openapi: 3.0.0 info: title: HashiCorp Vault API description: HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/`. contact: {} version: '1.5.3' servers: - url: https://{defaultHost} variables: defaultHost: default: www.example.com paths: /Skywalker-kv/config: get: tags: - secrets summary: getSkywalkerKvConfig description: Configures settings for the KV store operationId: getSkywalkerKvConfig parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postSkywalkerKvConfig description: Configures settings for the KV store operationId: postSkywalkerKvConfig parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SkywalkerKvConfigRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /Skywalker-kv/data/{path}: get: tags: - secrets summary: getSkywalkerKvDataPath description: Write, Read, and Delete data in the Key-Value Store. operationId: getSkywalkerKvDataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postSkywalkerKvDataPath description: Write, Read, and Delete data in the Key-Value Store. operationId: postSkywalkerKvDataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SkywalkerKvDataRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - secrets summary: deleteSkywalkerKvDataPath description: Write, Read, and Delete data in the Key-Value Store. operationId: deleteSkywalkerKvDataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /Skywalker-kv/delete/{path}: post: tags: - secrets summary: postSkywalkerKvDeletePath description: Marks one or more versions as deleted in the KV store. operationId: postSkywalkerKvDeletePath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SkywalkerKvDeleteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /Skywalker-kv/destroy/{path}: post: tags: - secrets summary: postSkywalkerKvDestroyPath description: Permanently removes one or more versions in the KV store operationId: postSkywalkerKvDestroyPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SkywalkerKvDestroyRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /Skywalker-kv/metadata/{path}: get: tags: - secrets summary: getSkywalkerKvMetadataPath description: Configures settings for the KV store operationId: getSkywalkerKvMetadataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postSkywalkerKvMetadataPath description: Configures settings for the KV store operationId: postSkywalkerKvMetadataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SkywalkerKvMetadataRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - secrets summary: deleteSkywalkerKvMetadataPath description: Configures settings for the KV store operationId: deleteSkywalkerKvMetadataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /Skywalker-kv/undelete/{path}: post: tags: - secrets summary: postSkywalkerKvUndeletePath description: Undeletes one or more versions from the KV store. operationId: postSkywalkerKvUndeletePath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SkywalkerKvUndeleteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /cubbyhole/{path}: get: tags: - secrets summary: getCubbyholePath description: Pass-through secret storage to a token-specific cubbyhole in the storage backend, allowing you to read/write arbitrary data into secret storage. operationId: getCubbyholePath parameters: - name: path in: path description: Specifies the path of the secret. required: true style: simple schema: type: string - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postCubbyholePath description: Pass-through secret storage to a token-specific cubbyhole in the storage backend, allowing you to read/write arbitrary data into secret storage. operationId: postCubbyholePath parameters: - name: path in: path description: Specifies the path of the secret. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - secrets summary: deleteCubbyholePath description: Pass-through secret storage to a token-specific cubbyhole in the storage backend, allowing you to read/write arbitrary data into secret storage. operationId: deleteCubbyholePath parameters: - name: path in: path description: Specifies the path of the secret. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /jedi-users/config: get: tags: - secrets summary: getJediUsersConfig description: Configures settings for the KV store operationId: getJediUsersConfig parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postJediUsersConfig description: Configures settings for the KV store operationId: postJediUsersConfig parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/JediUsersConfigRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /jedi-users/data/{path}: get: tags: - secrets summary: getJediUsersDataPath description: Write, Read, and Delete data in the Key-Value Store. operationId: getJediUsersDataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postJediUsersDataPath description: Write, Read, and Delete data in the Key-Value Store. operationId: postJediUsersDataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/JediUsersDataRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - secrets summary: deleteJediUsersDataPath description: Write, Read, and Delete data in the Key-Value Store. operationId: deleteJediUsersDataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /jedi-users/delete/{path}: post: tags: - secrets summary: postJediUsersDeletePath description: Marks one or more versions as deleted in the KV store. operationId: postJediUsersDeletePath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/JediUsersDeleteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /jedi-users/destroy/{path}: post: tags: - secrets summary: postJediUsersDestroyPath description: Permanently removes one or more versions in the KV store operationId: postJediUsersDestroyPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/JediUsersDestroyRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /jedi-users/metadata/{path}: get: tags: - secrets summary: getJediUsersMetadataPath description: Configures settings for the KV store operationId: getJediUsersMetadataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postJediUsersMetadataPath description: Configures settings for the KV store operationId: postJediUsersMetadataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/JediUsersMetadataRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - secrets summary: deleteJediUsersMetadataPath description: Configures settings for the KV store operationId: deleteJediUsersMetadataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /jedi-users/undelete/{path}: post: tags: - secrets summary: postJediUsersUndeletePath description: Undeletes one or more versions from the KV store. operationId: postJediUsersUndeletePath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/JediUsersUndeleteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /kv/config: get: tags: - secrets summary: getKvConfig description: Configures settings for the KV store operationId: getKvConfig parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postKvConfig description: Configures settings for the KV store operationId: postKvConfig parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/KvConfigRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /kv/data/{path}: get: tags: - secrets summary: getKvDataPath description: Write, Read, and Delete data in the Key-Value Store. operationId: getKvDataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postKvDataPath description: Write, Read, and Delete data in the Key-Value Store. operationId: postKvDataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/KvDataRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - secrets summary: deleteKvDataPath description: Write, Read, and Delete data in the Key-Value Store. operationId: deleteKvDataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /kv/delete/{path}: post: tags: - secrets summary: postKvDeletePath description: Marks one or more versions as deleted in the KV store. operationId: postKvDeletePath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/KvDeleteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /kv/destroy/{path}: post: tags: - secrets summary: postKvDestroyPath description: Permanently removes one or more versions in the KV store operationId: postKvDestroyPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/KvDestroyRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /kv/metadata/{path}: get: tags: - secrets summary: getKvMetadataPath description: Configures settings for the KV store operationId: getKvMetadataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postKvMetadataPath description: Configures settings for the KV store operationId: postKvMetadataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/KvMetadataRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - secrets summary: deleteKvMetadataPath description: Configures settings for the KV store operationId: deleteKvMetadataPath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /kv/undelete/{path}: post: tags: - secrets summary: postKvUndeletePath description: Undeletes one or more versions from the KV store. operationId: postKvUndeletePath parameters: - name: path in: path description: Location of the secret. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/KvUndeleteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/ca: get: tags: - secrets summary: getPkiCa description: Fetch a CA, CRL, CA Chain, or non-revoked certificate. operationId: getPkiCa parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /pki/ca/pem: get: tags: - secrets summary: getPkiCaPem description: Fetch a CA, CRL, CA Chain, or non-revoked certificate. operationId: getPkiCaPem parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /pki/ca_chain: get: tags: - secrets summary: getPkiCa_chain description: Fetch a CA, CRL, CA Chain, or non-revoked certificate. operationId: getPkiCa_chain parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /pki/cert/ca_chain: get: tags: - secrets summary: getPkiCertCa_chain description: Fetch a CA, CRL, CA Chain, or non-revoked certificate. operationId: getPkiCertCa_chain parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /pki/cert/crl: get: tags: - secrets summary: getPkiCertCrl description: Fetch a CA, CRL, CA Chain, or non-revoked certificate. operationId: getPkiCertCrl parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /pki/cert/{serial}: get: tags: - secrets summary: getPkiCertSerial description: Fetch a CA, CRL, CA Chain, or non-revoked certificate. operationId: getPkiCertSerial parameters: - name: serial in: path description: Certificate serial number, in colon- or hyphen-separated octal required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /pki/certs: get: tags: - secrets summary: getPkiCerts description: Fetch a CA, CRL, CA Chain, or non-revoked certificate. operationId: getPkiCerts parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /pki/config/ca: post: tags: - secrets summary: postPkiConfigCa description: Set the CA certificate and private key used for generated credentials. operationId: postPkiConfigCa parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiConfigCaRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/config/crl: get: tags: - secrets summary: getPkiConfigCrl description: Configure the CRL expiration. operationId: getPkiConfigCrl parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postPkiConfigCrl description: Configure the CRL expiration. operationId: postPkiConfigCrl parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiConfigCrlRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/config/urls: get: tags: - secrets summary: getPkiConfigUrls description: Set the URLs for the issuing CA, CRL distribution points, and OCSP servers. operationId: getPkiConfigUrls parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postPkiConfigUrls description: Set the URLs for the issuing CA, CRL distribution points, and OCSP servers. operationId: postPkiConfigUrls parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiConfigUrlsRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/crl: get: tags: - secrets summary: getPkiCrl description: Fetch a CA, CRL, CA Chain, or non-revoked certificate. operationId: getPkiCrl parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /pki/crl/pem: get: tags: - secrets summary: getPkiCrlPem description: Fetch a CA, CRL, CA Chain, or non-revoked certificate. operationId: getPkiCrlPem parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /pki/crl/rotate: get: tags: - secrets summary: getPkiCrlRotate description: Force a rebuild of the CRL. operationId: getPkiCrlRotate parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /pki/intermediate/generate/{exported}: post: tags: - secrets summary: postPkiIntermediateGenerateExported description: Generate a new CSR and private key used for signing. operationId: postPkiIntermediateGenerateExported parameters: - name: exported in: path description: Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your *only* chance to retrieve the private key! required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiIntermediateGenerateRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/intermediate/set-signed: post: tags: - secrets summary: postPkiIntermediateSetSigned description: Provide the signed intermediate CA cert. operationId: postPkiIntermediateSetSigned parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiIntermediateSetSignedRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/issue/{role}: post: tags: - secrets summary: postPkiIssueRole description: Request a certificate using a certain role with the provided details. operationId: postPkiIssueRole parameters: - name: role in: path description: The desired role with configuration for this request required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiIssueRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/revoke: post: tags: - secrets summary: postPkiRevoke description: Revoke a certificate by serial number. operationId: postPkiRevoke parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiRevokeRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/roles: get: tags: - secrets summary: getPkiRoles description: List the existing roles in this backend operationId: getPkiRoles parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /pki/roles/{name}: get: tags: - secrets summary: getPkiRolesName description: Manage the roles that can be created with this backend. operationId: getPkiRolesName parameters: - name: name in: path description: Name of the role required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - secrets summary: postPkiRolesName description: Manage the roles that can be created with this backend. operationId: postPkiRolesName parameters: - name: name in: path description: Name of the role required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiRolesRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - secrets summary: deletePkiRolesName description: Manage the roles that can be created with this backend. operationId: deletePkiRolesName parameters: - name: name in: path description: Name of the role required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /pki/root: delete: tags: - secrets summary: deletePkiRoot description: Deletes the root CA key to allow a new one to be generated. operationId: deletePkiRoot parameters: [] responses: '204': description: empty body headers: {} content: {} deprecated: false /pki/root/generate/{exported}: post: tags: - secrets summary: postPkiRootGenerateExported description: Generate a new CA certificate and private key used for signing. operationId: postPkiRootGenerateExported parameters: - name: exported in: path description: Must be "internal" or "exported". If set to "exported", the generated private key will be returned. This is your *only* chance to retrieve the private key! required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiRootGenerateRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/root/sign-intermediate: post: tags: - secrets summary: postPkiRootSignIntermediate description: Issue an intermediate CA certificate based on the provided CSR. operationId: postPkiRootSignIntermediate parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiRootSignIntermediateRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/root/sign-self-issued: post: tags: - secrets summary: postPkiRootSignSelfIssued description: Signs another CA's self-issued certificate. operationId: postPkiRootSignSelfIssued parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiRootSignSelfIssuedRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/sign-verbatim: post: tags: - secrets summary: postPkiSignVerbatim description: Request certificates using a certain role with the provided details. operationId: postPkiSignVerbatim parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiSignVerbatimRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/sign-verbatim/{role}: post: tags: - secrets summary: postPkiSignVerbatimRole description: Request certificates using a certain role with the provided details. operationId: postPkiSignVerbatimRole parameters: - name: role in: path description: The desired role with configuration for this request required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiSignVerbatimRequest1' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/sign/{role}: post: tags: - secrets summary: postPkiSignRole description: Request certificates using a certain role with the provided details. operationId: postPkiSignRole parameters: - name: role in: path description: The desired role with configuration for this request required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiSignRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /pki/tidy: post: tags: - secrets summary: postPkiTidy description: Tidy up the backend by removing expired certificates, revocation information, or both. operationId: postPkiTidy parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/PkiTidyRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/approle/login: post: tags: - auth summary: postAuthApproleLogin description: Issue a token based on the credentials supplied operationId: postAuthApproleLogin parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleLoginRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/approle/role: get: tags: - auth summary: getAuthApproleRole description: Lists all the roles registered with the backend. operationId: getAuthApproleRole parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /auth/approle/role/{role_name}: get: tags: - auth summary: getAuthApproleRoleRole_name description: Register an role with the backend. operationId: getAuthApproleRoleRole_name parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_name description: Register an role with the backend. operationId: postAuthApproleRoleRole_name parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_name description: Register an role with the backend. operationId: deleteAuthApproleRoleRole_name parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/bind-secret-id: get: tags: - auth summary: getAuthApproleRoleRole_nameBindSecretId description: Impose secret_id to be presented during login using this role. operationId: getAuthApproleRoleRole_nameBindSecretId parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameBindSecretId description: Impose secret_id to be presented during login using this role. operationId: postAuthApproleRoleRole_nameBindSecretId parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleBindSecretIdRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameBindSecretId description: Impose secret_id to be presented during login using this role. operationId: deleteAuthApproleRoleRole_nameBindSecretId parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/bound-cidr-list: get: tags: - auth summary: getAuthApproleRoleRole_nameBoundCidrList description: 'Deprecated: Comma separated list of CIDR blocks, if set, specifies blocks of IP addresses which can perform the login operation' operationId: getAuthApproleRoleRole_nameBoundCidrList parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameBoundCidrList description: 'Deprecated: Comma separated list of CIDR blocks, if set, specifies blocks of IP addresses which can perform the login operation' operationId: postAuthApproleRoleRole_nameBoundCidrList parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleBoundCidrListRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameBoundCidrList description: 'Deprecated: Comma separated list of CIDR blocks, if set, specifies blocks of IP addresses which can perform the login operation' operationId: deleteAuthApproleRoleRole_nameBoundCidrList parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/custom-secret-id: post: tags: - auth summary: postAuthApproleRoleRole_nameCustomSecretId description: Assign a SecretID of choice against the role. operationId: postAuthApproleRoleRole_nameCustomSecretId parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleCustomSecretIdRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/local-secret-ids: get: tags: - auth summary: getAuthApproleRoleRole_nameLocalSecretIds description: Enables cluster local secret IDs operationId: getAuthApproleRoleRole_nameLocalSecretIds parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/period: get: tags: - auth summary: getAuthApproleRoleRole_namePeriod description: Updates the value of 'period' on the role operationId: getAuthApproleRoleRole_namePeriod parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_namePeriod description: Updates the value of 'period' on the role operationId: postAuthApproleRoleRole_namePeriod parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRolePeriodRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_namePeriod description: Updates the value of 'period' on the role operationId: deleteAuthApproleRoleRole_namePeriod parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/policies: get: tags: - auth summary: getAuthApproleRoleRole_namePolicies description: Policies of the role. operationId: getAuthApproleRoleRole_namePolicies parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_namePolicies description: Policies of the role. operationId: postAuthApproleRoleRole_namePolicies parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRolePoliciesRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_namePolicies description: Policies of the role. operationId: deleteAuthApproleRoleRole_namePolicies parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/role-id: get: tags: - auth summary: getAuthApproleRoleRole_nameRoleId description: Returns the 'role_id' of the role. operationId: getAuthApproleRoleRole_nameRoleId parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameRoleId description: Returns the 'role_id' of the role. operationId: postAuthApproleRoleRole_nameRoleId parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleRoleIdRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/secret-id: get: tags: - auth summary: getAuthApproleRoleRole_nameSecretId description: Generate a SecretID against this role. operationId: getAuthApproleRoleRole_nameSecretId parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameSecretId description: Generate a SecretID against this role. operationId: postAuthApproleRoleRole_nameSecretId parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleSecretIdRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/secret-id-accessor/destroy: post: tags: - auth summary: postAuthApproleRoleRole_nameSecretIdAccessorDestroy description: '' operationId: postAuthApproleRoleRole_nameSecretIdAccessorDestroy parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleSecretIdAccessorDestroyRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameSecretIdAccessorDestroy description: '' operationId: deleteAuthApproleRoleRole_nameSecretIdAccessorDestroy parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/secret-id-accessor/lookup: post: tags: - auth summary: postAuthApproleRoleRole_nameSecretIdAccessorLookup description: '' operationId: postAuthApproleRoleRole_nameSecretIdAccessorLookup parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleSecretIdAccessorLookupRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/secret-id-bound-cidrs: get: tags: - auth summary: getAuthApproleRoleRole_nameSecretIdBoundCidrs description: Comma separated list of CIDR blocks, if set, specifies blocks of IP addresses which can perform the login operation operationId: getAuthApproleRoleRole_nameSecretIdBoundCidrs parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameSecretIdBoundCidrs description: Comma separated list of CIDR blocks, if set, specifies blocks of IP addresses which can perform the login operation operationId: postAuthApproleRoleRole_nameSecretIdBoundCidrs parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleSecretIdBoundCidrsRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameSecretIdBoundCidrs description: Comma separated list of CIDR blocks, if set, specifies blocks of IP addresses which can perform the login operation operationId: deleteAuthApproleRoleRole_nameSecretIdBoundCidrs parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/secret-id-num-uses: get: tags: - auth summary: getAuthApproleRoleRole_nameSecretIdNumUses description: Use limit of the SecretID generated against the role. operationId: getAuthApproleRoleRole_nameSecretIdNumUses parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameSecretIdNumUses description: Use limit of the SecretID generated against the role. operationId: postAuthApproleRoleRole_nameSecretIdNumUses parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleSecretIdNumUsesRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameSecretIdNumUses description: Use limit of the SecretID generated against the role. operationId: deleteAuthApproleRoleRole_nameSecretIdNumUses parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/secret-id-ttl: get: tags: - auth summary: getAuthApproleRoleRole_nameSecretIdTtl description: Duration in seconds, representing the lifetime of the SecretIDs that are generated against the role using 'role//secret-id' or 'role//custom-secret-id' endpoints. operationId: getAuthApproleRoleRole_nameSecretIdTtl parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameSecretIdTtl description: Duration in seconds, representing the lifetime of the SecretIDs that are generated against the role using 'role//secret-id' or 'role//custom-secret-id' endpoints. operationId: postAuthApproleRoleRole_nameSecretIdTtl parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleSecretIdTtlRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameSecretIdTtl description: Duration in seconds, representing the lifetime of the SecretIDs that are generated against the role using 'role//secret-id' or 'role//custom-secret-id' endpoints. operationId: deleteAuthApproleRoleRole_nameSecretIdTtl parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/secret-id/destroy: post: tags: - auth summary: postAuthApproleRoleRole_nameSecretIdDestroy description: Invalidate an issued secret_id operationId: postAuthApproleRoleRole_nameSecretIdDestroy parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleSecretIdDestroyRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameSecretIdDestroy description: Invalidate an issued secret_id operationId: deleteAuthApproleRoleRole_nameSecretIdDestroy parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/secret-id/lookup: post: tags: - auth summary: postAuthApproleRoleRole_nameSecretIdLookup description: Read the properties of an issued secret_id operationId: postAuthApproleRoleRole_nameSecretIdLookup parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleSecretIdLookupRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/token-bound-cidrs: get: tags: - auth summary: getAuthApproleRoleRole_nameTokenBoundCidrs description: Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. operationId: getAuthApproleRoleRole_nameTokenBoundCidrs parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameTokenBoundCidrs description: Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. operationId: