open-vault/website/source/api/auth/token/index.html.md.erb

---
layout: "api"
page_title: "Token - Auth Methods - HTTP API"
sidebar_title: "Tokens"
sidebar_current: "api-http-auth-token"
description: |-
  This is the API documentation for the Vault token auth method.
---
# Token Auth Method (API)
This is the API documentation for the Vault token auth method. For
general information about the usage and operation of the token method, please
see the [Vault Token method documentation](/docs/auth/token.html).
## List Accessors
This endpoint lists token accessors. This requires `sudo` capability, and access
to it should be tightly controlled as the accessors can be used to revoke very
large numbers of tokens and their associated leases at once.
| Method | Path |
| :--------------------------- | :--------------------- |
| `LIST` | `/auth/token/accessors` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/auth/token/accessors
```
### Sample Response
```json
{
"auth": null,
"warnings": null,
"wrap_info": null,
"data": {
"keys": [
"476ea048-ded5-4d07-eeea-938c6b4e43ec",
"bb00c093-b7d3-b0e9-69cc-c4d85081165b"
]
},
"lease_duration": 0,
"renewable": false,
"lease_id": ""
}
```
## Create Token
Creates a new token. Certain options are only available when called by a
root token. If used via the `/auth/token/create-orphan` endpoint, a root
token is not required to create an orphan token (otherwise set with the
`no_parent` option). If used with a role name in the path, the token will
be created against the specified role name; this may override options set
during this call.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/create` |
| `POST` | `/auth/token/create-orphan` |
| `POST` | `/auth/token/create/:role_name` |
### Parameters
- `id` `(string: "")` - The ID of the client token. Can only be specified by a
root token. Otherwise, the token ID is a randomly generated value.
- `role_name` `(string: "")` - The name of the token role.
- `policies` `(array: "")` - A list of policies for the token. This must be a
subset of the policies belonging to the token making the request, unless root.
If not specified, defaults to all the policies of the calling token.
- `meta` `(map: {})` - A map of string to string valued metadata. This is
passed through to the audit devices.
- `no_parent` `(bool: false)` - If true and set by a root caller, the token will
not have the parent token of the caller. This creates a token with no parent.
- `no_default_policy` `(bool: false)` - If true the `default` policy will not be
contained in this token's policy set.
- `renewable` `(bool: true)` - Set to `false` to disable the ability of the token
to be renewed past its initial TTL. Setting the value to `true` will allow
the token to be renewable up to the system/mount maximum TTL.
- `lease` `(string: "")` - DEPRECATED; use `ttl` instead.
- `ttl` `(string: "")` - The TTL period of the token, provided as "1h", where
hour is the largest suffix. If not provided, the token is valid for the
[default lease TTL](/docs/configuration/index.html), or indefinitely if the
root policy is used.
- `type` `(string: "")` - The token type. Can be "batch" or "service". Defaults
to the type specified by the role configuration named by `role_name`.
- `explicit_max_ttl` `(string: "")` - If set, the token will have an explicit
max TTL set upon it. This maximum token TTL *cannot* be changed later, and
unlike with normal tokens, updates to the system/mount max TTL value will
have no effect at renewal time -- the token will never be able to be renewed
or used past the value set at issue time.
- `display_name` `(string: "token")` - The display name of the token.
- `num_uses` `(integer: 0)` - The maximum uses for the given token. This can be
used to create a one-time-token or limited use token. The value of 0 has no
limit to the number of uses.
- `period` `(string: "")` - If specified, the token will be periodic; it will have
no maximum TTL (unless an `explicit_max_ttl` is also set) but every renewal
will use the given period. Requires a root/sudo token to use.
- `entity_alias` `(string: "")` - Name of the entity alias to associate with
during token creation. Only works in combination with the `role_name` argument,
and the entity alias used must be listed in `allowed_entity_aliases`. If this has
been specified, the entity will not be inherited from the parent.
### Sample Payload
```json
{
"policies": [
"web",
"stage"
],
"meta": {
"user": "armon"
},
"ttl": "1h",
"renewable": true
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/token/create
```
### Sample Response
```json
{
"request_id": "f00341c1-fad5-f6e6-13fd-235617f858a1",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": [
"Policy \"stage\" does not exist",
"Policy \"web\" does not exist"
],
"auth": {
"client_token": "s.wOrq9dO9kzOcuvB06CMviJhZ",
"accessor": "B6oixijqmeR4bsLOJH88Ska9",
"policies": [
"default",
"stage",
"web"
],
"token_policies": [
"default",
"stage",
"web"
],
"metadata": {
"user": "armon"
},
"lease_duration": 3600,
"renewable": true,
"entity_id": "",
"token_type": "service",
"orphan": false
}
}
```
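A pre-flight check for `/auth/token/create` request bodies, based on the parameter descriptions above. This is an added example, not code from the Vault project; the 24-hour ceiling, the finding codes and the second payload are assumptions made for illustration.

```python
import re

# Assumed organisational ceiling for a token's initial TTL; not a Vault default.
MAX_TTL_SECONDS = 24 * 3600

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}  # hour is the largest suffix
DURATION_PART = re.compile(r"(\d+)([smh])")


def parse_ttl(value):
    """Convert "1h", "90m", "1h30m" or a bare number of seconds to seconds."""
    text = str(value).strip()
    if text.isdigit():
        return int(text)
    parts = DURATION_PART.findall(text)
    # Every character must be consumed, so "1d" or "1h foo" is rejected.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported TTL: {value!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def lint_create_payload(payload, max_ttl=MAX_TTL_SECONDS):
    """Return (code, message) findings for a /auth/token/create request body."""
    findings = []
    if "policies" not in payload:
        findings.append(("inherits-policies",
                         "policies omitted: defaults to all policies of the calling token"))
    elif "root" in payload["policies"]:
        findings.append(("root-policy", "root policy requested"))
    if "lease" in payload:
        findings.append(("deprecated-lease", "lease is deprecated; use ttl"))
    ttl = payload.get("ttl") or payload.get("lease")
    if not ttl:
        findings.append(("no-ttl", "ttl omitted: the default lease TTL applies"))
    elif parse_ttl(ttl) > max_ttl:
        findings.append(("ttl-too-long", f"ttl {ttl} exceeds the {max_ttl}s ceiling"))
    if not payload.get("explicit_max_ttl"):
        if payload.get("period"):
            findings.append(("periodic-uncapped",
                             "period without explicit_max_ttl: no maximum TTL"))
        elif payload.get("renewable", True):
            findings.append(("no-hard-cap",
                             "renewable up to the system/mount max TTL, which can change"))
    if payload.get("no_parent"):
        findings.append(("orphan", "no_parent: token has no parent"))
    if payload.get("id"):
        findings.append(("fixed-id", "id supplied: token ID is not randomly generated"))
    return findings


# The page's sample payload, followed by a constructed payload for contrast.
PAGE_SAMPLE = {"policies": ["web", "stage"], "meta": {"user": "armon"},
               "ttl": "1h", "renewable": True}
CONSTRUCTED = {"ttl": "72h", "period": "1h", "no_parent": True}

if __name__ == "__main__":
    for name, body in (("page sample", PAGE_SAMPLE), ("constructed", CONSTRUCTED)):
        print(name)
        for code, message in lint_create_payload(body):
            print(f"  [{code}] {message}")
```
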
## Lookup a Token
Returns information about the client token.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/lookup` |
### Parameters
- `token` `(string: <required>)` - Token to look up.
### Sample Payload
```json
{
"token": "ClientToken"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/token/lookup
```
### Sample Response
```json
{
"data": {
"accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
"creation_time": 1523979354,
"creation_ttl": 2764800,
"display_name": "ldap2-tesla",
"entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
"expire_time": "2018-05-19T11:35:54.466476215-04:00",
"explicit_max_ttl": 0,
"id": "cf64a70f-3a12-3f6c-791d-6cef6d390eed",
"identity_policies": [
"dev-group-policy"
],
"issue_time": "2018-04-17T11:35:54.466476078-04:00",
"meta": {
"username": "tesla"
},
"num_uses": 0,
"orphan": true,
"path": "auth/ldap2/login/tesla",
"policies": [
"default",
"testgroup2-policy"
],
"renewable": true,
"ttl": 2764790
}
}
```
## Lookup a Token (Self)
Returns information about the current client token.
| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/auth/token/lookup-self` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/token/lookup-self
```
### Sample Response
```json
{
"data": {
"accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
"creation_time": 1523979354,
"creation_ttl": 2764800,
"display_name": "ldap2-tesla",
"entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
"expire_time": "2018-05-19T11:35:54.466476215-04:00",
"explicit_max_ttl": 0,
"id": "cf64a70f-3a12-3f6c-791d-6cef6d390eed",
"identity_policies": [
"dev-group-policy"
],
"issue_time": "2018-04-17T11:35:54.466476078-04:00",
"meta": {
"username": "tesla"
},
"num_uses": 0,
"orphan": true,
"path": "auth/ldap2/login/tesla",
"policies": [
"default",
"testgroup2-policy"
],
"renewable": true,
"ttl": 2764790
}
}
```
## Lookup a Token Accessor
Returns information about the client token from the accessor.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/lookup-accessor` |
### Parameters
- `accessor` `(string: <required>)` - Token accessor to look up.
### Sample Payload
```json
{
"accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/token/lookup-accessor
```
### Sample Response
```json
{
"data": {
"accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed",
"creation_time": 1523979354,
"creation_ttl": 2764800,
"display_name": "ldap2-tesla",
"entity_id": "7d2e3179-f69b-450c-7179-ac8ee8bd8ca9",
"expire_time": "2018-05-19T11:35:54.466476215-04:00",
"explicit_max_ttl": 0,
"id": "",
"identity_policies": [
"dev-group-policy"
],
"issue_time": "2018-04-17T11:35:54.466476078-04:00",
"meta": {
"username": "tesla"
},
"num_uses": 0,
"orphan": true,
"path": "auth/ldap2/login/tesla",
"policies": [
"default",
"testgroup2-policy"
],
"renewable": true,
"ttl": 2763902
}
}
```
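The lookup-accessor response above leaves `id` empty, so a token inventory built from `LIST /auth/token/accessors` can only be acted on by accessor. The following added example (not code from the Vault project) triages such an inventory and builds `/auth/token/revoke-accessor` request bodies; the flag names, the 7-day threshold and the second and third inventory entries are assumptions.

```python
# Assumed review threshold for a token's original TTL (7 days); not a Vault setting.
LONG_LIVED_SECONDS = 7 * 24 * 3600

# "data" objects as returned by /auth/token/lookup-accessor. The first entry is
# the page's sample response (trimmed); the other two are constructed.
INVENTORY = [
    {"accessor": "8609694a-cdbc-db9b-d345-e782dbb562ed", "id": "",
     "display_name": "ldap2-tesla", "path": "auth/ldap2/login/tesla",
     "creation_ttl": 2764800, "explicit_max_ttl": 0, "ttl": 2763902,
     "orphan": True, "renewable": True, "num_uses": 0,
     "policies": ["default", "testgroup2-policy"]},
    {"accessor": "constructed-accessor-ci", "id": "",
     "display_name": "token-ci", "path": "auth/token/create/ci",
     "creation_ttl": 3600, "explicit_max_ttl": 7200, "ttl": 1800,
     "orphan": False, "renewable": True, "num_uses": 0,
     "policies": ["default", "ci"]},
    {"accessor": "constructed-accessor-root", "id": "",
     "display_name": "root", "path": "auth/token/root",
     "creation_ttl": 0, "explicit_max_ttl": 0, "ttl": 0,
     "orphan": True, "renewable": False, "num_uses": 0,
     "policies": ["root"]},
]


def flags_for(token):
    """Return review flags for one lookup-accessor "data" object."""
    flags = []
    if "root" in token["policies"]:
        flags.append("root-policy")
    if token["orphan"]:
        flags.append("orphan")  # no parent whose revocation would remove it
    if token["renewable"] and token["explicit_max_ttl"] == 0:
        flags.append("no-hard-cap")  # bounded only by the system/mount max TTL
    # Assumption: a creation_ttl of 0 means the token was issued without an expiry.
    if token["creation_ttl"] == 0 or token["creation_ttl"] > LONG_LIVED_SECONDS:
        flags.append("long-lived")
    return flags


def triage(inventory):
    """Map accessor -> flags, most-flagged first, leaving out clean tokens."""
    report = {t["accessor"]: flags_for(t) for t in inventory}
    ranked = sorted(report.items(), key=lambda item: -len(item[1]))
    return {accessor: flags for accessor, flags in ranked if flags}


def revoke_accessor_payloads(report, flag):
    """Request bodies for POST /auth/token/revoke-accessor, one per flagged token."""
    return [{"accessor": acc} for acc, flags in report.items() if flag in flags]


if __name__ == "__main__":
    report = triage(INVENTORY)
    for accessor, flags in report.items():
        print(accessor, ", ".join(flags))
    print(revoke_accessor_payloads(report, "root-policy"))
```
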
## Renew a Token
Renews a lease associated with a token. This is used to prevent the expiration
of a token, and the automatic revocation of it. Token renewal is possible only
if there is a lease associated with it.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/renew` |
### Parameters
- `token` `(string: <required>)` - Token to renew. This can be part of the URL
or the body.
- `increment` `(string: "")` - An optional requested lease increment can be
provided. This increment may be ignored.
### Sample Payload
```json
{
"token": "ClientToken"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/token/renew
```
### Sample Response
```json
{
"auth": {
"client_token": "ABCD",
"policies": [
"web",
"stage"
],
"metadata": {
"user": "armon"
},
"lease_duration": 3600,
"renewable": true
}
}
```
## Renew a Token (Self)
Renews a lease associated with the calling token. This is used to prevent the
expiration of a token, and the automatic revocation of it. Token renewal is
possible only if there is a lease associated with it.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/renew-self` |
### Parameters
- `increment` `(string: "")` - An optional requested lease increment can be
provided. This increment may be ignored.
### Sample Payload
```json
{
"increment": "1h"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/token/renew-self
```
### Sample Response
```json
{
"auth": {
"client_token": "ABCD",
"policies": [
"web",
"stage"
],
"metadata": {
"user": "armon"
},
"lease_duration": 3600,
"renewable": true
}
}
```
## Revoke a Token
Revokes a token and all child tokens. When the token is revoked, all dynamic secrets
generated with it are also revoked.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/revoke` |
### Parameters
- `token` `(string: <required>)` - Token to revoke.
### Sample Payload
```json
{
"token": "ClientToken"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/token/revoke
```
## Revoke a Token (Self)
Revokes the token used to call it and all child tokens. When the token is
revoked, all dynamic secrets generated with it are also revoked.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/revoke-self` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
http://127.0.0.1:8200/v1/auth/token/revoke-self
```
## Revoke a Token Accessor
Revokes the token associated with the accessor and all of its child tokens. This
is meant for cases where the token ID is not available but the token and its
children need to be revoked.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/revoke-accessor` |
### Parameters
- `accessor` `(string: <required>)` - Accessor of the token.
### Sample Payload
```json
{
"accessor": "2c84f488-2133-4ced-87b0-570f93a76830"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/token/revoke-accessor
```
## Revoke Token and Orphan Children
Revokes a token but not its child tokens. When the token is revoked, all secrets
generated with it are also revoked. All child tokens are orphaned, but can be
revoked subsequently using `/auth/token/revoke/`. This is a root-protected
endpoint.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/revoke-orphan` |
### Parameters
- `token` `(string: <required>)` - Token to revoke. This can be part of the URL
or the body.
### Sample Payload
```json
{
"token": "ClientToken"
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/token/revoke-orphan
```
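The difference between the revoke endpoints above, modelled on a small token tree. This is an added example, not code from the Vault project; the token names, the tree and the lease IDs are constructed, and the model covers only the parent/child and lease behaviour described on this page.

```python
# Constructed token tree: token name -> parent (None means the token is an orphan).
TREE = {
    "admin": None,
    "ci": "admin",
    "build": "ci",
    "deploy": "ci",
    "deploy-job": "deploy",
    "nomad-role": None,  # e.g. created against a role with orphan=true
}
# Constructed leases for dynamic secrets generated with each token.
LEASES = {"ci": ["database/creds/ci/1"], "deploy-job": ["aws/creds/deploy/7"]}


def descendants(tree, token):
    """Every token below `token`: children, grandchildren and so on."""
    found, frontier = set(), [token]
    while frontier:
        current = frontier.pop()
        children = {t for t, parent in tree.items() if parent == current}
        frontier.extend(children - found)
        found |= children
    return found


def revoke(tree, leases, token):
    """Model of revoke / revoke-accessor: the token and its whole subtree go."""
    gone = {token} | descendants(tree, token)
    remaining = {t: p for t, p in tree.items() if t not in gone}
    dropped = sorted(l for t in gone for l in leases.get(t, []))
    return gone, dropped, remaining


def revoke_orphan(tree, leases, token):
    """Model of revoke-orphan: only the token goes; its children lose their parent."""
    remaining = {t: (None if p == token else p)
                 for t, p in tree.items() if t != token}
    return {token}, sorted(leases.get(token, [])), remaining


def new_orphans(before, after):
    """Tokens that had a parent before the call and have none after it."""
    return sorted(t for t, p in after.items() if p is None and before[t] is not None)


if __name__ == "__main__":
    gone, dropped, left = revoke(TREE, LEASES, "ci")
    print("revoke ci        ->", sorted(gone), dropped, sorted(left))
    gone, dropped, left = revoke_orphan(TREE, LEASES, "ci")
    print("revoke-orphan ci ->", sorted(gone), dropped, sorted(left))
    # Each newly orphaned token now needs its own revoke call to be removed.
    print("follow-up needed ->", new_orphans(TREE, left))
```

After `revoke-orphan`, the `deploy-job` lease is still live because its token survived under the orphaned `deploy` token; revoking each token that `new_orphans` reports closes that gap.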
## Read Token Role
Fetches the named role configuration.
| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/auth/token/roles/:role_name`|
### Parameters
- `role_name` `(string: <required>)` - The name of the token role.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/token/roles/nomad
```
### Sample Response
```json
{
"request_id": "075a19cd-4e56-a3ca-d956-7609819831ec",
"lease_id": "",
"lease_duration": 0,
"renewable": false,
"data": {
"allowed_entity_aliases": [
"my-entity-alias"
],
"allowed_policies": [],
"disallowed_policies": [],
"explicit_max_ttl": 0,
"name": "nomad",
"orphan": false,
"path_suffix": "",
"period": 0,
"renewable": true,
"token_explicit_max_ttl": 0,
"token_period": 0,
"token_type": "default-service"
},
"warnings": null
}
```
## List Token Roles
List available token roles.
| Method | Path |
| :--------------------------- | :--------------------- |
| `LIST` | `/auth/token/roles` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/auth/token/roles
```
### Sample Response
```json
{
"data": {
"keys": [
"role1",
"role2"
]
}
}
```
## Create/Update Token Role
Creates (or replaces) the named role. Roles enforce specific behavior when
creating tokens that allow token functionality that is otherwise not
available or would require `sudo`/root privileges to access. Role
parameters, when set, override any provided options to the `create`
endpoints. The role name is also included in the token path, allowing all
tokens created against a role to be revoked using the
`/sys/leases/revoke-prefix` endpoint.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/roles/:role_name` |
### Parameters
- `role_name` `(string: <required>)` - The name of the token role.
- `allowed_policies` `(list: [])` - If set, tokens can be created with any
subset of the policies in this list, rather than the normal semantics of
tokens being a subset of the calling token's policies. The parameter is a
comma-delimited string of policy names. If at creation time
`no_default_policy` is not set and `"default"` is not contained in
`disallowed_policies`, the `"default"` policy will be added to the created
token automatically.
- `disallowed_policies` `(list: [])` - If set, successful token creation via
this role will require that no policies in the given list are requested. The
parameter is a comma-delimited string of policy names. Adding `"default"` to
this list will prevent `"default"` from being added automatically to created
tokens.
- `orphan` `(bool: false)` - If `true`, tokens created against this policy will
be orphan tokens (they will have no parent). As such, they will not be
automatically revoked by the revocation of any other token.
- `renewable` `(bool: true)` - Set to `false` to disable the ability of the token
to be renewed past its initial TTL. Setting the value to `true` will allow
the token to be renewable up to the system/mount maximum TTL.
- `path_suffix` `(string: "")` - If set, tokens created against this role will
have the given suffix as part of their path in addition to the role name. This
can be useful in certain scenarios, such as keeping the same role name in the
future but revoking all tokens created against it before some point in time.
The suffix can be changed, allowing new callers to have the new suffix as part
of their path, and then tokens with the old suffix can be revoked via
`/sys/leases/revoke-prefix`.
- `allowed_entity_aliases` `(string: "", or list: [])` - String or JSON list
of allowed entity aliases. If set, specifies the entity aliases which are
allowed to be used during token generation. This field supports globbing.
<%= partial "partials/tokenstorefields" %>
### Sample Payload
```json
{
"allowed_policies": [
"dev"
],
"name": "nomad",
"orphan": false,
"bound_cidrs": ["127.0.0.1/32", "128.252.0.0/16"],
"renewable": true,
"allowed_entity_aliases": ["web-entity-alias", "app-entity-*"]
}
```
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/token/roles/nomad
```
## Delete Token Role
This endpoint deletes the named token role.
| Method | Path |
| :--------------------------- | :--------------------- |
| `DELETE` | `/auth/token/roles/:role_name` |
### Parameters
- `role_name` `(string: <required>)` - The name of the token role.
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/auth/token/roles/admins
```
## Tidy Tokens
Performs some maintenance tasks to clean up invalid entries that may remain
in the token store. Generally, running this is not needed unless upgrade
notes or support personnel suggest it. This may perform a lot of I/O to the
storage method so should be used sparingly.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/token/tidy` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
http://127.0.0.1:8200/v1/auth/token/tidy
```
### Sample Response
```json
{
"request_id": "84437c7f-36a1-6c1d-381d-14ec99217e94",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": [
"Tidy operation successfully started. Any information from the operation will be printed to Vault's server logs."
],
"auth": null
}
```