url_lease_id}": description: Revoke a leased secret immediately parameters: - name: url_lease_id description: The lease identifier to renew. This is included with a lease. in: path schema: type: string required: true post: summary: HashiCorp Revokes a lease immediately. operationId: postSysRevokeUrl_lease_id tags: - System requestBody: content: application/json: schema: type: object properties: lease_id: type: string description: The lease identifier to renew. This is included with a lease. sync: type: boolean description: Whether or not to perform the revocation synchronously default: true responses: '200': description: OK "/sys/rotate": description: Rotates the backend encryption key used to persist data. x-vault-sudo: true post: summary: HashiCorp Rotates the backend encryption key used to persist data. operationId: postSysRotate tags: - System responses: '200': description: OK "/sys/rotate/config": description: Configures settings related to the backend encryption key management. get: operationId: getSysRotateConfig tags: - System responses: '200': description: OK post: operationId: postSysRotateConfig tags: - System requestBody: content: application/json: schema: type: object properties: enabled: type: boolean description: Whether automatic rotation is enabled. interval: type: integer description: How long after installation of an active key term that the key will be automatically rotated. format: seconds max_operations: description: The number of encryption operations performed before the barrier key is automatically rotated. format: unknown responses: '200': description: OK "/sys/seal": description: Seals the Vault. post: summary: HashiCorp Seal the Vault. 
operationId: postSysSeal tags: - System responses: '200': description: OK "/sys/seal-status": description: Returns the seal status of the Vault. x-vault-unauthenticated: true get: summary: HashiCorp Check the seal status of a Vault. operationId: getSysSealStatus tags: - System responses: '200': description: OK "/sys/step-down": post: summary: HashiCorp Cause the node to give up active status. description: This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again. operationId: postSysStepDown tags: - System responses: '204': description: empty body "/sys/tools/hash": description: Generate a hash sum for input data post: summary: HashiCorp Generate a hash sum for input data operationId: postSysToolsHash tags: - System requestBody: content: application/json: schema: type: object properties: algorithm: type: string description: 'Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to "sha2-256".' default: sha2-256 format: type: string description: Encoding format to use. Can be "hex" or "base64". Defaults to "hex". 
default: hex input: type: string description: The base64-encoded input data urlalgorithm: type: string description: Algorithm to use (POST URL parameter) responses: '200': description: OK "/sys/tools/hash/{urlalgorithm}": description: Generate a hash sum for input data parameters: - name: urlalgorithm description: Algorithm to use (POST URL parameter) in: path schema: type: string required: true post: summary: HashiCorp Generate a hash sum for input data operationId: postSysToolsHashUrlalgorithm tags: - System requestBody: content: application/json: schema: type: object properties: algorithm: type: string description: 'Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to "sha2-256".' default: sha2-256 format: type: string description: Encoding format to use. Can be "hex" or "base64". Defaults to "hex". default: hex input: type: string description: The base64-encoded input data responses: '200': description: OK "/sys/tools/random": description: Generate random bytes post: summary: HashiCorp Generate random bytes operationId: postSysToolsRandom tags: - System requestBody: content: application/json: schema: type: object properties: bytes: type: integer description: The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits). default: 32 format: type: string description: Encoding format to use. Can be "hex" or "base64". Defaults to "base64". 
default: base64 urlbytes: type: string description: The number of bytes to generate (POST URL parameter) responses: '200': description: OK "/sys/tools/random/{urlbytes}": description: Generate random bytes parameters: - name: urlbytes description: The number of bytes to generate (POST URL parameter) in: path schema: type: string required: true post: summary: HashiCorp Generate random bytes operationId: postSysToolsRandomUrlbytes tags: - System requestBody: content: application/json: schema: type: object properties: bytes: type: integer description: The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits). default: 32 format: type: string description: Encoding format to use. Can be "hex" or "base64". Defaults to "base64". default: base64 responses: '200': description: OK "/sys/unseal": description: Unseals the Vault. x-vault-unauthenticated: true post: summary: HashiCorp Unseal the Vault. operationId: postSysUnseal tags: - System requestBody: content: application/json: schema: type: object properties: key: type: string description: Specifies a single master key share. This is required unless reset is true. reset: type: boolean description: Specifies if previously-provided unseal keys are discarded and the unseal process is reset. responses: '200': description: OK "/sys/wrapping/lookup": description: Looks up the properties of a response-wrapped token. x-vault-unauthenticated: true get: summary: HashiCorp Look up wrapping properties for the requester's token. operationId: getSysWrappingLookup tags: - System responses: '200': description: OK post: summary: HashiCorp Look up wrapping properties for the given token. operationId: postSysWrappingLookup tags: - System requestBody: content: application/json: schema: type: object properties: token: type: string responses: '200': description: OK "/sys/wrapping/rewrap": description: Rotates a response-wrapped token. post: summary: HashiCorp Rotates a response-wrapped token. 
operationId: postSysWrappingRewrap tags: - System requestBody: content: application/json: schema: type: object properties: token: type: string responses: '200': description: OK "/sys/wrapping/unwrap": description: Unwraps a response-wrapped token. post: summary: HashiCorp Unwraps a response-wrapped token. operationId: postSysWrappingUnwrap tags: - System requestBody: content: application/json: schema: type: object properties: token: type: string responses: '200': description: OK "/sys/wrapping/wrap": description: Response-wraps an arbitrary JSON object. post: summary: HashiCorp Response-wraps an arbitrary JSON object. operationId: postSysWrappingWrap tags: - System responses: '200': description: OK tags: - name: Auth - name: Identity - name: Secrets - name: System