postAuthApproleRoleRole_nameTokenBoundCidrs parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleTokenBoundCidrsRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameTokenBoundCidrs description: Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. operationId: deleteAuthApproleRoleRole_nameTokenBoundCidrs parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/token-max-ttl: get: tags: - auth summary: getAuthApproleRoleRole_nameTokenMaxTtl description: Duration in seconds, the maximum lifetime of the tokens issued by using the SecretIDs that were generated against this role, after which the tokens are not allowed to be renewed. operationId: getAuthApproleRoleRole_nameTokenMaxTtl parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameTokenMaxTtl description: Duration in seconds, the maximum lifetime of the tokens issued by using the SecretIDs that were generated against this role, after which the tokens are not allowed to be renewed. operationId: postAuthApproleRoleRole_nameTokenMaxTtl parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleTokenMaxTtlRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameTokenMaxTtl description: Duration in seconds, the maximum lifetime of the tokens issued by using the SecretIDs that were generated against this role, after which the tokens are not allowed to be renewed. operationId: deleteAuthApproleRoleRole_nameTokenMaxTtl parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/token-num-uses: get: tags: - auth summary: getAuthApproleRoleRole_nameTokenNumUses description: Number of times issued tokens can be used operationId: getAuthApproleRoleRole_nameTokenNumUses parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameTokenNumUses description: Number of times issued tokens can be used operationId: postAuthApproleRoleRole_nameTokenNumUses parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleTokenNumUsesRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameTokenNumUses description: Number of times issued tokens can be used operationId: deleteAuthApproleRoleRole_nameTokenNumUses parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/role/{role_name}/token-ttl: get: tags: - auth summary: getAuthApproleRoleRole_nameTokenTtl description: Duration in seconds, the lifetime of the token issued by using the SecretID that is generated against this role, before which the token needs to be renewed. operationId: getAuthApproleRoleRole_nameTokenTtl parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthApproleRoleRole_nameTokenTtl description: Duration in seconds, the lifetime of the token issued by using the SecretID that is generated against this role, before which the token needs to be renewed. operationId: postAuthApproleRoleRole_nameTokenTtl parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthApproleRoleTokenTtlRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthApproleRoleRole_nameTokenTtl description: Duration in seconds, the lifetime of the token issued by using the SecretID that is generated against this role, before which the token needs to be renewed. operationId: deleteAuthApproleRoleRole_nameTokenTtl parameters: - name: role_name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/approle/tidy/secret-id: post: tags: - auth summary: postAuthApproleTidySecretId description: Trigger the clean-up of expired SecretID entries. operationId: postAuthApproleTidySecretId parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /auth/ldap/config: get: tags: - auth summary: getAuthLdapConfig description: Configure the LDAP server to connect to, along with its options. operationId: getAuthLdapConfig parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthLdapConfig description: Configure the LDAP server to connect to, along with its options. operationId: postAuthLdapConfig parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthLdapConfigRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/ldap/duo/access: post: tags: - auth summary: postAuthLdapDuoAccess description: Configure the access keys and host for Duo API connections. operationId: postAuthLdapDuoAccess parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthLdapDuoAccessRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/ldap/duo/config: get: tags: - auth summary: getAuthLdapDuoConfig description: Configure Duo second factor behavior. operationId: getAuthLdapDuoConfig parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthLdapDuoConfig description: Configure Duo second factor behavior. operationId: postAuthLdapDuoConfig parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthLdapDuoConfigRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/ldap/groups: get: tags: - auth summary: getAuthLdapGroups description: Manage additional groups for users allowed to authenticate. operationId: getAuthLdapGroups parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /auth/ldap/groups/{name}: get: tags: - auth summary: getAuthLdapGroupsName description: Manage additional groups for users allowed to authenticate. operationId: getAuthLdapGroupsName parameters: - name: name in: path description: Name of the LDAP group. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthLdapGroupsName description: Manage additional groups for users allowed to authenticate. operationId: postAuthLdapGroupsName parameters: - name: name in: path description: Name of the LDAP group. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthLdapGroupsRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthLdapGroupsName description: Manage additional groups for users allowed to authenticate. operationId: deleteAuthLdapGroupsName parameters: - name: name in: path description: Name of the LDAP group. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/ldap/login/{username}: post: tags: - auth summary: postAuthLdapLoginUsername description: Log in with a username and password. operationId: postAuthLdapLoginUsername parameters: - name: username in: path description: DN (distinguished name) to be used for login. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthLdapLoginRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/ldap/mfa_config: get: tags: - auth summary: getAuthLdapMfa_config description: Configure multi factor backend. operationId: getAuthLdapMfa_config parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthLdapMfa_config description: Configure multi factor backend. operationId: postAuthLdapMfa_config parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthLdapMfaConfigRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/ldap/users: get: tags: - auth summary: getAuthLdapUsers description: Manage users allowed to authenticate. operationId: getAuthLdapUsers parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /auth/ldap/users/{name}: get: tags: - auth summary: getAuthLdapUsersName description: Manage users allowed to authenticate. operationId: getAuthLdapUsersName parameters: - name: name in: path description: Name of the LDAP user. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthLdapUsersName description: Manage users allowed to authenticate. operationId: postAuthLdapUsersName parameters: - name: name in: path description: Name of the LDAP user. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthLdapUsersRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthLdapUsersName description: Manage users allowed to authenticate. operationId: deleteAuthLdapUsersName parameters: - name: name in: path description: Name of the LDAP user. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/rancher/config: get: tags: - auth summary: getAuthRancherConfig description: Configures the JWT Public Key and Kubernetes API information. operationId: getAuthRancherConfig parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthRancherConfig description: Configures the JWT Public Key and Kubernetes API information. operationId: postAuthRancherConfig parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthRancherConfigRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/rancher/login: post: tags: - auth summary: postAuthRancherLogin description: Authenticates Kubernetes service accounts with Vault. operationId: postAuthRancherLogin parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthRancherLoginRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/rancher/role: get: tags: - auth summary: getAuthRancherRole description: Lists all the roles registered with the backend. operationId: getAuthRancherRole parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /auth/rancher/role/{name}: get: tags: - auth summary: getAuthRancherRoleName description: Register an role with the backend. operationId: getAuthRancherRoleName parameters: - name: name in: path description: Name of the role. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthRancherRoleName description: Register an role with the backend. operationId: postAuthRancherRoleName parameters: - name: name in: path description: Name of the role. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthRancherRoleRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthRancherRoleName description: Register an role with the backend. operationId: deleteAuthRancherRoleName parameters: - name: name in: path description: Name of the role. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/token/accessors/: get: tags: - auth summary: getAuthTokenAccessors description: List token accessors, which can then be be used to iterate and discover their properties or revoke them. Because this can be used to cause a denial of service, this endpoint requires 'sudo' capability in addition to 'list'. operationId: getAuthTokenAccessors parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/create: post: tags: - auth summary: postAuthTokenCreate description: The token create path is used to create new tokens. operationId: postAuthTokenCreate parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/create-orphan: post: tags: - auth summary: postAuthTokenCreateOrphan description: The token create path is used to create new orphan tokens. operationId: postAuthTokenCreateOrphan parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/create/{role_name}: post: tags: - auth summary: postAuthTokenCreateRole_name description: This token create path is used to create new tokens adhering to the given role. operationId: postAuthTokenCreateRole_name parameters: - name: role_name in: path description: Name of the role required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/lookup: get: tags: - auth summary: getAuthTokenLookup description: This endpoint will lookup a token and its properties. operationId: getAuthTokenLookup parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthTokenLookup description: This endpoint will lookup a token and its properties. operationId: postAuthTokenLookup parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTokenLookupRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/lookup-accessor: post: tags: - auth summary: postAuthTokenLookupAccessor description: This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID. operationId: postAuthTokenLookupAccessor parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTokenLookupAccessorRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/lookup-self: get: tags: - auth summary: getAuthTokenLookupSelf description: This endpoint will lookup a token and its properties. operationId: getAuthTokenLookupSelf parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthTokenLookupSelf description: This endpoint will lookup a token and its properties. operationId: postAuthTokenLookupSelf parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTokenLookupSelfRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/renew: post: tags: - auth summary: postAuthTokenRenew description: This endpoint will renew the given token and prevent expiration. operationId: postAuthTokenRenew parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTokenRenewRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/renew-accessor: post: tags: - auth summary: postAuthTokenRenewAccessor description: This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID. operationId: postAuthTokenRenewAccessor parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTokenRenewAccessorRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/renew-self: post: tags: - auth summary: postAuthTokenRenewSelf description: This endpoint will renew the token used to call it and prevent expiration. operationId: postAuthTokenRenewSelf parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTokenRenewSelfRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/revoke: post: tags: - auth summary: postAuthTokenRevoke description: This endpoint will delete the given token and all of its child tokens. operationId: postAuthTokenRevoke parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTokenRevokeRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/revoke-accessor: post: tags: - auth summary: postAuthTokenRevokeAccessor description: This endpoint will delete the token associated with the accessor and all of its child tokens. operationId: postAuthTokenRevokeAccessor parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTokenRevokeAccessorRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/revoke-orphan: post: tags: - auth summary: postAuthTokenRevokeOrphan description: This endpoint will delete the token and orphan its child tokens. operationId: postAuthTokenRevokeOrphan parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTokenRevokeOrphanRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/revoke-self: post: tags: - auth summary: postAuthTokenRevokeSelf description: This endpoint will delete the token used to call it and all of its child tokens. operationId: postAuthTokenRevokeSelf parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/roles: get: tags: - auth summary: getAuthTokenRoles description: This endpoint lists configured roles. operationId: getAuthTokenRoles parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /auth/token/roles/{role_name}: get: tags: - auth summary: getAuthTokenRolesRole_name description: '' operationId: getAuthTokenRolesRole_name parameters: - name: role_name in: path description: Name of the role required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - auth summary: postAuthTokenRolesRole_name description: '' operationId: postAuthTokenRolesRole_name parameters: - name: role_name in: path description: Name of the role required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/AuthTokenRolesRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - auth summary: deleteAuthTokenRolesRole_name description: '' operationId: deleteAuthTokenRolesRole_name parameters: - name: role_name in: path description: Name of the role required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /auth/token/tidy: post: tags: - auth summary: postAuthTokenTidy description: This endpoint performs cleanup tasks that can be run if certain error conditions have occurred. operationId: postAuthTokenTidy parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /identity/alias: post: tags: - identity summary: postIdentityAlias description: Create a new alias. operationId: postIdentityAlias parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityAliasRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/alias/id: get: tags: - identity summary: getIdentityAliasId description: List all the alias IDs. operationId: getIdentityAliasId parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/alias/id/{id}: get: tags: - identity summary: getIdentityAliasIdId description: Update, read or delete an alias ID. operationId: getIdentityAliasIdId parameters: - name: id in: path description: ID of the alias required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityAliasIdId description: Update, read or delete an alias ID. operationId: postIdentityAliasIdId parameters: - name: id in: path description: ID of the alias required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityAliasIdRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - identity summary: deleteIdentityAliasIdId description: Update, read or delete an alias ID. operationId: deleteIdentityAliasIdId parameters: - name: id in: path description: ID of the alias required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /identity/entity: post: tags: - identity summary: postIdentityEntity description: Create a new entity operationId: postIdentityEntity parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityEntityRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/entity-alias: post: tags: - identity summary: postIdentityEntityAlias description: Create a new alias. operationId: postIdentityEntityAlias parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityEntityAliasRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/entity-alias/id: get: tags: - identity summary: getIdentityEntityAliasId description: List all the alias IDs. operationId: getIdentityEntityAliasId parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/entity-alias/id/{id}: get: tags: - identity summary: getIdentityEntityAliasIdId description: Update, read or delete an alias ID. operationId: getIdentityEntityAliasIdId parameters: - name: id in: path description: ID of the alias required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityEntityAliasIdId description: Update, read or delete an alias ID. operationId: postIdentityEntityAliasIdId parameters: - name: id in: path description: ID of the alias required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityEntityAliasIdRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - identity summary: deleteIdentityEntityAliasIdId description: Update, read or delete an alias ID. operationId: deleteIdentityEntityAliasIdId parameters: - name: id in: path description: ID of the alias required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /identity/entity/batch-delete: post: tags: - identity summary: postIdentityEntityBatchDelete description: Delete all of the entities provided operationId: postIdentityEntityBatchDelete parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityEntityBatchDeleteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/entity/id: get: tags: - identity summary: getIdentityEntityId description: List all the entity IDs operationId: getIdentityEntityId parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/entity/id/{id}: get: tags: - identity summary: getIdentityEntityIdId description: Update, read or delete an entity using entity ID operationId: getIdentityEntityIdId parameters: - name: id in: path description: ID of the entity. If set, updates the corresponding existing entity. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityEntityIdId description: Update, read or delete an entity using entity ID operationId: postIdentityEntityIdId parameters: - name: id in: path description: ID of the entity. If set, updates the corresponding existing entity. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityEntityIdRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - identity summary: deleteIdentityEntityIdId description: Update, read or delete an entity using entity ID operationId: deleteIdentityEntityIdId parameters: - name: id in: path description: ID of the entity. If set, updates the corresponding existing entity. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /identity/entity/merge: post: tags: - identity summary: postIdentityEntityMerge description: Merge two or more entities together operationId: postIdentityEntityMerge parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityEntityMergeRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/entity/name: get: tags: - identity summary: getIdentityEntityName description: List all the entity names operationId: getIdentityEntityName parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/entity/name/{name}: get: tags: - identity summary: getIdentityEntityNameName description: Update, read or delete an entity using entity name operationId: getIdentityEntityNameName parameters: - name: name in: path description: Name of the entity required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityEntityNameName description: Update, read or delete an entity using entity name operationId: postIdentityEntityNameName parameters: - name: name in: path description: Name of the entity required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityEntityNameRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - identity summary: deleteIdentityEntityNameName description: Update, read or delete an entity using entity name operationId: deleteIdentityEntityNameName parameters: - name: name in: path description: Name of the entity required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /identity/group: post: tags: - identity summary: postIdentityGroup description: Create a new group. operationId: postIdentityGroup parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityGroupRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/group-alias: post: tags: - identity summary: postIdentityGroupAlias description: Creates a new group alias, or updates an existing one. operationId: postIdentityGroupAlias parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityGroupAliasRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/group-alias/id: get: tags: - identity summary: getIdentityGroupAliasId description: List all the group alias IDs. operationId: getIdentityGroupAliasId parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/group-alias/id/{id}: get: tags: - identity summary: getIdentityGroupAliasIdId description: '' operationId: getIdentityGroupAliasIdId parameters: - name: id in: path description: ID of the group alias. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityGroupAliasIdId description: '' operationId: postIdentityGroupAliasIdId parameters: - name: id in: path description: ID of the group alias. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityGroupAliasIdRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - identity summary: deleteIdentityGroupAliasIdId description: '' operationId: deleteIdentityGroupAliasIdId parameters: - name: id in: path description: ID of the group alias. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /identity/group/id: get: tags: - identity summary: getIdentityGroupId description: List all the group IDs. operationId: getIdentityGroupId parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/group/id/{id}: get: tags: - identity summary: getIdentityGroupIdId description: Update or delete an existing group using its ID. operationId: getIdentityGroupIdId parameters: - name: id in: path description: ID of the group. If set, updates the corresponding existing group. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityGroupIdId description: Update or delete an existing group using its ID. operationId: postIdentityGroupIdId parameters: - name: id in: path description: ID of the group. If set, updates the corresponding existing group. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityGroupIdRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - identity summary: deleteIdentityGroupIdId description: Update or delete an existing group using its ID. operationId: deleteIdentityGroupIdId parameters: - name: id in: path description: ID of the group. If set, updates the corresponding existing group. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /identity/group/name: get: tags: - identity summary: getIdentityGroupName description: '' operationId: getIdentityGroupName parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/group/name/{name}: get: tags: - identity summary: getIdentityGroupNameName description: '' operationId: getIdentityGroupNameName parameters: - name: name in: path description: Name of the group. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityGroupNameName description: '' operationId: postIdentityGroupNameName parameters: - name: name in: path description: Name of the group. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityGroupNameRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - identity summary: deleteIdentityGroupNameName description: '' operationId: deleteIdentityGroupNameName parameters: - name: name in: path description: Name of the group. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /identity/lookup/entity: post: tags: - identity summary: postIdentityLookupEntity description: Query entities based on various properties. operationId: postIdentityLookupEntity parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityLookupEntityRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/lookup/group: post: tags: - identity summary: postIdentityLookupGroup description: Query groups based on various properties. operationId: postIdentityLookupGroup parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityLookupGroupRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/oidc/.well-known/keys: get: tags: - identity summary: getIdentityOidcWellKnownKeys description: Retrieve public keys operationId: getIdentityOidcWellKnownKeys parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /identity/oidc/.well-known/openid-configuration: get: tags: - identity summary: getIdentityOidcWellKnownOpenidConfiguration description: Query OIDC configurations operationId: getIdentityOidcWellKnownOpenidConfiguration parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /identity/oidc/config: get: tags: - identity summary: getIdentityOidcConfig description: OIDC configuration operationId: getIdentityOidcConfig parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityOidcConfig description: OIDC configuration operationId: postIdentityOidcConfig parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityOidcConfigRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/oidc/introspect: post: tags: - identity summary: postIdentityOidcIntrospect description: Verify the authenticity of an OIDC token operationId: postIdentityOidcIntrospect parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityOidcIntrospectRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/oidc/key: get: tags: - identity summary: getIdentityOidcKey description: List OIDC keys operationId: getIdentityOidcKey parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/oidc/key/{name}: get: tags: - identity summary: getIdentityOidcKeyName description: CRUD operations for OIDC keys. operationId: getIdentityOidcKeyName parameters: - name: name in: path description: Name of the key required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityOidcKeyName description: CRUD operations for OIDC keys. operationId: postIdentityOidcKeyName parameters: - name: name in: path description: Name of the key required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityOidcKeyRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - identity summary: deleteIdentityOidcKeyName description: CRUD operations for OIDC keys. operationId: deleteIdentityOidcKeyName parameters: - name: name in: path description: Name of the key required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /identity/oidc/key/{name}/rotate: post: tags: - identity summary: postIdentityOidcKeyNameRotate description: Rotate a named OIDC key. operationId: postIdentityOidcKeyNameRotate parameters: - name: name in: path description: Name of the key required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityOidcKeyRotateRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/oidc/role: get: tags: - identity summary: getIdentityOidcRole description: List configured OIDC roles operationId: getIdentityOidcRole parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/oidc/role/{name}: get: tags: - identity summary: getIdentityOidcRoleName description: CRUD operations on OIDC Roles operationId: getIdentityOidcRoleName parameters: - name: name in: path description: Name of the role required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityOidcRoleName description: CRUD operations on OIDC Roles operationId: postIdentityOidcRoleName parameters: - name: name in: path description: Name of the role required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityOidcRoleRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - identity summary: deleteIdentityOidcRoleName description: CRUD operations on OIDC Roles operationId: deleteIdentityOidcRoleName parameters: - name: name in: path description: Name of the role required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /identity/oidc/token/{name}: get: tags: - identity summary: getIdentityOidcTokenName description: Generate an OIDC token operationId: getIdentityOidcTokenName parameters: - name: name in: path description: Name of the role required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/persona: post: tags: - identity summary: postIdentityPersona description: Create a new alias. operationId: postIdentityPersona parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityPersonaRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /identity/persona/id: get: tags: - identity summary: getIdentityPersonaId description: List all the alias IDs. operationId: getIdentityPersonaId parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /identity/persona/id/{id}: get: tags: - identity summary: getIdentityPersonaIdId description: Update, read or delete an alias ID. operationId: getIdentityPersonaIdId parameters: - name: id in: path description: ID of the persona required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - identity summary: postIdentityPersonaIdId description: Update, read or delete an alias ID. operationId: postIdentityPersonaIdId parameters: - name: id in: path description: ID of the persona required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/IdentityPersonaIdRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - identity summary: deleteIdentityPersonaIdId description: Update, read or delete an alias ID. operationId: deleteIdentityPersonaIdId parameters: - name: id in: path description: ID of the persona required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/audit: get: tags: - system summary: getSysAudit description: List the currently enabled audit backends. operationId: getSysAudit parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/audit-hash/{path}: post: tags: - system summary: postSysAuditHashPath description: The hash of the given string via the given audit backend operationId: postSysAuditHashPath parameters: - name: path in: path description: 'The name of the backend. Cannot be delimited. Example: "mysql"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysAuditHashRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/audit/{path}: post: tags: - system summary: postSysAuditPath description: Enable or disable audit backends. operationId: postSysAuditPath parameters: - name: path in: path description: 'The name of the backend. Cannot be delimited. Example: "mysql"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysAuditRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysAuditPath description: Enable or disable audit backends. operationId: deleteSysAuditPath parameters: - name: path in: path description: 'The name of the backend. Cannot be delimited. Example: "mysql"' required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/auth: get: tags: - system summary: getSysAuth description: List the currently enabled credential backends. operationId: getSysAuth parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/auth/{path}: post: tags: - system summary: postSysAuthPath description: >- After enabling, the auth method can be accessed and configured via the auth path specified as part of the URL. This auth path will be nested under the auth prefix. For example, enable the "foo" auth method will make it accessible at /auth/foo. operationId: postSysAuthPath parameters: - name: path in: path description: 'The path to mount to. Cannot be delimited. Example: "user"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysAuthRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysAuthPath description: Enable a new credential backend with a name. operationId: deleteSysAuthPath parameters: - name: path in: path description: 'The path to mount to. Cannot be delimited. Example: "user"' required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/auth/{path}/tune: get: tags: - system summary: getSysAuthPathTune description: This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`. operationId: getSysAuthPathTune parameters: - name: path in: path description: Tune the configuration parameters for an auth path. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysAuthPathTune description: This endpoint requires sudo capability on the final path, but the same functionality can be achieved without sudo via `sys/mounts/auth/[auth-path]/tune`. operationId: postSysAuthPathTune parameters: - name: path in: path description: Tune the configuration parameters for an auth path. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysAuthTuneRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/capabilities: post: tags: - system summary: postSysCapabilities description: Fetches the capabilities of the given token on the given path. operationId: postSysCapabilities parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysCapabilitiesRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/capabilities-accessor: post: tags: - system summary: postSysCapabilitiesAccessor description: Fetches the capabilities of the token associated with the given token, on the given path. operationId: postSysCapabilitiesAccessor parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysCapabilitiesAccessorRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/capabilities-self: post: tags: - system summary: postSysCapabilitiesSelf description: Fetches the capabilities of the given token on the given path. operationId: postSysCapabilitiesSelf parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysCapabilitiesSelfRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/config/auditing/request-headers: get: tags: - system summary: getSysConfigAuditingRequestHeaders description: Lists the headers configured to be audited. operationId: getSysConfigAuditingRequestHeaders parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/config/auditing/request-headers/{header}: get: tags: - system summary: getSysConfigAuditingRequestHeadersHeader description: Configures the headers sent to the audit logs. operationId: getSysConfigAuditingRequestHeadersHeader parameters: - name: header in: path description: '' required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysConfigAuditingRequestHeadersHeader description: Configures the headers sent to the audit logs. operationId: postSysConfigAuditingRequestHeadersHeader parameters: - name: header in: path description: '' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysConfigAuditingRequestHeadersRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysConfigAuditingRequestHeadersHeader description: Configures the headers sent to the audit logs. operationId: deleteSysConfigAuditingRequestHeadersHeader parameters: - name: header in: path description: '' required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/config/control-group: get: tags: - system summary: getSysConfigControlGroup description: Configure control group global settings. operationId: getSysConfigControlGroup parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysConfigControlGroup description: Configure control group global settings. operationId: postSysConfigControlGroup parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysConfigControlGroupRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysConfigControlGroup description: Configure control group global settings. operationId: deleteSysConfigControlGroup parameters: [] responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/config/cors: get: tags: - system summary: getSysConfigCors description: This path responds to the following HTTP methods. GET / Returns the configuration of the CORS setting. POST / Sets the comma-separated list of origins that can make cross-origin requests. DELETE / Clears the CORS configuration and disables acceptance of CORS requests. operationId: getSysConfigCors parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysConfigCors description: This path responds to the following HTTP methods. GET / Returns the configuration of the CORS setting. POST / Sets the comma-separated list of origins that can make cross-origin requests. DELETE / Clears the CORS configuration and disables acceptance of CORS requests. operationId: postSysConfigCors parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysConfigCorsRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysConfigCors description: This path responds to the following HTTP methods. GET / Returns the configuration of the CORS setting. POST / Sets the comma-separated list of origins that can make cross-origin requests. DELETE / Clears the CORS configuration and disables acceptance of CORS requests. operationId: deleteSysConfigCors parameters: [] responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/config/state/sanitized: get: tags: - system summary: getSysConfigStateSanitized description: The sanitized output strips configuration values in the storage, HA storage, and seals stanzas, which may contain sensitive values such as API tokens. It also removes any token or secret fields in other stanzas, such as the circonus_api_token from telemetry. operationId: getSysConfigStateSanitized parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/config/ui/headers/: get: tags: - system summary: getSysConfigUiHeaders description: This path responds to the following HTTP methods. GET /
Returns the header value. POST /
Sets the header value for the UI. DELETE /
Clears the header value for UI. LIST / List the headers configured for the UI. operationId: getSysConfigUiHeaders parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/config/ui/headers/{header}: get: tags: - system summary: getSysConfigUiHeadersHeader description: This path responds to the following HTTP methods. GET /
Returns the header value. POST /
Sets the header value for the UI. DELETE /
Clears the header value for UI. LIST / List the headers configured for the UI. operationId: getSysConfigUiHeadersHeader parameters: - name: header in: path description: The name of the header. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysConfigUiHeadersHeader description: This path responds to the following HTTP methods. GET /
Returns the header value. POST /
Sets the header value for the UI. DELETE /
Clears the header value for UI. LIST / List the headers configured for the UI. operationId: postSysConfigUiHeadersHeader parameters: - name: header in: path description: The name of the header. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysConfigUiHeadersRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysConfigUiHeadersHeader description: This path responds to the following HTTP methods. GET /
Returns the header value. POST /
Sets the header value for the UI. DELETE /
Clears the header value for UI. LIST / List the headers configured for the UI. operationId: deleteSysConfigUiHeadersHeader parameters: - name: header in: path description: The name of the header. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/control-group/authorize: post: tags: - system summary: postSysControlGroupAuthorize description: Authorize a control group request operationId: postSysControlGroupAuthorize parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysControlGroupAuthorizeRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/control-group/request: post: tags: - system summary: postSysControlGroupRequest description: Check the status of a control group request operationId: postSysControlGroupRequest parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysControlGroupRequestRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/generate-root: get: tags: - system summary: getSysGenerateRoot description: Reads, generates, or deletes a root token regeneration process. operationId: getSysGenerateRoot parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysGenerateRoot description: Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key are required. operationId: postSysGenerateRoot parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysGenerateRootRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysGenerateRoot description: Reads, generates, or deletes a root token regeneration process. operationId: deleteSysGenerateRoot parameters: [] responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/generate-root/attempt: get: tags: - system summary: getSysGenerateRootAttempt description: Reads, generates, or deletes a root token regeneration process. operationId: getSysGenerateRootAttempt parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysGenerateRootAttempt description: Only a single root generation attempt can take place at a time. One (and only one) of otp or pgp_key are required. operationId: postSysGenerateRootAttempt parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysGenerateRootAttemptRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysGenerateRootAttempt description: Reads, generates, or deletes a root token regeneration process. operationId: deleteSysGenerateRootAttempt parameters: [] responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/generate-root/update: post: tags: - system summary: postSysGenerateRootUpdate description: If the threshold number of master key shares is reached, Vault will complete the root generation and issue the new token. Otherwise, this API must be called multiple times until that threshold is met. The attempt nonce must be provided with each call. operationId: postSysGenerateRootUpdate parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysGenerateRootUpdateRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/health: get: tags: - system summary: getSysHealth description: Checks the health status of the Vault. operationId: getSysHealth parameters: [] responses: '200': description: initialized, unsealed, and active headers: {} content: {} '429': description: unsealed and standby headers: {} content: {} '472': description: data recovery mode replication secondary and active headers: {} content: {} '501': description: not initialized headers: {} content: {} '503': description: sealed headers: {} content: {} deprecated: false /sys/host-info: get: tags: - system summary: getSysHostInfo description: >- Information about the host instance that this Vault server is running on. The information that gets collected includes host hardware information, and CPU, disk, and memory utilization operationId: getSysHostInfo parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/init: get: tags: - system summary: getSysInit description: Initializes or returns the initialization status of the Vault. operationId: getSysInit parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysInit description: The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Vault HSM. operationId: postSysInit parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysInitRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/internal/specs/openapi: get: tags: - system summary: getSysInternalSpecsOpenapi description: '' operationId: getSysInternalSpecsOpenapi parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/internal/ui/mounts: get: tags: - system summary: getSysInternalUiMounts description: Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change. operationId: getSysInternalUiMounts parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/internal/ui/mounts/{path}: get: tags: - system summary: getSysInternalUiMountsPath description: Information about mounts returned according to their tuned visibility. Internal API; its location, inputs, and outputs may change. operationId: getSysInternalUiMountsPath parameters: - name: path in: path description: The path of the mount. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/key-status: get: tags: - system summary: getSysKeyStatus description: Provides information about the backend encryption key. operationId: getSysKeyStatus parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leader: get: tags: - system summary: getSysLeader description: Check the high availability status and current leader of Vault operationId: getSysLeader parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leases/lookup: post: tags: - system summary: postSysLeasesLookup description: View or list lease metadata. operationId: postSysLeasesLookup parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysLeasesLookupRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leases/lookup/: get: tags: - system summary: getSysLeasesLookup description: View or list lease metadata. operationId: getSysLeasesLookup parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leases/lookup/{prefix}: get: tags: - system summary: getSysLeasesLookupPrefix description: View or list lease metadata. operationId: getSysLeasesLookupPrefix parameters: - name: prefix in: path description: 'The path to list leases under. Example: "aws/creds/deploy"' required: true style: simple schema: type: string - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leases/renew: post: tags: - system summary: postSysLeasesRenew description: Renew a lease on a secret operationId: postSysLeasesRenew parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysLeasesRenewRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leases/renew/{url_lease_id}: post: tags: - system summary: postSysLeasesRenewUrl_lease_id description: Renew a lease on a secret operationId: postSysLeasesRenewUrl_lease_id parameters: - name: url_lease_id in: path description: The lease identifier to renew. This is included with a lease. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysLeasesRenewRequest1' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leases/revoke: post: tags: - system summary: postSysLeasesRevoke description: Revoke a leased secret immediately operationId: postSysLeasesRevoke parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysLeasesRevokeRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leases/revoke-force/{prefix}: post: tags: - system summary: postSysLeasesRevokeForcePrefix description: >- Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation. By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled. operationId: postSysLeasesRevokeForcePrefix parameters: - name: prefix in: path description: 'The path to revoke keys under. Example: "prod/aws/ops"' required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leases/revoke-prefix/{prefix}: post: tags: - system summary: postSysLeasesRevokePrefixPrefix description: Revoke all secrets generated in a given prefix operationId: postSysLeasesRevokePrefixPrefix parameters: - name: prefix in: path description: 'The path to revoke keys under. Example: "prod/aws/ops"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysLeasesRevokePrefixRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leases/revoke/{url_lease_id}: post: tags: - system summary: postSysLeasesRevokeUrl_lease_id description: Revoke a leased secret immediately operationId: postSysLeasesRevokeUrl_lease_id parameters: - name: url_lease_id in: path description: The lease identifier to renew. This is included with a lease. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysLeasesRevokeRequest1' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/leases/tidy: post: tags: - system summary: postSysLeasesTidy description: This endpoint performs cleanup tasks that can be run if certain error conditions have occurred. operationId: postSysLeasesTidy parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/license: get: tags: - system summary: getSysLicense description: The path responds to the following HTTP methods. GET / Returns information on the installed license POST Sets the license for the server operationId: getSysLicense parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysLicense description: The path responds to the following HTTP methods. GET / Returns information on the installed license POST Sets the license for the server operationId: postSysLicense parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysLicenseRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/metrics: get: tags: - system summary: getSysMetrics description: Export the metrics aggregated for telemetry purpose. operationId: getSysMetrics parameters: - name: format in: query description: Format to export metrics into. Currently accepts only "prometheus". style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/mfa/method: get: tags: - system summary: getSysMfaMethod description: Lists all the available MFA methods by their name. operationId: getSysMfaMethod parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/mfa/method/duo/{name}: get: tags: - system summary: getSysMfaMethodDuoName description: Defines or updates a Duo MFA method. operationId: getSysMfaMethodDuoName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysMfaMethodDuoName description: Defines or updates a Duo MFA method. operationId: postSysMfaMethodDuoName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysMfaMethodDuoRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysMfaMethodDuoName description: Defines or updates a Duo MFA method. operationId: deleteSysMfaMethodDuoName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/mfa/method/okta/{name}: get: tags: - system summary: getSysMfaMethodOktaName description: Defines or updates an Okta MFA method. operationId: getSysMfaMethodOktaName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysMfaMethodOktaName description: Defines or updates an Okta MFA method. operationId: postSysMfaMethodOktaName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysMfaMethodOktaRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysMfaMethodOktaName description: Defines or updates an Okta MFA method. operationId: deleteSysMfaMethodOktaName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/mfa/method/pingid/{name}: get: tags: - system summary: getSysMfaMethodPingidName description: Defines or updates a PingID MFA method. operationId: getSysMfaMethodPingidName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysMfaMethodPingidName description: Defines or updates a PingID MFA method. operationId: postSysMfaMethodPingidName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysMfaMethodPingidRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysMfaMethodPingidName description: Defines or updates a PingID MFA method. operationId: deleteSysMfaMethodPingidName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/mfa/method/totp/{name}: get: tags: - system summary: getSysMfaMethodTotpName description: Defines or updates a TOTP MFA method. operationId: getSysMfaMethodTotpName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysMfaMethodTotpName description: Defines or updates a TOTP MFA method. operationId: postSysMfaMethodTotpName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysMfaMethodTotpRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysMfaMethodTotpName description: Defines or updates a TOTP MFA method. operationId: deleteSysMfaMethodTotpName parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/mfa/method/totp/{name}/admin-destroy: post: tags: - system summary: postSysMfaMethodTotpNameAdminDestroy description: Deletes the TOTP secret for the given method name on the given entity. operationId: postSysMfaMethodTotpNameAdminDestroy parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysMfaMethodTotpAdminDestroyRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/mfa/method/totp/{name}/admin-generate: post: tags: - system summary: postSysMfaMethodTotpNameAdminGenerate description: Generates a TOTP secret for the given method name on the given entity. operationId: postSysMfaMethodTotpNameAdminGenerate parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysMfaMethodTotpAdminGenerateRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/mfa/method/totp/{name}/generate: get: tags: - system summary: getSysMfaMethodTotpNameGenerate description: Generates a TOTP secret for the given method name on the entity of the calling token. operationId: getSysMfaMethodTotpNameGenerate parameters: - name: name in: path description: Name of the MFA method. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/monitor: get: tags: - system summary: getSysMonitor description: '' operationId: getSysMonitor parameters: - name: log_level in: query description: Log level to view system logs at. Currently supported values are "trace", "debug", "info", "warn", "error". style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/mounts: get: tags: - system summary: getSysMounts description: List the currently mounted backends. operationId: getSysMounts parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/mounts/{path}: post: tags: - system summary: postSysMountsPath description: Mount a new backend at a new path. operationId: postSysMountsPath parameters: - name: path in: path description: 'The path to mount to. Example: "aws/east"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysMountsRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysMountsPath description: Mount a new backend at a new path. operationId: deleteSysMountsPath parameters: - name: path in: path description: 'The path to mount to. Example: "aws/east"' required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/mounts/{path}/tune: get: tags: - system summary: getSysMountsPathTune description: Tune backend configuration parameters for this mount. operationId: getSysMountsPathTune parameters: - name: path in: path description: 'The path to mount to. Example: "aws/east"' required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysMountsPathTune description: Tune backend configuration parameters for this mount. operationId: postSysMountsPathTune parameters: - name: path in: path description: 'The path to mount to. Example: "aws/east"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysMountsTuneRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/namespaces: get: tags: - system summary: getSysNamespaces description: '' operationId: getSysNamespaces parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/namespaces/{path}: get: tags: - system summary: getSysNamespacesPath description: '' operationId: getSysNamespacesPath parameters: - name: path in: path description: Path of the namespace. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysNamespacesPath description: '' operationId: postSysNamespacesPath parameters: - name: path in: path description: Path of the namespace. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysNamespacesPath description: '' operationId: deleteSysNamespacesPath parameters: - name: path in: path description: Path of the namespace. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/plugins/catalog: get: tags: - system summary: getSysPluginsCatalog description: Lists all the plugins known to Vault operationId: getSysPluginsCatalog parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/plugins/catalog/{name}: get: tags: - system summary: getSysPluginsCatalogName description: Configures the plugins known to Vault operationId: getSysPluginsCatalogName parameters: - name: name in: path description: The name of the plugin required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysPluginsCatalogName description: Configures the plugins known to Vault operationId: postSysPluginsCatalogName parameters: - name: name in: path description: The name of the plugin required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysPluginsCatalogRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysPluginsCatalogName description: Configures the plugins known to Vault operationId: deleteSysPluginsCatalogName parameters: - name: name in: path description: The name of the plugin required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/plugins/catalog/{type}: get: tags: - system summary: getSysPluginsCatalogType description: Configures the plugins known to Vault operationId: getSysPluginsCatalogType parameters: - name: type in: path description: The type of the plugin, may be auth, secret, or database required: true style: simple schema: type: string - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/plugins/catalog/{type}/{name}: get: tags: - system summary: getSysPluginsCatalogTypeName description: Configures the plugins known to Vault operationId: getSysPluginsCatalogTypeName parameters: - name: name in: path description: The name of the plugin required: true style: simple schema: type: string - name: type in: path description: The type of the plugin, may be auth, secret, or database required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysPluginsCatalogTypeName description: Configures the plugins known to Vault operationId: postSysPluginsCatalogTypeName parameters: - name: name in: path description: The name of the plugin required: true style: simple schema: type: string - name: type in: path description: The type of the plugin, may be auth, secret, or database required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysPluginsCatalogRequest1' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysPluginsCatalogTypeName description: Configures the plugins known to Vault operationId: deleteSysPluginsCatalogTypeName parameters: - name: name in: path description: The name of the plugin required: true style: simple schema: type: string - name: type in: path description: The type of the plugin, may be auth, secret, or database required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/plugins/reload/backend: post: tags: - system summary: postSysPluginsReloadBackend description: Either the plugin name (`plugin`) or the desired plugin backend mounts (`mounts`) must be provided, but not both. In the case that the plugin name is provided, all mounted paths that use that plugin backend will be reloaded. If (`scope`) is provided and is (`global`), the plugin(s) are reloaded globally. operationId: postSysPluginsReloadBackend parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysPluginsReloadBackendRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/plugins/reload/backend/status: get: tags: - system summary: getSysPluginsReloadBackendStatus description: The reload_id returned by a cluster scoped reload must be provided. operationId: getSysPluginsReloadBackendStatus parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/policies/acl: get: tags: - system summary: getSysPoliciesAcl description: List the configured access control policies. operationId: getSysPoliciesAcl parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/policies/acl/{name}: get: tags: - system summary: getSysPoliciesAclName description: Read, Modify, or Delete an access control policy. operationId: getSysPoliciesAclName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysPoliciesAclName description: Read, Modify, or Delete an access control policy. operationId: postSysPoliciesAclName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysPoliciesAclRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysPoliciesAclName description: Read, Modify, or Delete an access control policy. operationId: deleteSysPoliciesAclName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/policies/egp: get: tags: - system summary: getSysPoliciesEgp description: List the configured access control policies. operationId: getSysPoliciesEgp parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/policies/egp/{name}: get: tags: - system summary: getSysPoliciesEgpName description: Read, Modify, or Delete an access control policy. operationId: getSysPoliciesEgpName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysPoliciesEgpName description: Read, Modify, or Delete an access control policy. operationId: postSysPoliciesEgpName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysPoliciesEgpRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysPoliciesEgpName description: Read, Modify, or Delete an access control policy. operationId: deleteSysPoliciesEgpName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/policies/password/{name}: get: tags: - system summary: getSysPoliciesPasswordName description: Read, Modify, or Delete a password policy. operationId: getSysPoliciesPasswordName parameters: - name: name in: path description: The name of the password policy. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysPoliciesPasswordName description: Read, Modify, or Delete a password policy. operationId: postSysPoliciesPasswordName parameters: - name: name in: path description: The name of the password policy. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysPoliciesPasswordRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysPoliciesPasswordName description: Read, Modify, or Delete a password policy. operationId: deleteSysPoliciesPasswordName parameters: - name: name in: path description: The name of the password policy. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/policies/password/{name}/generate: get: tags: - system summary: getSysPoliciesPasswordNameGenerate description: Generate a password from an existing password policy. operationId: getSysPoliciesPasswordNameGenerate parameters: - name: name in: path description: The name of the password policy. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/policies/rgp: get: tags: - system summary: getSysPoliciesRgp description: List the configured access control policies. operationId: getSysPoliciesRgp parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/policies/rgp/{name}: get: tags: - system summary: getSysPoliciesRgpName description: Read, Modify, or Delete an access control policy. operationId: getSysPoliciesRgpName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysPoliciesRgpName description: Read, Modify, or Delete an access control policy. operationId: postSysPoliciesRgpName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysPoliciesRgpRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysPoliciesRgpName description: Read, Modify, or Delete an access control policy. operationId: deleteSysPoliciesRgpName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/policy: get: tags: - system summary: getSysPolicy description: List the configured access control policies. operationId: getSysPolicy parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/policy/{name}: get: tags: - system summary: getSysPolicyName description: Read, Modify, or Delete an access control policy. operationId: getSysPolicyName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysPolicyName description: Read, Modify, or Delete an access control policy. operationId: postSysPolicyName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysPolicyRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysPolicyName description: Read, Modify, or Delete an access control policy. operationId: deleteSysPolicyName parameters: - name: name in: path description: 'The name of the policy. Example: "ops"' required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/pprof/: get: tags: - system summary: getSysPprof description: "Returns an HTML page listing the available \nprofiles. This should be mainly accessed via browsers or applications that can \nrender pages." operationId: getSysPprof parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/pprof/cmdline: get: tags: - system summary: getSysPprofCmdline description: Returns the running program's command line, with arguments separated by NUL bytes. operationId: getSysPprofCmdline parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/pprof/goroutine: get: tags: - system summary: getSysPprofGoroutine description: Returns stack traces of all current goroutines. operationId: getSysPprofGoroutine parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/pprof/heap: get: tags: - system summary: getSysPprofHeap description: Returns a sampling of memory allocations of live object. operationId: getSysPprofHeap parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/pprof/profile: get: tags: - system summary: getSysPprofProfile description: Returns a pprof-formatted cpu profile payload. Profiling lasts for duration specified in seconds GET parameter, or for 30 seconds if not specified. operationId: getSysPprofProfile parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/pprof/symbol: get: tags: - system summary: getSysPprofSymbol description: Returns the program counters listed in the request. operationId: getSysPprofSymbol parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/pprof/trace: get: tags: - system summary: getSysPprofTrace description: Returns the execution trace in binary form. Tracing lasts for duration specified in seconds GET parameter, or for 1 second if not specified. operationId: getSysPprofTrace parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/quotas/config: get: tags: - system summary: getSysQuotasConfig description: Create, update and read the quota configuration. operationId: getSysQuotasConfig parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysQuotasConfig description: Create, update and read the quota configuration. operationId: postSysQuotasConfig parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysQuotasConfigRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/quotas/lease-count: get: tags: - system summary: getSysQuotasLeaseCount description: Lists the names of all the lease count quotas. operationId: getSysQuotasLeaseCount parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/quotas/lease-count/{name}: get: tags: - system summary: getSysQuotasLeaseCountName description: Get, create or update lease count resource quota for an optional namespace or mount. operationId: getSysQuotasLeaseCountName parameters: - name: name in: path description: Name of the quota rule. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysQuotasLeaseCountName description: Get, create or update lease count resource quota for an optional namespace or mount. operationId: postSysQuotasLeaseCountName parameters: - name: name in: path description: Name of the quota rule. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysQuotasLeaseCountRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysQuotasLeaseCountName description: Get, create or update lease count resource quota for an optional namespace or mount. operationId: deleteSysQuotasLeaseCountName parameters: - name: name in: path description: Name of the quota rule. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/quotas/rate-limit: get: tags: - system summary: getSysQuotasRateLimit description: Lists the names of all the rate limit quotas. operationId: getSysQuotasRateLimit parameters: - name: list in: query description: Return a list if `true` style: form explode: true schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/quotas/rate-limit/{name}: get: tags: - system summary: getSysQuotasRateLimitName description: Get, create or update rate limit resource quota for an optional namespace or mount. operationId: getSysQuotasRateLimitName parameters: - name: name in: path description: Name of the quota rule. required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysQuotasRateLimitName description: Get, create or update rate limit resource quota for an optional namespace or mount. operationId: postSysQuotasRateLimitName parameters: - name: name in: path description: Name of the quota rule. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysQuotasRateLimitRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysQuotasRateLimitName description: Get, create or update rate limit resource quota for an optional namespace or mount. operationId: deleteSysQuotasRateLimitName parameters: - name: name in: path description: Name of the quota rule. required: true style: simple schema: type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/rekey/backup: get: tags: - system summary: getSysRekeyBackup description: Allows fetching or deleting the backup of the rotated unseal keys. operationId: getSysRekeyBackup parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysRekeyBackup description: Allows fetching or deleting the backup of the rotated unseal keys. operationId: deleteSysRekeyBackup parameters: [] responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/rekey/init: get: tags: - system summary: getSysRekeyInit description: '' operationId: getSysRekeyInit parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysRekeyInit description: Only a single rekey attempt can take place at a time, and changing the parameters of a rekey requires canceling and starting a new rekey, which will also provide a new nonce. operationId: postSysRekeyInit parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysRekeyInitRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysRekeyInit description: 'This clears the rekey settings as well as any progress made. This must be called to change the parameters of the rekey. Note: verification is still a part of a rekey. If rekeying is canceled during the verification flow, the current unseal keys remain valid.' operationId: deleteSysRekeyInit parameters: [] responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/rekey/recovery-key-backup: get: tags: - system summary: getSysRekeyRecoveryKeyBackup description: Allows fetching or deleting the backup of the rotated unseal keys. operationId: getSysRekeyRecoveryKeyBackup parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysRekeyRecoveryKeyBackup description: Allows fetching or deleting the backup of the rotated unseal keys. operationId: deleteSysRekeyRecoveryKeyBackup parameters: [] responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/rekey/update: post: tags: - system summary: postSysRekeyUpdate description: '' operationId: postSysRekeyUpdate parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysRekeyUpdateRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/rekey/verify: get: tags: - system summary: getSysRekeyVerify description: '' operationId: getSysRekeyVerify parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysRekeyVerify description: '' operationId: postSysRekeyVerify parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysRekeyVerifyRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysRekeyVerify description: This clears any progress made and resets the nonce. Unlike a `DELETE` against `sys/rekey/init`, this only resets the current verification operation, not the entire rekey atttempt. operationId: deleteSysRekeyVerify parameters: [] responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/remount: post: tags: - system summary: postSysRemount description: Move the mount point of an already-mounted backend. operationId: postSysRemount parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysRemountRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/renew: post: tags: - system summary: postSysRenew description: Renew a lease on a secret operationId: postSysRenew parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysRenewRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/renew/{url_lease_id}: post: tags: - system summary: postSysRenewUrl_lease_id description: Renew a lease on a secret operationId: postSysRenewUrl_lease_id parameters: - name: url_lease_id in: path description: The lease identifier to renew. This is included with a lease. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysRenewRequest1' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/primary/demote: post: tags: - system summary: postSysReplicationDrPrimaryDemote description: '' operationId: postSysReplicationDrPrimaryDemote parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/primary/disable: post: tags: - system summary: postSysReplicationDrPrimaryDisable description: '' operationId: postSysReplicationDrPrimaryDisable parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/primary/enable: post: tags: - system summary: postSysReplicationDrPrimaryEnable description: '' operationId: postSysReplicationDrPrimaryEnable parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrPrimaryEnableRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/primary/revoke-secondary: post: tags: - system summary: postSysReplicationDrPrimaryRevokeSecondary description: '' operationId: postSysReplicationDrPrimaryRevokeSecondary parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrPrimaryRevokeSecondaryRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/primary/secondary-token: post: tags: - system summary: postSysReplicationDrPrimarySecondaryToken description: '' operationId: postSysReplicationDrPrimarySecondaryToken parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrPrimarySecondaryTokenRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/secondary/disable: post: tags: - system summary: postSysReplicationDrSecondaryDisable description: '' operationId: postSysReplicationDrSecondaryDisable parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrSecondaryDisableRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/secondary/enable: post: tags: - system summary: postSysReplicationDrSecondaryEnable description: '' operationId: postSysReplicationDrSecondaryEnable parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrSecondaryEnableRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/secondary/generate-public-key: post: tags: - system summary: postSysReplicationDrSecondaryGeneratePublicKey description: '' operationId: postSysReplicationDrSecondaryGeneratePublicKey parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/secondary/license: get: tags: - system summary: getSysReplicationDrSecondaryLicense description: The path responds to the following HTTP methods. GET / Returns information on the installed license POST Sets the license for the server operationId: getSysReplicationDrSecondaryLicense parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysReplicationDrSecondaryLicense description: The path responds to the following HTTP methods. GET / Returns information on the installed license POST Sets the license for the server operationId: postSysReplicationDrSecondaryLicense parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrSecondaryLicenseRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/secondary/operation-token/delete: post: tags: - system summary: postSysReplicationDrSecondaryOperationTokenDelete description: '' operationId: postSysReplicationDrSecondaryOperationTokenDelete parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrSecondaryOperationTokenDeleteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/secondary/promote: post: tags: - system summary: postSysReplicationDrSecondaryPromote description: '' operationId: postSysReplicationDrSecondaryPromote parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrSecondaryPromoteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/secondary/recover: post: tags: - system summary: postSysReplicationDrSecondaryRecover description: '' operationId: postSysReplicationDrSecondaryRecover parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrSecondaryRecoverRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/secondary/reindex: post: tags: - system summary: postSysReplicationDrSecondaryReindex description: '' operationId: postSysReplicationDrSecondaryReindex parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrSecondaryReindexRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/secondary/update-primary: post: tags: - system summary: postSysReplicationDrSecondaryUpdatePrimary description: '' operationId: postSysReplicationDrSecondaryUpdatePrimary parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationDrSecondaryUpdatePrimaryRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/dr/status: get: tags: - system summary: getSysReplicationDrStatus description: '' operationId: getSysReplicationDrStatus parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/primary/demote: post: tags: - system summary: postSysReplicationPerformancePrimaryDemote description: '' operationId: postSysReplicationPerformancePrimaryDemote parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/primary/disable: post: tags: - system summary: postSysReplicationPerformancePrimaryDisable description: '' operationId: postSysReplicationPerformancePrimaryDisable parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/primary/dynamic-filter/{id}: get: tags: - system summary: getSysReplicationPerformancePrimaryDynamicFilterId description: '' operationId: getSysReplicationPerformancePrimaryDynamicFilterId parameters: - name: id in: path description: The opaque identifier used to identify the secondary. required: true style: simple schema: pattern: '\w([\w-.]*\w)?' type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/primary/enable: post: tags: - system summary: postSysReplicationPerformancePrimaryEnable description: '' operationId: postSysReplicationPerformancePrimaryEnable parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPerformancePrimaryEnableRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/primary/mount-filter/{id}: get: tags: - system summary: getSysReplicationPerformancePrimaryMountFilterId description: '' operationId: getSysReplicationPerformancePrimaryMountFilterId parameters: - name: id in: path description: The opaque identifier used to identify the secondary. required: true style: simple schema: pattern: '\w([\w-.]*\w)?' type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysReplicationPerformancePrimaryMountFilterId description: '' operationId: postSysReplicationPerformancePrimaryMountFilterId parameters: - name: id in: path description: The opaque identifier used to identify the secondary. required: true style: simple schema: pattern: '\w([\w-.]*\w)?' type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPerformancePrimaryMountFilterRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysReplicationPerformancePrimaryMountFilterId description: '' operationId: deleteSysReplicationPerformancePrimaryMountFilterId parameters: - name: id in: path description: The opaque identifier used to identify the secondary. required: true style: simple schema: pattern: '\w([\w-.]*\w)?' type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/replication/performance/primary/paths-filter/{id}: get: tags: - system summary: getSysReplicationPerformancePrimaryPathsFilterId description: '' operationId: getSysReplicationPerformancePrimaryPathsFilterId parameters: - name: id in: path description: The opaque identifier used to identify the secondary. required: true style: simple schema: pattern: '\w([\w-.]*\w)?' type: string responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysReplicationPerformancePrimaryPathsFilterId description: '' operationId: postSysReplicationPerformancePrimaryPathsFilterId parameters: - name: id in: path description: The opaque identifier used to identify the secondary. required: true style: simple schema: pattern: '\w([\w-.]*\w)?' type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPerformancePrimaryPathsFilterRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false delete: tags: - system summary: deleteSysReplicationPerformancePrimaryPathsFilterId description: '' operationId: deleteSysReplicationPerformancePrimaryPathsFilterId parameters: - name: id in: path description: The opaque identifier used to identify the secondary. required: true style: simple schema: pattern: '\w([\w-.]*\w)?' type: string responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/replication/performance/primary/revoke-secondary: post: tags: - system summary: postSysReplicationPerformancePrimaryRevokeSecondary description: '' operationId: postSysReplicationPerformancePrimaryRevokeSecondary parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPerformancePrimaryRevokeSecondaryRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/primary/secondary-token: post: tags: - system summary: postSysReplicationPerformancePrimarySecondaryToken description: '' operationId: postSysReplicationPerformancePrimarySecondaryToken parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPerformancePrimarySecondaryTokenRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/secondary/disable: post: tags: - system summary: postSysReplicationPerformanceSecondaryDisable description: '' operationId: postSysReplicationPerformanceSecondaryDisable parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/secondary/dynamic-filter/{id}: get: tags: - system summary: getSysReplicationPerformanceSecondaryDynamicFilterId description: '' operationId: getSysReplicationPerformanceSecondaryDynamicFilterId parameters: - name: id in: path description: The opaque identifier used to identify the secondary. required: true style: simple schema: pattern: '\w([\w-.]*\w)?' type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/secondary/enable: post: tags: - system summary: postSysReplicationPerformanceSecondaryEnable description: '' operationId: postSysReplicationPerformanceSecondaryEnable parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPerformanceSecondaryEnableRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/secondary/generate-public-key: post: tags: - system summary: postSysReplicationPerformanceSecondaryGeneratePublicKey description: '' operationId: postSysReplicationPerformanceSecondaryGeneratePublicKey parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/secondary/promote: post: tags: - system summary: postSysReplicationPerformanceSecondaryPromote description: '' operationId: postSysReplicationPerformanceSecondaryPromote parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPerformanceSecondaryPromoteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/secondary/update-primary: post: tags: - system summary: postSysReplicationPerformanceSecondaryUpdatePrimary description: '' operationId: postSysReplicationPerformanceSecondaryUpdatePrimary parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPerformanceSecondaryUpdatePrimaryRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/performance/status: get: tags: - system summary: getSysReplicationPerformanceStatus description: '' operationId: getSysReplicationPerformanceStatus parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/primary/demote: post: tags: - system summary: postSysReplicationPrimaryDemote description: '' operationId: postSysReplicationPrimaryDemote parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/primary/disable: post: tags: - system summary: postSysReplicationPrimaryDisable description: '' operationId: postSysReplicationPrimaryDisable parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/primary/enable: post: tags: - system summary: postSysReplicationPrimaryEnable description: '' operationId: postSysReplicationPrimaryEnable parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPrimaryEnableRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/primary/revoke-secondary: post: tags: - system summary: postSysReplicationPrimaryRevokeSecondary description: '' operationId: postSysReplicationPrimaryRevokeSecondary parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPrimaryRevokeSecondaryRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/primary/secondary-token: post: tags: - system summary: postSysReplicationPrimarySecondaryToken description: '' operationId: postSysReplicationPrimarySecondaryToken parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationPrimarySecondaryTokenRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/recover: post: tags: - system summary: postSysReplicationRecover description: '' operationId: postSysReplicationRecover parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/reindex: post: tags: - system summary: postSysReplicationReindex description: '' operationId: postSysReplicationReindex parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationReindexRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/secondary/disable: post: tags: - system summary: postSysReplicationSecondaryDisable description: '' operationId: postSysReplicationSecondaryDisable parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/secondary/enable: post: tags: - system summary: postSysReplicationSecondaryEnable description: '' operationId: postSysReplicationSecondaryEnable parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationSecondaryEnableRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/secondary/promote: post: tags: - system summary: postSysReplicationSecondaryPromote description: '' operationId: postSysReplicationSecondaryPromote parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationSecondaryPromoteRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/secondary/update-primary: post: tags: - system summary: postSysReplicationSecondaryUpdatePrimary description: '' operationId: postSysReplicationSecondaryUpdatePrimary parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysReplicationSecondaryUpdatePrimaryRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/replication/status: get: tags: - system summary: getSysReplicationStatus description: '' operationId: getSysReplicationStatus parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/revoke: post: tags: - system summary: postSysRevoke description: Revoke a leased secret immediately operationId: postSysRevoke parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysRevokeRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/revoke-force/{prefix}: post: tags: - system summary: postSysRevokeForcePrefix description: >- Unlike `/sys/leases/revoke-prefix`, this path ignores backend errors encountered during revocation. This is potentially very dangerous and should only be used in specific emergency situations where errors in the backend or the connected backend service prevent normal revocation. By ignoring these errors, Vault abdicates responsibility for ensuring that the issued credentials or secrets are properly revoked and/or cleaned up. Access to this endpoint should be tightly controlled. operationId: postSysRevokeForcePrefix parameters: - name: prefix in: path description: 'The path to revoke keys under. Example: "prod/aws/ops"' required: true style: simple schema: type: string responses: '200': description: OK headers: {} content: {} deprecated: false /sys/revoke-prefix/{prefix}: post: tags: - system summary: postSysRevokePrefixPrefix description: Revoke all secrets generated in a given prefix operationId: postSysRevokePrefixPrefix parameters: - name: prefix in: path description: 'The path to revoke keys under. Example: "prod/aws/ops"' required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysRevokePrefixRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/revoke/{url_lease_id}: post: tags: - system summary: postSysRevokeUrl_lease_id description: Revoke a leased secret immediately operationId: postSysRevokeUrl_lease_id parameters: - name: url_lease_id in: path description: The lease identifier to renew. This is included with a lease. required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysRevokeRequest1' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/rotate: post: tags: - system summary: postSysRotate description: Rotates the backend encryption key used to persist data. operationId: postSysRotate parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/seal: post: tags: - system summary: postSysSeal description: Seals the Vault. operationId: postSysSeal parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/seal-status: get: tags: - system summary: getSysSealStatus description: Returns the seal status of the Vault. operationId: getSysSealStatus parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/sealwrap/rewrap: get: tags: - system summary: getSysSealwrapRewrap description: Rewrap all seal wrapped items with the latest seal key operationId: getSysSealwrapRewrap parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysSealwrapRewrap description: Rewrap all seal wrapped items with the latest seal key operationId: postSysSealwrapRewrap parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/step-down: post: tags: - system summary: postSysStepDown description: This endpoint forces the node to give up active status. If the node does not have active status, this endpoint does nothing. Note that the node will sleep for ten seconds before attempting to grab the active lock again, but if no standby nodes grab the active lock in the interim, the same node may become the active node again. operationId: postSysStepDown parameters: [] responses: '204': description: empty body headers: {} content: {} deprecated: false /sys/storage/raft/bootstrap/answer: post: tags: - system summary: postSysStorageRaftBootstrapAnswer description: Accepts an answer from the peer to be joined to the fact cluster. operationId: postSysStorageRaftBootstrapAnswer parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysStorageRaftBootstrapAnswerRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/storage/raft/bootstrap/challenge: post: tags: - system summary: postSysStorageRaftBootstrapChallenge description: Creates a challenge for the new peer to be joined to the raft cluster. operationId: postSysStorageRaftBootstrapChallenge parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysStorageRaftBootstrapChallengeRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/storage/raft/configuration: get: tags: - system summary: getSysStorageRaftConfiguration description: Returns the raft cluster configuration. operationId: getSysStorageRaftConfiguration parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/storage/raft/remove-peer: post: tags: - system summary: postSysStorageRaftRemovePeer description: Removes a peer from the raft cluster. operationId: postSysStorageRaftRemovePeer parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysStorageRaftRemovePeerRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/storage/raft/snapshot: get: tags: - system summary: getSysStorageRaftSnapshot description: Restores and saves snapshots from the raft cluster. operationId: getSysStorageRaftSnapshot parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysStorageRaftSnapshot description: Restores and saves snapshots from the raft cluster. operationId: postSysStorageRaftSnapshot parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/storage/raft/snapshot-force: post: tags: - system summary: postSysStorageRaftSnapshotForce description: Force restore a raft cluster snapshot operationId: postSysStorageRaftSnapshotForce parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false /sys/tools/hash: post: tags: - system summary: postSysToolsHash description: Generate a hash sum for input data operationId: postSysToolsHash parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysToolsHashRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/tools/hash/{urlalgorithm}: post: tags: - system summary: postSysToolsHashUrlalgorithm description: Generate a hash sum for input data operationId: postSysToolsHashUrlalgorithm parameters: - name: urlalgorithm in: path description: Algorithm to use (POST URL parameter) required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysToolsHashRequest1' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/tools/random: post: tags: - system summary: postSysToolsRandom description: Generate random bytes operationId: postSysToolsRandom parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysToolsRandomRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/tools/random/{urlbytes}: post: tags: - system summary: postSysToolsRandomUrlbytes description: Generate random bytes operationId: postSysToolsRandomUrlbytes parameters: - name: urlbytes in: path description: The number of bytes to generate (POST URL parameter) required: true style: simple schema: type: string requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysToolsRandomRequest1' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/unseal: post: tags: - system summary: postSysUnseal description: Unseals the Vault. operationId: postSysUnseal parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysUnsealRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/wrapping/lookup: get: tags: - system summary: getSysWrappingLookup description: Looks up the properties of a response-wrapped token. operationId: getSysWrappingLookup parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false post: tags: - system summary: postSysWrappingLookup description: Looks up the properties of a response-wrapped token. operationId: postSysWrappingLookup parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysWrappingLookupRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/wrapping/rewrap: post: tags: - system summary: postSysWrappingRewrap description: Rotates a response-wrapped token. operationId: postSysWrappingRewrap parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysWrappingRewrapRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/wrapping/unwrap: post: tags: - system summary: postSysWrappingUnwrap description: Unwraps a response-wrapped token. operationId: postSysWrappingUnwrap parameters: [] requestBody: description: '' content: application/json: schema: $ref: '#/components/schemas/SysWrappingUnwrapRequest' required: false responses: '200': description: OK headers: {} content: {} deprecated: false /sys/wrapping/wrap: post: tags: - system summary: postSysWrappingWrap description: Response-wraps an arbitrary JSON object. operationId: postSysWrappingWrap parameters: [] responses: '200': description: OK headers: {} content: {} deprecated: false components: schemas: SkywalkerKvConfigRequest: title: SkywalkerKvConfigRequest type: object properties: cas_required: type: boolean description: If true, the backend will require the cas parameter to be set for each write delete_version_after: type: integer description: If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string. format: int32 max_versions: type: integer description: The number of versions to keep for each key. Defaults to 10 format: int32 SkywalkerKvDataRequest: title: SkywalkerKvDataRequest type: object properties: data: type: object description: The contents of the data map will be stored and returned on read. options: type: object description: Options for writing a KV entry. Set the "cas" value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter. version: type: integer description: If provided during a read, the value at the version number will be returned format: int32 SkywalkerKvDeleteRequest: title: SkywalkerKvDeleteRequest type: object properties: versions: type: array items: type: integer format: int32 description: The versions to be archived. The versioned data will not be deleted, but it will no longer be returned in normal get requests. SkywalkerKvDestroyRequest: title: SkywalkerKvDestroyRequest type: object properties: versions: type: array items: type: integer format: int32 description: The versions to destroy. Their data will be permanently deleted. SkywalkerKvMetadataRequest: title: SkywalkerKvMetadataRequest type: object properties: cas_required: type: boolean description: If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used. delete_version_after: type: integer description: The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error. format: int32 max_versions: type: integer description: The number of versions to keep. If not set, the backend’s configured max version is used. format: int32 SkywalkerKvUndeleteRequest: title: SkywalkerKvUndeleteRequest type: object properties: versions: type: array items: type: integer format: int32 description: The versions to unarchive. The versions will be restored and their data will be returned on normal get requests. AuthApproleLoginRequest: title: AuthApproleLoginRequest type: object properties: role_id: type: string description: Unique identifier of the Role. Required to be supplied when the 'bind_secret_id' constraint is set. secret_id: type: string description: SecretID belong to the App role AuthApproleRoleRequest: title: AuthApproleRoleRequest type: object properties: bind_secret_id: type: boolean description: Impose secret_id to be presented when logging in using this role. Defaults to 'true'. default: true bound_cidr_list: type: array items: type: string description: Use "secret_id_bound_cidrs" instead. deprecated: true local_secret_ids: type: boolean description: If set, the secret IDs generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later. period: type: integer description: Use "token_period" instead. If this and "token_period" are both specified, only "token_period" will be used. format: int32 deprecated: true policies: type: array items: type: string description: Use "token_policies" instead. If this and "token_policies" are both specified, only "token_policies" will be used. deprecated: true role_id: type: string description: Identifier of the role. Defaults to a UUID. secret_id_bound_cidrs: type: array items: type: string description: Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation. secret_id_num_uses: type: integer description: Number of times a SecretID can access the role, after which the SecretID will expire. Defaults to 0 meaning that the the secret_id is of unlimited use. format: int32 secret_id_ttl: type: integer description: Duration in seconds after which the issued SecretID should expire. Defaults to 0, meaning no expiration. format: int32 token_bound_cidrs: type: array items: type: string description: Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token. token_explicit_max_ttl: type: integer description: If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed. format: int32 token_max_ttl: type: integer description: The maximum lifetime of the generated token format: int32 token_no_default_policy: type: boolean description: If true, the 'default' policy will not automatically be added to generated tokens token_num_uses: type: integer description: The maximum number of times a token may be used, a value of zero means unlimited format: int32 token_period: type: integer description: If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h"). format: int32 token_policies: type: array items: type: string description: Comma-separated list of policies token_ttl: type: integer description: The initial ttl of the token to generate format: int32 token_type: type: string description: The type of token to generate, service or batch default: default-service AuthApproleRoleBindSecretIdRequest: title: AuthApproleRoleBindSecretIdRequest type: object properties: bind_secret_id: type: boolean description: Impose secret_id to be presented when logging in using this role. default: true AuthApproleRoleBoundCidrListRequest: title: AuthApproleRoleBoundCidrListRequest type: object properties: bound_cidr_list: type: array items: type: string description: 'Deprecated: Please use "secret_id_bound_cidrs" instead. Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation.' AuthApproleRoleCustomSecretIdRequest: title: AuthApproleRoleCustomSecretIdRequest type: object properties: cidr_list: type: array items: type: string description: Comma separated string or list of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role. metadata: type: string description: Metadata to be tied to the SecretID. This should be a JSON formatted string containing metadata in key value pairs. secret_id: type: string description: SecretID to be attached to the role. token_bound_cidrs: type: array items: type: string description: Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can use the returned token. Should be a subset of the token CIDR blocks listed on the role, if any. AuthApproleRolePeriodRequest: title: AuthApproleRolePeriodRequest type: object properties: period: type: integer description: Use "token_period" instead. If this and "token_period" are both specified, only "token_period" will be used. format: int32 deprecated: true token_period: type: integer description: If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h"). format: int32 AuthApproleRolePoliciesRequest: title: AuthApproleRolePoliciesRequest type: object properties: policies: type: array items: type: string description: Use "token_policies" instead. If this and "token_policies" are both specified, only "token_policies" will be used. deprecated: true token_policies: type: array items: type: string description: Comma-separated list of policies AuthApproleRoleRoleIdRequest: title: AuthApproleRoleRoleIdRequest type: object properties: role_id: type: string description: Identifier of the role. Defaults to a UUID. AuthApproleRoleSecretIdRequest: title: AuthApproleRoleSecretIdRequest type: object properties: cidr_list: type: array items: type: string description: Comma separated string or list of CIDR blocks enforcing secret IDs to be used from specific set of IP addresses. If 'bound_cidr_list' is set on the role, then the list of CIDR blocks listed here should be a subset of the CIDR blocks listed on the role. metadata: type: string description: Metadata to be tied to the SecretID. This should be a JSON formatted string containing the metadata in key value pairs. token_bound_cidrs: type: array items: type: string description: Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token. AuthApproleRoleSecretIdAccessorDestroyRequest: title: AuthApproleRoleSecretIdAccessorDestroyRequest type: object properties: secret_id_accessor: type: string description: Accessor of the SecretID AuthApproleRoleSecretIdAccessorLookupRequest: title: AuthApproleRoleSecretIdAccessorLookupRequest type: object properties: secret_id_accessor: type: string description: Accessor of the SecretID AuthApproleRoleSecretIdBoundCidrsRequest: title: AuthApproleRoleSecretIdBoundCidrsRequest type: object properties: secret_id_bound_cidrs: type: array items: type: string description: Comma separated string or list of CIDR blocks. If set, specifies the blocks of IP addresses which can perform the login operation. AuthApproleRoleSecretIdNumUsesRequest: title: AuthApproleRoleSecretIdNumUsesRequest type: object properties: secret_id_num_uses: type: integer description: Number of times a SecretID can access the role, after which the SecretID will expire. format: int32 AuthApproleRoleSecretIdTtlRequest: title: AuthApproleRoleSecretIdTtlRequest type: object properties: secret_id_ttl: type: integer description: Duration in seconds after which the issued SecretID should expire. Defaults to 0, meaning no expiration. format: int32 AuthApproleRoleSecretIdDestroyRequest: title: AuthApproleRoleSecretIdDestroyRequest type: object properties: secret_id: type: string description: SecretID attached to the role. AuthApproleRoleSecretIdLookupRequest: title: AuthApproleRoleSecretIdLookupRequest type: object properties: secret_id: type: string description: SecretID attached to the role. AuthApproleRoleTokenBoundCidrsRequest: title: AuthApproleRoleTokenBoundCidrsRequest type: object properties: token_bound_cidrs: type: array items: type: string description: Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token. AuthApproleRoleTokenMaxTtlRequest: title: AuthApproleRoleTokenMaxTtlRequest type: object properties: token_max_ttl: type: integer description: The maximum lifetime of the generated token format: int32 AuthApproleRoleTokenNumUsesRequest: title: AuthApproleRoleTokenNumUsesRequest type: object properties: token_num_uses: type: integer description: The maximum number of times a token may be used, a value of zero means unlimited format: int32 AuthApproleRoleTokenTtlRequest: title: AuthApproleRoleTokenTtlRequest type: object properties: token_ttl: type: integer description: The initial ttl of the token to generate format: int32 AuthLdapConfigRequest: title: AuthLdapConfigRequest type: object properties: anonymous_group_search: type: boolean description: Use anonymous binds when performing LDAP group searches (if true the initial credentials will still be used for the initial connection test). default: false binddn: type: string description: LDAP DN for searching for the user DN (optional) bindpass: type: string description: LDAP password for searching for the user DN (optional) case_sensitive_names: type: boolean description: If true, case sensitivity will be used when comparing usernames and groups for matching policies. certificate: type: string description: CA certificate to use when verifying LDAP server certificate, must be x509 PEM encoded (optional) client_tls_cert: type: string description: Client certificate to provide to the LDAP server, must be x509 PEM encoded (optional) client_tls_key: type: string description: Client certificate key to provide to the LDAP server, must be x509 PEM encoded (optional) deny_null_bind: type: boolean description: Denies an unauthenticated LDAP bind request if the user's password is empty; defaults to true default: true discoverdn: type: boolean description: Use anonymous bind to discover the bind DN of a user (optional) groupattr: type: string description: 'LDAP attribute to follow on objects returned by in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn' default: cn groupdn: type: string description: 'LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)' groupfilter: type: string description: 'Go template for querying group membership of user (optional) The template can access the following context variables: UserDN, Username Example: (&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}})) Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))' default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}})) insecure_tls: type: boolean description: Skip LDAP server SSL Certificate verification - VERY insecure (optional) request_timeout: type: integer description: Timeout, in seconds, for the connection when making requests against the server before returning back an error. format: int32 starttls: type: boolean description: Issue a StartTLS command after establishing unencrypted connection (optional) tls_max_version: allOf: - $ref: '#/components/schemas/TlsMaxVersion' - description: Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' tls_min_version: allOf: - $ref: '#/components/schemas/TlsMinVersion' - description: Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' token_bound_cidrs: type: array items: type: string description: Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token. token_explicit_max_ttl: type: integer description: If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed. format: int32 token_max_ttl: type: integer description: The maximum lifetime of the generated token format: int32 token_no_default_policy: type: boolean description: If true, the 'default' policy will not automatically be added to generated tokens token_num_uses: type: integer description: The maximum number of times a token may be used, a value of zero means unlimited format: int32 token_period: type: integer description: If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h"). format: int32 token_policies: type: array items: type: string description: Comma-separated list of policies. This will apply to all tokens generated by this auth method, in addition to any configured for specific users/groups. token_ttl: type: integer description: The initial ttl of the token to generate format: int32 token_type: type: string description: The type of token to generate, service or batch default: default-service upndomain: type: string description: Enables userPrincipalDomain login with [username]@UPNDomain (optional) url: type: string description: 'LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.' default: ldap://127.0.0.1 use_pre111_group_cn_behavior: type: boolean description: In Vault 1.1.1 a fix for handling group CN values of different cases unfortunately introduced a regression that could cause previously defined groups to not be found due to a change in the resulting name. If set true, the pre-1.1.1 behavior for matching group CNs will be used. This is only needed in some upgrade scenarios for backwards compatibility. It is enabled by default if the config is upgraded but disabled by default on new configurations. use_token_groups: type: boolean description: If true, use the Active Directory tokenGroups constructed attribute of the user to find the group memberships. This will find all security groups including nested ones. default: false userattr: type: string description: 'Attribute used for users (default: cn)' default: cn userdn: type: string description: 'LDAP domain to use for users (eg: ou=People,dc=example,dc=org)' TlsMaxVersion: title: TlsMaxVersion enum: - tls10 - tls11 - tls12 - tls13 type: string description: Maximum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' TlsMinVersion: title: TlsMinVersion enum: - tls10 - tls11 - tls12 - tls13 type: string description: Minimum TLS version to use. Accepted values are 'tls10', 'tls11', 'tls12' or 'tls13'. Defaults to 'tls12' AuthLdapDuoAccessRequest: title: AuthLdapDuoAccessRequest type: object properties: host: type: string description: Duo api host ikey: type: string description: Duo integration key skey: type: string description: Duo secret key AuthLdapDuoConfigRequest: title: AuthLdapDuoConfigRequest type: object properties: push_info: type: string description: A string of URL-encoded key/value pairs that provides additional context about the authentication attempt in the Duo Mobile app user_agent: type: string description: User agent to connect to Duo (default "") username_format: type: string description: Format string given auth method username as argument to create Duo username (default '%s') AuthLdapGroupsRequest: title: AuthLdapGroupsRequest type: object properties: policies: type: array items: type: string description: Comma-separated list of policies associated to the group. AuthLdapLoginRequest: title: AuthLdapLoginRequest type: object properties: method: type: string description: Multi-factor auth method to use (optional) passcode: type: string description: One time passcode (optional) password: type: string description: Password for this user. AuthLdapMfaConfigRequest: title: AuthLdapMfaConfigRequest type: object properties: type: type: string description: 'Enables MFA with given backend (available: duo)' AuthLdapUsersRequest: title: AuthLdapUsersRequest type: object properties: groups: type: array items: type: string description: Comma-separated list of additional groups associated with the user. policies: type: array items: type: string description: Comma-separated list of policies associated with the user. AuthRancherConfigRequest: title: AuthRancherConfigRequest type: object properties: disable_iss_validation: type: boolean description: Disable JWT issuer validation. Allows to skip ISS validation. default: false issuer: type: string description: Optional JWT issuer. If no issuer is specified, then this plugin will use kubernetes.io/serviceaccount as the default issuer. kubernetes_ca_cert: type: string description: PEM encoded CA cert for use by the TLS client used to talk with the API. kubernetes_host: type: string description: Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server. pem_keys: type: array items: type: string description: Optional list of PEM-formated public keys or certificates used to verify the signatures of kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kuberentes exposes these keys. token_reviewer_jwt: type: string description: A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API. AuthRancherLoginRequest: title: AuthRancherLoginRequest type: object properties: jwt: type: string description: A signed JWT for authenticating a service account. This field is required. role: type: string description: Name of the role against which the login is being attempted. This field is required AuthRancherRoleRequest: title: AuthRancherRoleRequest type: object properties: audience: type: string description: Optional Audience claim to verify in the jwt. bound_cidrs: type: array items: type: string description: Use "token_bound_cidrs" instead. If this and "token_bound_cidrs" are both specified, only "token_bound_cidrs" will be used. deprecated: true bound_service_account_names: type: array items: type: string description: List of service account names able to access this role. If set to "*" all names are allowed. bound_service_account_namespaces: type: array items: type: string description: List of namespaces allowed to access this role. If set to "*" all namespaces are allowed. max_ttl: type: integer description: Use "token_max_ttl" instead. If this and "token_max_ttl" are both specified, only "token_max_ttl" will be used. format: int32 deprecated: true num_uses: type: integer description: Use "token_num_uses" instead. If this and "token_num_uses" are both specified, only "token_num_uses" will be used. format: int32 deprecated: true period: type: integer description: Use "token_period" instead. If this and "token_period" are both specified, only "token_period" will be used. format: int32 deprecated: true policies: type: array items: type: string description: Use "token_policies" instead. If this and "token_policies" are both specified, only "token_policies" will be used. deprecated: true token_bound_cidrs: type: array items: type: string description: Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token. token_explicit_max_ttl: type: integer description: If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed. format: int32 token_max_ttl: type: integer description: The maximum lifetime of the generated token format: int32 token_no_default_policy: type: boolean description: If true, the 'default' policy will not automatically be added to generated tokens token_num_uses: type: integer description: The maximum number of times a token may be used, a value of zero means unlimited format: int32 token_period: type: integer description: If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h"). format: int32 token_policies: type: array items: type: string description: Comma-separated list of policies token_ttl: type: integer description: The initial ttl of the token to generate format: int32 token_type: type: string description: The type of token to generate, service or batch default: default-service ttl: type: integer description: Use "token_ttl" instead. If this and "token_ttl" are both specified, only "token_ttl" will be used. format: int32 deprecated: true AuthTokenLookupRequest: title: AuthTokenLookupRequest type: object properties: token: type: string description: Token to lookup (POST request body) AuthTokenLookupAccessorRequest: title: AuthTokenLookupAccessorRequest type: object properties: accessor: type: string description: Accessor of the token to look up (request body) AuthTokenLookupSelfRequest: title: AuthTokenLookupSelfRequest type: object properties: token: type: string description: Token to look up (unused, does not need to be set) AuthTokenRenewRequest: title: AuthTokenRenewRequest type: object properties: increment: type: integer description: The desired increment in seconds to the token expiration format: int32 default: 0 token: type: string description: Token to renew (request body) AuthTokenRenewAccessorRequest: title: AuthTokenRenewAccessorRequest type: object properties: accessor: type: string description: Accessor of the token to renew (request body) increment: type: integer description: The desired increment in seconds to the token expiration format: int32 default: 0 AuthTokenRenewSelfRequest: title: AuthTokenRenewSelfRequest type: object properties: increment: type: integer description: The desired increment in seconds to the token expiration format: int32 default: 0 token: type: string description: Token to renew (unused, does not need to be set) AuthTokenRevokeRequest: title: AuthTokenRevokeRequest type: object properties: token: type: string description: Token to revoke (request body) AuthTokenRevokeAccessorRequest: title: AuthTokenRevokeAccessorRequest type: object properties: accessor: type: string description: Accessor of the token (request body) AuthTokenRevokeOrphanRequest: title: AuthTokenRevokeOrphanRequest type: object properties: token: type: string description: Token to revoke (request body) AuthTokenRolesRequest: title: AuthTokenRolesRequest type: object properties: allowed_entity_aliases: type: array items: type: string description: String or JSON list of allowed entity aliases. If set, specifies the entity aliases which are allowed to be used during token generation. This field supports globbing. allowed_policies: type: array items: type: string description: If set, tokens can be created with any subset of the policies in this list, rather than the normal semantics of tokens being a subset of the calling token's policies. The parameter is a comma-delimited string of policy names. bound_cidrs: type: array items: type: string description: Use 'token_bound_cidrs' instead. deprecated: true disallowed_policies: type: array items: type: string description: If set, successful token creation via this role will require that no policies in the given list are requested. The parameter is a comma-delimited string of policy names. explicit_max_ttl: type: integer description: Use 'token_explicit_max_ttl' instead. format: int32 deprecated: true orphan: type: boolean description: If true, tokens created via this role will be orphan tokens (have no parent) path_suffix: type: string description: If set, tokens created via this role will contain the given suffix as a part of their path. This can be used to assist use of the 'revoke-prefix' endpoint later on. The given suffix must match the regular expression.\w[\w-.]+\w period: type: integer description: Use 'token_period' instead. format: int32 deprecated: true renewable: type: boolean description: Tokens created via this role will be renewable or not according to this value. Defaults to "true". default: true token_bound_cidrs: type: array items: type: string description: Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token. token_explicit_max_ttl: type: integer description: If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed. format: int32 token_no_default_policy: type: boolean description: If true, the 'default' policy will not automatically be added to generated tokens token_num_uses: type: integer description: The maximum number of times a token may be used, a value of zero means unlimited format: int32 token_period: type: integer description: If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value. This takes an integer number of seconds, or a string duration (e.g. "24h"). format: int32 token_type: type: string description: The type of token to generate, service or batch default: default-service IdentityAliasRequest: title: IdentityAliasRequest type: object properties: canonical_id: type: string description: Entity ID to which this alias belongs to entity_id: type: string description: Entity ID to which this alias belongs to. This field is deprecated in favor of 'canonical_id'. id: type: string description: ID of the alias mount_accessor: type: string description: Mount accessor to which this alias belongs to name: type: string description: Name of the alias IdentityAliasIdRequest: title: IdentityAliasIdRequest type: object properties: canonical_id: type: string description: Entity ID to which this alias should be tied to entity_id: type: string description: Entity ID to which this alias should be tied to. This field is deprecated in favor of 'canonical_id'. mount_accessor: type: string description: Mount accessor to which this alias belongs to name: type: string description: Name of the alias IdentityEntityRequest: title: IdentityEntityRequest type: object properties: disabled: type: boolean description: If set true, tokens tied to this identity will not be able to be used (but will not be revoked). id: type: string description: ID of the entity. If set, updates the corresponding existing entity. metadata: type: object description: 'Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' name: type: string description: Name of the entity policies: type: array items: type: string description: Policies to be tied to the entity. IdentityEntityAliasRequest: title: IdentityEntityAliasRequest type: object properties: canonical_id: type: string description: Entity ID to which this alias belongs entity_id: type: string description: Entity ID to which this alias belongs. This field is deprecated, use canonical_id. id: type: string description: ID of the entity alias. If set, updates the corresponding entity alias. mount_accessor: type: string description: Mount accessor to which this alias belongs to; unused for a modify name: type: string description: Name of the alias; unused for a modify IdentityEntityAliasIdRequest: title: IdentityEntityAliasIdRequest type: object properties: canonical_id: type: string description: Entity ID to which this alias should be tied to entity_id: type: string description: Entity ID to which this alias belongs to. This field is deprecated, use canonical_id. mount_accessor: type: string description: (Unused) name: type: string description: (Unused) IdentityEntityBatchDeleteRequest: title: IdentityEntityBatchDeleteRequest type: object properties: entity_ids: type: array items: type: string description: Entity IDs to delete IdentityEntityIdRequest: title: IdentityEntityIdRequest type: object properties: disabled: type: boolean description: If set true, tokens tied to this identity will not be able to be used (but will not be revoked). metadata: type: object description: 'Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' name: type: string description: Name of the entity policies: type: array items: type: string description: Policies to be tied to the entity. IdentityEntityMergeRequest: title: IdentityEntityMergeRequest type: object properties: force: type: boolean description: Setting this will follow the 'mine' strategy for merging MFA secrets. If there are secrets of the same type both in entities that are merged from and in entity into which all others are getting merged, secrets in the destination will be unaltered. If not set, this API will throw an error containing all the conflicts. from_entity_ids: type: array items: type: string description: Entity IDs which needs to get merged to_entity_id: type: string description: Entity ID into which all the other entities need to get merged IdentityEntityNameRequest: title: IdentityEntityNameRequest type: object properties: disabled: type: boolean description: If set true, tokens tied to this identity will not be able to be used (but will not be revoked). id: type: string description: ID of the entity. If set, updates the corresponding existing entity. metadata: type: object description: 'Metadata to be associated with the entity. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' policies: type: array items: type: string description: Policies to be tied to the entity. IdentityGroupRequest: title: IdentityGroupRequest type: object properties: id: type: string description: ID of the group. If set, updates the corresponding existing group. member_entity_ids: type: array items: type: string description: Entity IDs to be assigned as group members. member_group_ids: type: array items: type: string description: Group IDs to be assigned as group members. metadata: type: object description: 'Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' name: type: string description: Name of the group. policies: type: array items: type: string description: Policies to be tied to the group. type: type: string description: Type of the group, 'internal' or 'external'. Defaults to 'internal' IdentityGroupAliasRequest: title: IdentityGroupAliasRequest type: object properties: canonical_id: type: string description: ID of the group to which this is an alias. id: type: string description: ID of the group alias. mount_accessor: type: string description: Mount accessor to which this alias belongs to. name: type: string description: Alias of the group. IdentityGroupAliasIdRequest: title: IdentityGroupAliasIdRequest type: object properties: canonical_id: type: string description: ID of the group to which this is an alias. mount_accessor: type: string description: Mount accessor to which this alias belongs to. name: type: string description: Alias of the group. IdentityGroupIdRequest: title: IdentityGroupIdRequest type: object properties: member_entity_ids: type: array items: type: string description: Entity IDs to be assigned as group members. member_group_ids: type: array items: type: string description: Group IDs to be assigned as group members. metadata: type: object description: 'Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' name: type: string description: Name of the group. policies: type: array items: type: string description: Policies to be tied to the group. type: type: string description: Type of the group, 'internal' or 'external'. Defaults to 'internal' IdentityGroupNameRequest: title: IdentityGroupNameRequest type: object properties: id: type: string description: ID of the group. If set, updates the corresponding existing group. member_entity_ids: type: array items: type: string description: Entity IDs to be assigned as group members. member_group_ids: type: array items: type: string description: Group IDs to be assigned as group members. metadata: type: object description: 'Metadata to be associated with the group. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' policies: type: array items: type: string description: Policies to be tied to the group. type: type: string description: Type of the group, 'internal' or 'external'. Defaults to 'internal' IdentityLookupEntityRequest: title: IdentityLookupEntityRequest type: object properties: alias_id: type: string description: ID of the alias. alias_mount_accessor: type: string description: Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'. alias_name: type: string description: Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'. id: type: string description: ID of the entity. name: type: string description: Name of the entity. IdentityLookupGroupRequest: title: IdentityLookupGroupRequest type: object properties: alias_id: type: string description: ID of the alias. alias_mount_accessor: type: string description: Accessor of the mount to which the alias belongs to. This should be supplied in conjunction with 'alias_name'. alias_name: type: string description: Name of the alias. This should be supplied in conjunction with 'alias_mount_accessor'. id: type: string description: ID of the group. name: type: string description: Name of the group. IdentityOidcConfigRequest: title: IdentityOidcConfigRequest type: object properties: issuer: type: string description: Issuer URL to be used in the iss claim of the token. If not set, Vault's app_addr will be used. IdentityOidcIntrospectRequest: title: IdentityOidcIntrospectRequest type: object properties: client_id: type: string description: Optional client_id to verify token: type: string description: Token to verify IdentityOidcKeyRequest: title: IdentityOidcKeyRequest type: object properties: algorithm: type: string description: Signing algorithm to use. This will default to RS256. default: RS256 allowed_client_ids: type: array items: type: string description: Comma separated string or array of role client ids allowed to use this key for signing. If empty no roles are allowed. If "*" all roles are allowed. rotation_period: type: integer description: How often to generate a new keypair. format: int32 verification_ttl: type: integer description: Controls how long the public portion of a key will be available for verification after being rotated. format: int32 IdentityOidcKeyRotateRequest: title: IdentityOidcKeyRotateRequest type: object properties: verification_ttl: type: integer description: Controls how long the public portion of a key will be available for verification after being rotated. Setting verification_ttl here will override the verification_ttl set on the key. format: int32 IdentityOidcRoleRequest: title: IdentityOidcRoleRequest type: object properties: client_id: type: string description: Optional client_id key: type: string description: The OIDC key to use for generating tokens. The specified key must already exist. template: type: string description: The template string to use for generating tokens. This may be in string-ified JSON or base64 format. ttl: type: integer description: TTL of the tokens generated against the role. format: int32 IdentityPersonaRequest: title: IdentityPersonaRequest type: object properties: entity_id: type: string description: Entity ID to which this persona belongs to id: type: string description: ID of the persona metadata: type: object description: 'Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' mount_accessor: type: string description: Mount accessor to which this persona belongs to name: type: string description: Name of the persona IdentityPersonaIdRequest: title: IdentityPersonaIdRequest type: object properties: entity_id: type: string description: Entity ID to which this persona should be tied to metadata: type: object description: 'Metadata to be associated with the persona. In CLI, this parameter can be repeated multiple times, and it all gets merged together. For example: vault metadata=key1=value1 metadata=key2=value2' mount_accessor: type: string description: Mount accessor to which this persona belongs to name: type: string description: Name of the persona JediUsersConfigRequest: title: JediUsersConfigRequest type: object properties: cas_required: type: boolean description: If true, the backend will require the cas parameter to be set for each write delete_version_after: type: integer description: If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string. format: int32 max_versions: type: integer description: The number of versions to keep for each key. Defaults to 10 format: int32 JediUsersDataRequest: title: JediUsersDataRequest type: object properties: data: type: object description: The contents of the data map will be stored and returned on read. options: type: object description: Options for writing a KV entry. Set the "cas" value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter. version: type: integer description: If provided during a read, the value at the version number will be returned format: int32 JediUsersDeleteRequest: title: JediUsersDeleteRequest type: object properties: versions: type: array items: type: integer format: int32 description: The versions to be archived. The versioned data will not be deleted, but it will no longer be returned in normal get requests. JediUsersDestroyRequest: title: JediUsersDestroyRequest type: object properties: versions: type: array items: type: integer format: int32 description: The versions to destroy. Their data will be permanently deleted. JediUsersMetadataRequest: title: JediUsersMetadataRequest type: object properties: cas_required: type: boolean description: If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used. delete_version_after: type: integer description: The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error. format: int32 max_versions: type: integer description: The number of versions to keep. If not set, the backend’s configured max version is used. format: int32 JediUsersUndeleteRequest: title: JediUsersUndeleteRequest type: object properties: versions: type: array items: type: integer format: int32 description: The versions to unarchive. The versions will be restored and their data will be returned on normal get requests. KvConfigRequest: title: KvConfigRequest type: object properties: cas_required: type: boolean description: If true, the backend will require the cas parameter to be set for each write delete_version_after: type: integer description: If set, the length of time before a version is deleted. A negative duration disables the use of delete_version_after on all keys. A zero duration clears the current setting. Accepts a Go duration format string. format: int32 max_versions: type: integer description: The number of versions to keep for each key. Defaults to 10 format: int32 KvDataRequest: title: KvDataRequest type: object properties: data: type: object description: The contents of the data map will be stored and returned on read. options: type: object description: Options for writing a KV entry. Set the "cas" value to use a Check-And-Set operation. If not set the write will be allowed. If set to 0 a write will only be allowed if the key doesn’t exist. If the index is non-zero the write will only be allowed if the key’s current version matches the version specified in the cas parameter. version: type: integer description: If provided during a read, the value at the version number will be returned format: int32 KvDeleteRequest: title: KvDeleteRequest type: object properties: versions: type: array items: type: integer format: int32 description: The versions to be archived. The versioned data will not be deleted, but it will no longer be returned in normal get requests. KvDestroyRequest: title: KvDestroyRequest type: object properties: versions: type: array items: type: integer format: int32 description: The versions to destroy. Their data will be permanently deleted. KvMetadataRequest: title: KvMetadataRequest type: object properties: cas_required: type: boolean description: If true the key will require the cas parameter to be set on all write requests. If false, the backend’s configuration will be used. delete_version_after: type: integer description: The length of time before a version is deleted. If not set, the backend's configured delete_version_after is used. Cannot be greater than the backend's delete_version_after. A zero duration clears the current setting. A negative duration will cause an error. format: int32 max_versions: type: integer description: The number of versions to keep. If not set, the backend’s configured max version is used. format: int32 KvUndeleteRequest: title: KvUndeleteRequest type: object properties: versions: type: array items: type: integer format: int32 description: The versions to unarchive. The versions will be restored and their data will be returned on normal get requests. PkiConfigCaRequest: title: PkiConfigCaRequest type: object properties: pem_bundle: type: string description: PEM-format, concatenated unencrypted secret key and certificate. PkiConfigCrlRequest: title: PkiConfigCrlRequest type: object properties: disable: type: boolean description: If set to true, disables generating the CRL entirely. expiry: type: string description: The amount of time the generated CRL should be valid; defaults to 72 hours default: 72h PkiConfigUrlsRequest: title: PkiConfigUrlsRequest type: object properties: crl_distribution_points: type: array items: type: string description: Comma-separated list of URLs to be used for the CRL distribution points attribute issuing_certificates: type: array items: type: string description: Comma-separated list of URLs to be used for the issuing certificate attribute ocsp_servers: type: array items: type: string description: Comma-separated list of URLs to be used for the OCSP servers attribute PkiIntermediateGenerateRequest: title: PkiIntermediateGenerateRequest type: object properties: add_basic_constraints: type: boolean description: 'Whether to add a Basic Constraints extension with CA: true. Only needed as a workaround in some compatibility scenarios with Active Directory Certificate Services.' alt_names: type: string description: The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses. common_name: type: string description: The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans. country: type: array items: type: string description: If set, Country will be set to this value. exclude_cn_from_sans: type: boolean description: If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included). default: false format: allOf: - $ref: '#/components/schemas/Format' - description: Format for returned data. Can be "pem", "der", or "pem_bundle". If "pem_bundle" any private key and issuing cert will be appended to the certificate pem. Defaults to "pem". ip_sans: type: array items: type: string description: The requested IP SANs, if any, in a comma-delimited list key_bits: type: integer description: The number of bits to use. You will almost certainly want to change this if you adjust the key_type. format: int32 default: 2048 key_type: allOf: - $ref: '#/components/schemas/KeyType' - description: The type of key to use; defaults to RSA. "rsa" and "ec" are the only valid values. locality: type: array items: type: string description: If set, Locality will be set to this value. organization: type: array items: type: string description: If set, O (Organization) will be set to this value. other_sans: type: array items: type: string description: Requested other SANs, in an array with the format ;UTF8: for each entry. ou: type: array items: type: string description: If set, OU (OrganizationalUnit) will be set to this value. postal_code: type: array items: type: string description: If set, Postal Code will be set to this value. private_key_format: allOf: - $ref: '#/components/schemas/PrivateKeyFormat' - description: Format for the returned private key. Generally the default will be controlled by the "format" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to "der". province: type: array items: type: string description: If set, Province will be set to this value. serial_number: type: string description: The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. street_address: type: array items: type: string description: If set, Street Address will be set to this value. ttl: type: integer description: 'The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.' format: int32 uri_sans: type: array items: type: string description: The requested URI SANs, if any, in a comma-delimited list. Format: title: Format enum: - pem - der - pem_bundle type: string description: Format for returned data. Can be "pem", "der", or "pem_bundle". If "pem_bundle" any private key and issuing cert will be appended to the certificate pem. Defaults to "pem". KeyType: title: KeyType enum: - rsa - ec type: string description: The type of key to use; defaults to RSA. "rsa" and "ec" are the only valid values. PrivateKeyFormat: title: PrivateKeyFormat enum: - der - pem - pkcs8 type: string description: Format for the returned private key. Generally the default will be controlled by the "format" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to "der". PkiIntermediateSetSignedRequest: title: PkiIntermediateSetSignedRequest type: object properties: certificate: type: string description: PEM-format certificate. This must be a CA certificate with a public key matching the previously-generated key from the generation endpoint. PkiIssueRequest: title: PkiIssueRequest type: object properties: alt_names: type: string description: The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses. common_name: type: string description: The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address. exclude_cn_from_sans: type: boolean description: If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included). default: false format: allOf: - $ref: '#/components/schemas/Format' - description: Format for returned data. Can be "pem", "der", or "pem_bundle". If "pem_bundle" any private key and issuing cert will be appended to the certificate pem. Defaults to "pem". ip_sans: type: array items: type: string description: The requested IP SANs, if any, in a comma-delimited list other_sans: type: array items: type: string description: Requested other SANs, in an array with the format ;UTF8: for each entry. private_key_format: allOf: - $ref: '#/components/schemas/PrivateKeyFormat' - description: Format for the returned private key. Generally the default will be controlled by the "format" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to "der". serial_number: type: string description: The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. ttl: type: integer description: The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL. format: int32 uri_sans: type: array items: type: string description: The requested URI SANs, if any, in a comma-delimited list. PkiRevokeRequest: title: PkiRevokeRequest type: object properties: serial_number: type: string description: Certificate serial number, in colon- or hyphen-separated octal PkiRolesRequest: title: PkiRolesRequest type: object properties: allow_any_name: type: boolean description: If set, clients can request certificates for any CN they like. See the documentation for more information. allow_bare_domains: type: boolean description: If set, clients can request certificates for the base domains themselves, e.g. "example.com". This is a separate option as in some cases this can be considered a security threat. allow_glob_domains: type: boolean description: If set, domains specified in "allowed_domains" can include glob patterns, e.g. "ftp*.example.com". See the documentation for more information. allow_ip_sans: type: boolean description: If set, IP Subject Alternative Names are allowed. Any valid IP is accepted. default: true allow_localhost: type: boolean description: Whether to allow "localhost" as a valid common name in a request default: true allow_subdomains: type: boolean description: If set, clients can request certificates for subdomains of the CNs allowed by the other role options, including wildcard subdomains. See the documentation for more information. allowed_domains: type: array items: type: string description: If set, clients can request certificates for subdomains directly beneath these domains, including the wildcard subdomains. See the documentation for more information. This parameter accepts a comma-separated string or list of domains. allowed_domains_template: type: boolean description: If set, Allowed domains can be specified using identity template policies. Non-templated domains are also permitted. default: false allowed_other_sans: type: array items: type: string description: If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format ;:. Currently only "utf8" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single "*" which allows any OID and any value (but type must still be utf8). allowed_serial_numbers: type: array items: type: string description: If set, an array of allowed serial numbers to put in Subject. These values support globbing. allowed_uri_sans: type: array items: type: string description: If set, an array of allowed URIs to put in the URI Subject Alternative Names. Any valid URI is accepted, these values support globbing. backend: type: string description: Backend Type basic_constraints_valid_for_non_ca: type: boolean description: Mark Basic Constraints valid when issuing non-CA certificates. client_flag: type: boolean description: If set, certificates are flagged for client auth use. Defaults to true. default: true code_signing_flag: type: boolean description: If set, certificates are flagged for code signing use. Defaults to false. country: type: array items: type: string description: If set, Country will be set to this value in certificates issued by this role. email_protection_flag: type: boolean description: If set, certificates are flagged for email protection use. Defaults to false. enforce_hostnames: type: boolean description: If set, only valid host names are allowed for CN and SANs. Defaults to true. default: true ext_key_usage: type: array items: type: string description: A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the "ExtKeyUsage" part of the name. To remove all key usages from being set, set this value to an empty list. default: [] ext_key_usage_oids: type: array items: type: string description: A comma-separated string or list of extended key usage oids. generate_lease: type: boolean description: If set, certificates issued/signed against this role will have Vault leases attached to them. Defaults to "false". Certificates can be added to the CRL by "vault revoke " when certificates are associated with leases. It can also be done using the "pki/revoke" endpoint. However, when lease generation is disabled, invoking "pki/revoke" would be the only way to add the certificates to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault. key_bits: type: integer description: The number of bits to use. You will almost certainly want to change this if you adjust the key_type. format: int32 default: 2048 key_type: allOf: - $ref: '#/components/schemas/KeyType' - description: The type of key to use; defaults to RSA. "rsa" and "ec" are the only valid values. key_usage: type: array items: type: string description: A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the "KeyUsage" part of the name. To remove all key usages from being set, set this value to an empty list. default: - DigitalSignature - KeyAgreement - KeyEncipherment locality: type: array items: type: string description: If set, Locality will be set to this value in certificates issued by this role. max_ttl: type: integer description: The maximum allowed lease duration format: int32 no_store: type: boolean description: If set, certificates issued/signed against this role will not be stored in the storage backend. This can improve performance when issuing large numbers of certificates. However, certificates issued in this way cannot be enumerated or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of "false" for "generate_lease". not_before_duration: type: integer description: The duration before now the cert needs to be created / signed. format: int32 default: 30 organization: type: array items: type: string description: If set, O (Organization) will be set to this value in certificates issued by this role. ou: type: array items: type: string description: If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role. policy_identifiers: type: array items: type: string description: A comma-separated string or list of policy oids. postal_code: type: array items: type: string description: If set, Postal Code will be set to this value in certificates issued by this role. province: type: array items: type: string description: If set, Province will be set to this value in certificates issued by this role. require_cn: type: boolean description: If set to false, makes the 'common_name' field optional while generating a certificate. default: true server_flag: type: boolean description: If set, certificates are flagged for server auth use. Defaults to true. default: true street_address: type: array items: type: string description: If set, Street Address will be set to this value in certificates issued by this role. ttl: type: integer description: The lease duration if no specific lease duration is requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl. format: int32 use_csr_common_name: type: boolean description: If set, when used with a signing profile, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names. Defaults to true. default: true use_csr_sans: type: boolean description: If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn). Defaults to true. default: true PkiRootGenerateRequest: title: PkiRootGenerateRequest type: object properties: alt_names: type: string description: The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses. common_name: type: string description: The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans. country: type: array items: type: string description: If set, Country will be set to this value. exclude_cn_from_sans: type: boolean description: If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included). default: false format: allOf: - $ref: '#/components/schemas/Format' - description: Format for returned data. Can be "pem", "der", or "pem_bundle". If "pem_bundle" any private key and issuing cert will be appended to the certificate pem. Defaults to "pem". ip_sans: type: array items: type: string description: The requested IP SANs, if any, in a comma-delimited list key_bits: type: integer description: The number of bits to use. You will almost certainly want to change this if you adjust the key_type. format: int32 default: 2048 key_type: allOf: - $ref: '#/components/schemas/KeyType' - description: The type of key to use; defaults to RSA. "rsa" and "ec" are the only valid values. locality: type: array items: type: string description: If set, Locality will be set to this value. max_path_length: type: integer description: The maximum allowable path length format: int32 default: -1 organization: type: array items: type: string description: If set, O (Organization) will be set to this value. other_sans: type: array items: type: string description: Requested other SANs, in an array with the format ;UTF8: for each entry. ou: type: array items: type: string description: If set, OU (OrganizationalUnit) will be set to this value. permitted_dns_domains: type: array items: type: string description: Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10). postal_code: type: array items: type: string description: If set, Postal Code will be set to this value. private_key_format: allOf: - $ref: '#/components/schemas/PrivateKeyFormat' - description: Format for the returned private key. Generally the default will be controlled by the "format" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to "der". province: type: array items: type: string description: If set, Province will be set to this value. serial_number: type: string description: The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. street_address: type: array items: type: string description: If set, Street Address will be set to this value. ttl: type: integer description: 'The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.' format: int32 uri_sans: type: array items: type: string description: The requested URI SANs, if any, in a comma-delimited list. PkiRootSignIntermediateRequest: title: PkiRootSignIntermediateRequest type: object properties: alt_names: type: string description: The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses. common_name: type: string description: The requested common name; if you want more than one, specify the alternative names in the alt_names map. If not specified when signing, the common name will be taken from the CSR; other names must still be specified in alt_names or ip_sans. country: type: array items: type: string description: If set, Country will be set to this value. csr: type: string description: PEM-format CSR to be signed. exclude_cn_from_sans: type: boolean description: If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included). default: false format: allOf: - $ref: '#/components/schemas/Format' - description: Format for returned data. Can be "pem", "der", or "pem_bundle". If "pem_bundle" any private key and issuing cert will be appended to the certificate pem. Defaults to "pem". ip_sans: type: array items: type: string description: The requested IP SANs, if any, in a comma-delimited list locality: type: array items: type: string description: If set, Locality will be set to this value. max_path_length: type: integer description: The maximum allowable path length format: int32 default: -1 organization: type: array items: type: string description: If set, O (Organization) will be set to this value. other_sans: type: array items: type: string description: Requested other SANs, in an array with the format ;UTF8: for each entry. ou: type: array items: type: string description: If set, OU (OrganizationalUnit) will be set to this value. permitted_dns_domains: type: array items: type: string description: Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10). postal_code: type: array items: type: string description: If set, Postal Code will be set to this value. private_key_format: allOf: - $ref: '#/components/schemas/PrivateKeyFormat' - description: Format for the returned private key. Generally the default will be controlled by the "format" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to "der". province: type: array items: type: string description: If set, Province will be set to this value. serial_number: type: string description: The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. street_address: type: array items: type: string description: If set, Street Address will be set to this value. ttl: type: integer description: 'The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.' format: int32 uri_sans: type: array items: type: string description: The requested URI SANs, if any, in a comma-delimited list. use_csr_values: type: boolean description: 'If true, then: 1) Subject information, including names and alternate names, will be preserved from the CSR rather than using values provided in the other parameters to this path; 2) Any key usages requested in the CSR will be added to the basic set of key usages used for CA certs signed by this path; for instance, the non-repudiation flag.' default: false PkiRootSignSelfIssuedRequest: title: PkiRootSignSelfIssuedRequest type: object properties: certificate: type: string description: PEM-format self-issued certificate to be signed. PkiSignVerbatimRequest: title: PkiSignVerbatimRequest type: object properties: alt_names: type: string description: The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses. common_name: type: string description: The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address. csr: type: string description: PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints. exclude_cn_from_sans: type: boolean description: If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included). default: false ext_key_usage: type: array items: type: string description: A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the "ExtKeyUsage" part of the name. To remove all key usages from being set, set this value to an empty list. default: [] ext_key_usage_oids: type: array items: type: string description: A comma-separated string or list of extended key usage oids. format: allOf: - $ref: '#/components/schemas/Format' - description: Format for returned data. Can be "pem", "der", or "pem_bundle". If "pem_bundle" any private key and issuing cert will be appended to the certificate pem. Defaults to "pem". ip_sans: type: array items: type: string description: The requested IP SANs, if any, in a comma-delimited list key_usage: type: array items: type: string description: A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the "KeyUsage" part of the name. To remove all key usages from being set, set this value to an empty list. default: - DigitalSignature - KeyAgreement - KeyEncipherment other_sans: type: array items: type: string description: Requested other SANs, in an array with the format ;UTF8: for each entry. private_key_format: allOf: - $ref: '#/components/schemas/PrivateKeyFormat' - description: Format for the returned private key. Generally the default will be controlled by the "format" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to "der". role: type: string description: The desired role with configuration for this request serial_number: type: string description: The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. ttl: type: integer description: The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL. format: int32 uri_sans: type: array items: type: string description: The requested URI SANs, if any, in a comma-delimited list. PkiSignVerbatimRequest1: title: PkiSignVerbatimRequest1 type: object properties: alt_names: type: string description: The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses. common_name: type: string description: The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address. csr: type: string description: PEM-format CSR to be signed. Values will be taken verbatim from the CSR, except for basic constraints. exclude_cn_from_sans: type: boolean description: If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included). default: false ext_key_usage: type: array items: type: string description: A comma-separated string or list of extended key usages. Valid values can be found at https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the "ExtKeyUsage" part of the name. To remove all key usages from being set, set this value to an empty list. default: [] ext_key_usage_oids: type: array items: type: string description: A comma-separated string or list of extended key usage oids. format: allOf: - $ref: '#/components/schemas/Format' - description: Format for returned data. Can be "pem", "der", or "pem_bundle". If "pem_bundle" any private key and issuing cert will be appended to the certificate pem. Defaults to "pem". ip_sans: type: array items: type: string description: The requested IP SANs, if any, in a comma-delimited list key_usage: type: array items: type: string description: A comma-separated string or list of key usages (not extended key usages). Valid values can be found at https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the "KeyUsage" part of the name. To remove all key usages from being set, set this value to an empty list. default: - DigitalSignature - KeyAgreement - KeyEncipherment other_sans: type: array items: type: string description: Requested other SANs, in an array with the format ;UTF8: for each entry. private_key_format: allOf: - $ref: '#/components/schemas/PrivateKeyFormat' - description: Format for the returned private key. Generally the default will be controlled by the "format" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to "der". serial_number: type: string description: The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. ttl: type: integer description: The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL. format: int32 uri_sans: type: array items: type: string description: The requested URI SANs, if any, in a comma-delimited list. PkiSignRequest: title: PkiSignRequest type: object properties: alt_names: type: string description: The requested Subject Alternative Names, if any, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses. common_name: type: string description: The requested common name; if you want more than one, specify the alternative names in the alt_names map. If email protection is enabled in the role, this may be an email address. csr: type: string description: PEM-format CSR to be signed. exclude_cn_from_sans: type: boolean description: If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included). default: false format: allOf: - $ref: '#/components/schemas/Format' - description: Format for returned data. Can be "pem", "der", or "pem_bundle". If "pem_bundle" any private key and issuing cert will be appended to the certificate pem. Defaults to "pem". ip_sans: type: array items: type: string description: The requested IP SANs, if any, in a comma-delimited list other_sans: type: array items: type: string description: Requested other SANs, in an array with the format ;UTF8: for each entry. private_key_format: allOf: - $ref: '#/components/schemas/PrivateKeyFormat' - description: Format for the returned private key. Generally the default will be controlled by the "format" parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to "der". serial_number: type: string description: The requested serial number, if any. If you want more than one, specify alternative names in the alt_names map using OID 2.5.4.5. ttl: type: integer description: The requested Time To Live for the certificate; sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL. format: int32 uri_sans: type: array items: type: string description: The requested URI SANs, if any, in a comma-delimited list. PkiTidyRequest: title: PkiTidyRequest type: object properties: safety_buffer: type: integer description: The amount of extra time that must have passed beyond certificate expiration before it is removed from the backend storage and/or revocation list. Defaults to 72 hours. format: int32 default: 259200 tidy_cert_store: type: boolean description: Set to true to enable tidying up the certificate store tidy_revocation_list: type: boolean description: Deprecated; synonym for 'tidy_revoked_certs tidy_revoked_certs: type: boolean description: Set to true to expire all revoked and expired certificates, removing them both from the CRL and from storage. The CRL will be rotated if this causes any values to be removed. SysAuditHashRequest: title: SysAuditHashRequest type: object properties: input: type: string SysAuditRequest: title: SysAuditRequest type: object properties: description: type: string description: User-friendly description for this audit backend. local: type: boolean description: Mark the mount as a local mount, which is not replicated and is unaffected by replication. default: false options: type: object description: Configuration options for the audit backend. type: type: string description: 'The type of the backend. Example: "mysql"' SysAuthRequest: title: SysAuthRequest type: object properties: config: type: object description: Configuration for this mount, such as plugin_name. description: type: string description: User-friendly description for this credential backend. external_entropy_access: type: boolean description: Whether to give the mount access to Vault's external entropy. default: false local: type: boolean description: Mark the mount as a local mount, which is not replicated and is unaffected by replication. default: false options: type: object description: The options to pass into the backend. Should be a json object with string keys and values. plugin_name: type: string description: Name of the auth plugin to use based from the name in the plugin catalog. seal_wrap: type: boolean description: Whether to turn on seal wrapping for the mount. default: false type: type: string description: 'The type of the backend. Example: "userpass"' SysAuthTuneRequest: title: SysAuthTuneRequest type: object properties: allowed_response_headers: type: array items: type: string description: A list of headers to whitelist and allow a plugin to set on responses. audit_non_hmac_request_keys: type: array items: type: string description: The list of keys in the request data object that will not be HMAC'ed by audit devices. audit_non_hmac_response_keys: type: array items: type: string description: The list of keys in the response data object that will not be HMAC'ed by audit devices. default_lease_ttl: type: string description: The default lease TTL for this mount. description: type: string description: User-friendly description for this credential backend. listing_visibility: type: string description: Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and ''. max_lease_ttl: type: string description: The max lease TTL for this mount. options: type: object description: The options to pass into the backend. Should be a json object with string keys and values. passthrough_request_headers: type: array items: type: string description: A list of headers to whitelist and pass from the request to the plugin. token_type: type: string description: The type of token to issue (service or batch). SysCapabilitiesRequest: title: SysCapabilitiesRequest type: object properties: path: type: array items: type: string description: Use 'paths' instead. deprecated: true paths: type: array items: type: string description: Paths on which capabilities are being queried. token: type: string description: Token for which capabilities are being queried. SysCapabilitiesAccessorRequest: title: SysCapabilitiesAccessorRequest type: object properties: accessor: type: string description: Accessor of the token for which capabilities are being queried. path: type: array items: type: string description: Use 'paths' instead. deprecated: true paths: type: array items: type: string description: Paths on which capabilities are being queried. SysCapabilitiesSelfRequest: title: SysCapabilitiesSelfRequest type: object properties: path: type: array items: type: string description: Use 'paths' instead. deprecated: true paths: type: array items: type: string description: Paths on which capabilities are being queried. token: type: string description: Token for which capabilities are being queried. SysConfigAuditingRequestHeadersRequest: title: SysConfigAuditingRequestHeadersRequest type: object properties: hmac: type: boolean SysConfigControlGroupRequest: title: SysConfigControlGroupRequest type: object properties: max_ttl: type: integer description: The max TTL for a control group token. format: int32 SysConfigCorsRequest: title: SysConfigCorsRequest type: object properties: allowed_headers: type: array items: type: string description: A comma-separated string or array of strings indicating headers that are allowed on cross-origin requests. allowed_origins: type: array items: type: string description: A comma-separated string or array of strings indicating origins that may make cross-origin requests. enable: type: boolean description: Enables or disables CORS headers on requests. SysConfigUiHeadersRequest: title: SysConfigUiHeadersRequest type: object properties: values: type: array items: type: string description: The values to set the header. SysControlGroupAuthorizeRequest: title: SysControlGroupAuthorizeRequest type: object properties: accessor: type: string description: The accessor of the request to authorize. SysControlGroupRequestRequest: title: SysControlGroupRequestRequest type: object properties: accessor: type: string description: The accessor of the request. SysGenerateRootRequest: title: SysGenerateRootRequest type: object properties: pgp_key: type: string description: Specifies a base64-encoded PGP public key. SysGenerateRootAttemptRequest: title: SysGenerateRootAttemptRequest type: object properties: pgp_key: type: string description: Specifies a base64-encoded PGP public key. SysGenerateRootUpdateRequest: title: SysGenerateRootUpdateRequest type: object properties: key: type: string description: Specifies a single master key share. nonce: type: string description: Specifies the nonce of the attempt. SysInitRequest: title: SysInitRequest type: object properties: pgp_keys: type: array items: type: string description: Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `secret_shares`. recovery_pgp_keys: type: array items: type: string description: Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `recovery_shares`. recovery_shares: type: integer description: Specifies the number of shares to split the recovery key into. format: int32 recovery_threshold: type: integer description: Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`. format: int32 root_token_pgp_key: type: string description: Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation. secret_shares: type: integer description: Specifies the number of shares to split the master key into. format: int32 secret_threshold: type: integer description: Specifies the number of shares required to reconstruct the master key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`. format: int32 stored_shares: type: integer description: Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`. format: int32 SysLeasesLookupRequest: title: SysLeasesLookupRequest type: object properties: lease_id: type: string description: The lease identifier to renew. This is included with a lease. SysLeasesRenewRequest: title: SysLeasesRenewRequest type: object properties: increment: type: integer description: The desired increment in seconds to the lease format: int32 lease_id: type: string description: The lease identifier to renew. This is included with a lease. url_lease_id: type: string description: The lease identifier to renew. This is included with a lease. SysLeasesRenewRequest1: title: SysLeasesRenewRequest1 type: object properties: increment: type: integer description: The desired increment in seconds to the lease format: int32 lease_id: type: string description: The lease identifier to renew. This is included with a lease. SysLeasesRevokeRequest: title: SysLeasesRevokeRequest type: object properties: lease_id: type: string description: The lease identifier to renew. This is included with a lease. sync: type: boolean description: Whether or not to perform the revocation synchronously default: true url_lease_id: type: string description: The lease identifier to renew. This is included with a lease. SysLeasesRevokePrefixRequest: title: SysLeasesRevokePrefixRequest type: object properties: sync: type: boolean description: Whether or not to perform the revocation synchronously default: true SysLeasesRevokeRequest1: title: SysLeasesRevokeRequest1 type: object properties: lease_id: type: string description: The lease identifier to renew. This is included with a lease. sync: type: boolean description: Whether or not to perform the revocation synchronously default: true SysLicenseRequest: title: SysLicenseRequest type: object properties: text: type: string description: The text of the license. SysMfaMethodDuoRequest: title: SysMfaMethodDuoRequest type: object properties: api_hostname: type: string description: API host name for Duo. integration_key: type: string description: Integration key for Duo. mount_accessor: type: string description: The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. push_info: type: string description: Push information for Duo. secret_key: type: string description: Secret key for Duo. username_format: type: string description: "A format string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is." SysMfaMethodOktaRequest: title: SysMfaMethodOktaRequest type: object properties: api_token: type: string description: Okta API key. base_url: type: string description: The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used. mount_accessor: type: string description: The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. org_name: type: string description: Name of the organization to be used in the Okta API. primary_email: type: boolean description: If true, the username will only match the primary email for the account. Defaults to false. production: type: boolean description: (DEPRECATED) Use base_url instead. username_format: type: string description: "A format string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is." SysMfaMethodPingidRequest: title: SysMfaMethodPingidRequest type: object properties: mount_accessor: type: string description: The mount to tie this method to for use in automatic mappings. The mapping will use the Name field of Aliases associated with this mount as the username in the mapping. settings_file_base64: type: string description: The settings file provided by Ping, Base64-encoded. This must be a settings file suitable for third-party clients, not the PingID SDK or PingFederate. username_format: type: string description: "A format string for mapping Identity names to MFA method names. Values to subtitute should be placed in {{}}. For example, \"{{alias.name}}@example.com\". Currently-supported mappings: alias.name: The name returned by the mount configured via the mount_accessor parameter If blank, the Alias's name field will be used as-is." SysMfaMethodTotpRequest: title: SysMfaMethodTotpRequest type: object properties: algorithm: type: string description: The hashing algorithm used to generate the TOTP token. Options include SHA1, SHA256 and SHA512. default: SHA1 digits: type: integer description: The number of digits in the generated TOTP token. This value can either be 6 or 8. format: int32 default: 6 issuer: type: string description: The name of the key's issuing organization. key_size: type: integer description: Determines the size in bytes of the generated key. format: int32 default: 20 period: type: integer description: The length of time used to generate a counter for the TOTP token calculation. format: int32 default: 30 qr_size: type: integer description: The pixel size of the generated square QR code. format: int32 default: 200 skew: type: integer description: The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1. format: int32 default: 1 SysMfaMethodTotpAdminDestroyRequest: title: SysMfaMethodTotpAdminDestroyRequest type: object properties: entity_id: type: string description: Identifier of the entity from which the MFA method secret needs to be removed. SysMfaMethodTotpAdminGenerateRequest: title: SysMfaMethodTotpAdminGenerateRequest type: object properties: entity_id: type: string description: Entity ID on which the generated secret needs to get stored. SysMountsRequest: title: SysMountsRequest type: object properties: config: type: object description: Configuration for this mount, such as default_lease_ttl and max_lease_ttl. description: type: string description: User-friendly description for this mount. external_entropy_access: type: boolean description: Whether to give the mount access to Vault's external entropy. default: false local: type: boolean description: Mark the mount as a local mount, which is not replicated and is unaffected by replication. default: false options: type: object description: The options to pass into the backend. Should be a json object with string keys and values. plugin_name: type: string description: Name of the plugin to mount based from the name registered in the plugin catalog. seal_wrap: type: boolean description: Whether to turn on seal wrapping for the mount. default: false type: type: string description: 'The type of the backend. Example: "passthrough"' SysMountsTuneRequest: title: SysMountsTuneRequest type: object properties: allowed_response_headers: type: array items: type: string description: A list of headers to whitelist and allow a plugin to set on responses. audit_non_hmac_request_keys: type: array items: type: string description: The list of keys in the request data object that will not be HMAC'ed by audit devices. audit_non_hmac_response_keys: type: array items: type: string description: The list of keys in the response data object that will not be HMAC'ed by audit devices. default_lease_ttl: type: string description: The default lease TTL for this mount. description: type: string description: User-friendly description for this credential backend. listing_visibility: type: string description: Determines the visibility of the mount in the UI-specific listing endpoint. Accepted value are 'unauth' and ''. max_lease_ttl: type: string description: The max lease TTL for this mount. options: type: object description: The options to pass into the backend. Should be a json object with string keys and values. passthrough_request_headers: type: array items: type: string description: A list of headers to whitelist and pass from the request to the plugin. token_type: type: string description: The type of token to issue (service or batch). SysPluginsCatalogRequest: title: SysPluginsCatalogRequest type: object properties: args: type: array items: type: string description: The args passed to plugin command. command: type: string description: The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory. env: type: array items: type: string description: The environment variables passed to plugin command. Each entry is of the form "key=value". sha256: type: string description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. sha_256: type: string description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. type: type: string description: The type of the plugin, may be auth, secret, or database SysPluginsCatalogRequest1: title: SysPluginsCatalogRequest1 type: object properties: args: type: array items: type: string description: The args passed to plugin command. command: type: string description: The command used to start the plugin. The executable defined in this command must exist in vault's plugin directory. env: type: array items: type: string description: The environment variables passed to plugin command. Each entry is of the form "key=value". sha256: type: string description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. sha_256: type: string description: The SHA256 sum of the executable used in the command field. This should be HEX encoded. SysPluginsReloadBackendRequest: title: SysPluginsReloadBackendRequest type: object properties: mounts: type: array items: type: string description: The mount paths of the plugin backends to reload. plugin: type: string description: The name of the plugin to reload, as registered in the plugin catalog. scope: type: string SysPoliciesAclRequest: title: SysPoliciesAclRequest type: object properties: policy: type: string description: The rules of the policy. SysPoliciesEgpRequest: title: SysPoliciesEgpRequest type: object properties: enforcement_level: type: string description: The enforcement level to apply to the policy. paths: type: array items: type: string description: The paths on which the policy should be applied. policy: type: string description: The rules of the policy. SysPoliciesPasswordRequest: title: SysPoliciesPasswordRequest type: object properties: policy: type: string description: The password policy SysPoliciesRgpRequest: title: SysPoliciesRgpRequest type: object properties: enforcement_level: type: string description: The enforcement level to apply to the policy. policy: type: string description: The rules of the policy. SysPolicyRequest: title: SysPolicyRequest type: object properties: policy: type: string description: The rules of the policy. rules: type: string description: The rules of the policy. deprecated: true SysQuotasConfigRequest: title: SysQuotasConfigRequest type: object properties: enable_rate_limit_audit_logging: type: boolean description: If set, starts audit logging of requests that get rejected due to rate limit quota rule violations. SysQuotasLeaseCountRequest: title: SysQuotasLeaseCountRequest type: object properties: max_leases: type: integer description: Maximum number of leases allowed by the quota rule. format: int32 path: type: string description: Path including the applicable namespace prefix. type: type: string description: Type of the quota rule. SysQuotasRateLimitRequest: title: SysQuotasRateLimitRequest type: object properties: path: type: string description: Path of the mount or namespace to apply the quota. A blank path configures a global quota. For example namespace1/ adds a quota to a full namespace, namespace1/auth/userpass adds a quota to userpass in namespace1. rate: description: The maximum number of requests at any given second to be allowed by the quota rule. The 'rate' must be positive. type: type: string description: Type of the quota rule. SysRekeyInitRequest: title: SysRekeyInitRequest type: object properties: backup: type: boolean description: Specifies if using PGP-encrypted keys, whether Vault should also store a plaintext backup of the PGP-encrypted keys. pgp_keys: type: array items: type: string description: Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as secret_shares. require_verification: type: boolean description: Turns on verification functionality secret_shares: type: integer description: Specifies the number of shares to split the master key into. format: int32 secret_threshold: type: integer description: Specifies the number of shares required to reconstruct the master key. This must be less than or equal secret_shares. If using Vault HSM with auto-unsealing, this value must be the same as secret_shares. format: int32 SysRekeyUpdateRequest: title: SysRekeyUpdateRequest type: object properties: key: type: string description: Specifies a single master key share. nonce: type: string description: Specifies the nonce of the rekey attempt. SysRekeyVerifyRequest: title: SysRekeyVerifyRequest type: object properties: key: type: string description: Specifies a single master share key from the new set of shares. nonce: type: string description: Specifies the nonce of the rekey verification operation. SysRemountRequest: title: SysRemountRequest type: object properties: from: type: string description: The previous mount point. to: type: string description: The new mount point. SysRenewRequest: title: SysRenewRequest type: object properties: increment: type: integer description: The desired increment in seconds to the lease format: int32 lease_id: type: string description: The lease identifier to renew. This is included with a lease. url_lease_id: type: string description: The lease identifier to renew. This is included with a lease. SysRenewRequest1: title: SysRenewRequest1 type: object properties: increment: type: integer description: The desired increment in seconds to the lease format: int32 lease_id: type: string description: The lease identifier to renew. This is included with a lease. SysReplicationDrPrimaryEnableRequest: title: SysReplicationDrPrimaryEnableRequest type: object properties: primary_cluster_addr: type: string description: The address the secondary cluster should connect to. Defaults to the primary's cluster address. SysReplicationDrPrimaryRevokeSecondaryRequest: title: SysReplicationDrPrimaryRevokeSecondaryRequest type: object properties: id: type: string description: The secondary cluster ID to revoke SysReplicationDrPrimarySecondaryTokenRequest: title: SysReplicationDrPrimarySecondaryTokenRequest type: object properties: id: pattern: '\w([\w-.]*\w)?' type: string description: An opaque identifier that can be used to identify and revoke a secondary cluster's access later. secondary_public_key: type: string description: A base64-encoded public key generated by the secondary cluster. ttl: type: integer description: The TTL to use for the secondary activation token. Defaults to 30 minutes. format: int32 SysReplicationDrSecondaryDisableRequest: title: SysReplicationDrSecondaryDisableRequest type: object properties: dr_operation_token: type: string description: DR operation token used to authorize this request. SysReplicationDrSecondaryEnableRequest: title: SysReplicationDrSecondaryEnableRequest type: object properties: ca_file: type: string description: A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address ca_path: type: string description: A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address client_cert_pem: type: string description: 'The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher.' client_key_pem: type: string description: The client key to use for authentication, in PEM format. primary_api_addr: type: string description: The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address. token: type: string description: The token given by the primary to activate secondary status for this cluster. SysReplicationDrSecondaryLicenseRequest: title: SysReplicationDrSecondaryLicenseRequest type: object properties: dr_operation_token: type: string description: DR operation token used to authorize this request. text: type: string description: The text of the license. SysReplicationDrSecondaryOperationTokenDeleteRequest: title: SysReplicationDrSecondaryOperationTokenDeleteRequest type: object properties: dr_operation_token: type: string description: DR operation token used to authorize this request. SysReplicationDrSecondaryPromoteRequest: title: SysReplicationDrSecondaryPromoteRequest type: object properties: dr_operation_token: type: string description: DR operation token used to authorize this request. force: type: boolean description: Set to true if the cluster should be promoted despite replication being in an error state. This could mean some data was not replicated to the secondary primary_cluster_addr: type: string description: The address the secondary cluster should connect to. Defaults to the primary's cluster address. SysReplicationDrSecondaryRecoverRequest: title: SysReplicationDrSecondaryRecoverRequest type: object properties: dr_operation_token: type: string description: DR operation token used to authorize this request. SysReplicationDrSecondaryReindexRequest: title: SysReplicationDrSecondaryReindexRequest type: object properties: diff: type: boolean description: Enables a slower re-indexing which will perform a key level check to diagnose issues. Defaults false. dr_operation_token: type: string description: DR operation token used to authorize this request. force: type: boolean description: Forces a complete re-indexing which only scans data available in the storage. Defaults false. skip_flush: type: boolean description: Skips the tree flushing stage of the reindex process. This setting can be used to reduce the amount of time the tree is locked during a reindex process. If this node is killed before the full tree has been asynchronously flushed the reindex may not have applied fully and a new reindex may need to be done. Shutting down this node cleanly will cause the tree to be flushed prior to shutdown. Defaults false. SysReplicationDrSecondaryUpdatePrimaryRequest: title: SysReplicationDrSecondaryUpdatePrimaryRequest type: object properties: ca_file: type: string description: A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address ca_path: type: string description: A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address client_cert_pem: type: string description: 'The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher.' client_key_pem: type: string description: The client key to use for authentication, in PEM format. dr_operation_token: type: string description: DR operation token used to authorize this request. primary_api_addr: type: string description: The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address. token: type: string description: The token given by the primary to activate secondary status for this cluster. SysReplicationPerformancePrimaryEnableRequest: title: SysReplicationPerformancePrimaryEnableRequest type: object properties: primary_cluster_addr: type: string description: The address the secondary cluster should connect to. Defaults to the primary's cluster address. SysReplicationPerformancePrimaryMountFilterRequest: title: SysReplicationPerformancePrimaryMountFilterRequest type: object properties: mode: type: string description: The filter mode for the mount paths (whitelist or blacklist). Defaults to whitelist. default: allow paths: type: array items: type: string description: The paths to the mount to filter in replication. SysReplicationPerformancePrimaryPathsFilterRequest: title: SysReplicationPerformancePrimaryPathsFilterRequest type: object properties: mode: type: string description: The filter mode for the paths filter (allow or deny). Defaults to allow. default: allow paths: type: array items: type: string description: The paths to filter in replication. Must be a mount or a namespace. SysReplicationPerformancePrimaryRevokeSecondaryRequest: title: SysReplicationPerformancePrimaryRevokeSecondaryRequest type: object properties: id: type: string description: The secondary cluster ID to revoke SysReplicationPerformancePrimarySecondaryTokenRequest: title: SysReplicationPerformancePrimarySecondaryTokenRequest type: object properties: id: pattern: '\w([\w-.]*\w)?' type: string description: An opaque identifier that can be used to identify and revoke a secondary cluster's access later. secondary_public_key: type: string description: A base64-encoded public key generated by the secondary cluster. ttl: type: integer description: The TTL to use for the secondary activation token. Defaults to 30 minutes. format: int32 SysReplicationPerformanceSecondaryEnableRequest: title: SysReplicationPerformanceSecondaryEnableRequest type: object properties: ca_file: type: string description: A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address ca_path: type: string description: A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address client_cert_pem: type: string description: 'The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher.' client_key_pem: type: string description: The client key to use for authentication, in PEM format. primary_api_addr: type: string description: The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address. token: type: string description: The token given by the primary to activate secondary status for this cluster. SysReplicationPerformanceSecondaryPromoteRequest: title: SysReplicationPerformanceSecondaryPromoteRequest type: object properties: force: type: boolean description: Set to true if the cluster should be promoted despite replication being in an error state. This could mean some data was not replicated to the secondary primary_cluster_addr: type: string description: The address the secondary cluster should connect to. Defaults to the primary's cluster address. SysReplicationPerformanceSecondaryUpdatePrimaryRequest: title: SysReplicationPerformanceSecondaryUpdatePrimaryRequest type: object properties: ca_file: type: string description: A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address ca_path: type: string description: A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address client_cert_pem: type: string description: 'The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher.' client_key_pem: type: string description: The client key to use for authentication, in PEM format. primary_api_addr: type: string description: The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address. token: type: string description: The token given by the primary to activate secondary status for this cluster. SysReplicationPrimaryEnableRequest: title: SysReplicationPrimaryEnableRequest type: object properties: primary_cluster_addr: type: string description: The address the secondary cluster should connect to. Defaults to the primary's cluster address. SysReplicationPrimaryRevokeSecondaryRequest: title: SysReplicationPrimaryRevokeSecondaryRequest type: object properties: id: pattern: '\w([\w-.]*\w)?' type: string description: The secondary cluster ID to revoke SysReplicationPrimarySecondaryTokenRequest: title: SysReplicationPrimarySecondaryTokenRequest type: object properties: id: pattern: '\w([\w-.]*\w)?' type: string description: An opaque identifier that can be used to identify and revoke a secondary cluster's access later. secondary_public_key: type: string description: A base64-encoded public key generated by the secondary cluster. ttl: type: integer description: The TTL to use for the secondary activation token. Defaults to 30 minutes. format: int32 SysReplicationReindexRequest: title: SysReplicationReindexRequest type: object properties: diff: type: boolean description: Enables a slower re-indexing which will perform a key level check to diagnose issues. Defaults false. force: type: boolean description: Forces a complete re-indexing which only scans data available in the storage. Defaults false. skip_flush: type: boolean description: Skips the tree flushing stage of the reindex process. This setting can be used to reduce the amount of time the tree is locked during a reindex process. If this node is killed before the full tree has been asynchronously flushed the reindex may not have applied fully and a new reindex may need to be done. Shutting down this node cleanly will cause the tree to be flushed prior to shutdown. Defaults false. SysReplicationSecondaryEnableRequest: title: SysReplicationSecondaryEnableRequest type: object properties: ca_file: type: string description: A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address ca_path: type: string description: A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address client_cert_pem: type: string description: 'The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher.' client_key_pem: type: string description: The client key to use for authentication, in PEM format. primary_api_addr: type: string description: The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address. token: type: string description: The token given by the primary to activate secondary status for this cluster. SysReplicationSecondaryPromoteRequest: title: SysReplicationSecondaryPromoteRequest type: object properties: force: type: boolean description: Set to true if the cluster should be promoted despite replication being in an error state. This could mean some data was not replicated to the secondary primary_cluster_addr: type: string description: The address the secondary cluster should connect to. Defaults to the primary's cluster address. SysReplicationSecondaryUpdatePrimaryRequest: title: SysReplicationSecondaryUpdatePrimaryRequest type: object properties: ca_file: type: string description: A path to a file containing a PEM-encoded CA certificate to verify the call against the primary's API address ca_path: type: string description: A path to a directory containing PEM-encoded CA certificates to verify the call against the primary's API address client_cert_pem: type: string description: 'The client certificate to use for authentication, in PEM format. Note: client authentication for this operation will always use TLS 1.2 or higher.' client_key_pem: type: string description: The client key to use for authentication, in PEM format. primary_api_addr: type: string description: The API address of the primary. If not set, the value the primary supplies in the token will be used, which is the primary's redirect address. token: type: string description: The token given by the primary to activate secondary status for this cluster. SysRevokeRequest: title: SysRevokeRequest type: object properties: lease_id: type: string description: The lease identifier to renew. This is included with a lease. sync: type: boolean description: Whether or not to perform the revocation synchronously default: true url_lease_id: type: string description: The lease identifier to renew. This is included with a lease. SysRevokePrefixRequest: title: SysRevokePrefixRequest type: object properties: sync: type: boolean description: Whether or not to perform the revocation synchronously default: true SysRevokeRequest1: title: SysRevokeRequest1 type: object properties: lease_id: type: string description: The lease identifier to renew. This is included with a lease. sync: type: boolean description: Whether or not to perform the revocation synchronously default: true SysStorageRaftBootstrapAnswerRequest: title: SysStorageRaftBootstrapAnswerRequest type: object properties: answer: type: string cluster_addr: type: string non_voter: type: boolean server_id: type: string SysStorageRaftBootstrapChallengeRequest: title: SysStorageRaftBootstrapChallengeRequest type: object properties: server_id: type: string SysStorageRaftRemovePeerRequest: title: SysStorageRaftRemovePeerRequest type: object properties: server_id: type: string SysToolsHashRequest: title: SysToolsHashRequest type: object properties: algorithm: type: string description: 'Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to "sha2-256".' default: sha2-256 format: type: string description: Encoding format to use. Can be "hex" or "base64". Defaults to "hex". default: hex input: type: string description: The base64-encoded input data urlalgorithm: type: string description: Algorithm to use (POST URL parameter) SysToolsHashRequest1: title: SysToolsHashRequest1 type: object properties: algorithm: type: string description: 'Algorithm to use (POST body parameter). Valid values are: * sha2-224 * sha2-256 * sha2-384 * sha2-512 Defaults to "sha2-256".' default: sha2-256 format: type: string description: Encoding format to use. Can be "hex" or "base64". Defaults to "hex". default: hex input: type: string description: The base64-encoded input data SysToolsRandomRequest: title: SysToolsRandomRequest type: object properties: bytes: type: integer description: The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits). format: int32 default: 32 format: type: string description: Encoding format to use. Can be "hex" or "base64". Defaults to "base64". default: base64 urlbytes: type: string description: The number of bytes to generate (POST URL parameter) SysToolsRandomRequest1: title: SysToolsRandomRequest1 type: object properties: bytes: type: integer description: The number of bytes to generate (POST body parameter). Defaults to 32 (256 bits). format: int32 default: 32 format: type: string description: Encoding format to use. Can be "hex" or "base64". Defaults to "base64". default: base64 SysUnsealRequest: title: SysUnsealRequest type: object properties: key: type: string description: Specifies a single master key share. This is required unless reset is true. reset: type: boolean description: Specifies if previously-provided unseal keys are discarded and the unseal process is reset. SysWrappingLookupRequest: title: SysWrappingLookupRequest type: object properties: token: type: string SysWrappingRewrapRequest: title: SysWrappingRewrapRequest type: object properties: token: type: string SysWrappingUnwrapRequest: title: SysWrappingUnwrapRequest type: object properties: token: type: string tags: - name: secrets description: '' - name: auth description: '' - name: identity description: '' - name: system description: ''