2015-04-10 05:52:02 +00:00
---
2017-03-17 18:06:03 +00:00
layout: "api"
2015-04-10 05:52:02 +00:00
page_title: "HTTP API"
New Docs Website (#5535)
* conversion stage 1
* correct image paths
* add sidebar title to frontmatter
* docs/concepts and docs/internals
* configuration docs and multi-level nav corrections
* commands docs, index file corrections, small item nav correction
* secrets converted
* auth
* add enterprise and agent docs
* add extra dividers
* secret section, wip
* correct sidebar nav title in front matter for apu section, start working on api items
* auth and backend, a couple directory structure fixes
* remove old docs
* intro side nav converted
* reset sidebar styles, add hashi-global-styles
* basic styling for nav sidebar
* folder collapse functionality
* patch up border length on last list item
* wip restructure for content component
* taking middleman hacking to the extreme, but its working
* small css fix
* add new mega nav
* fix a small mistake from the rebase
* fix a content resolution issue with middleman
* title a couple missing docs pages
* update deps, remove temporary markup
* community page
* footer to layout, community page css adjustments
* wip downloads page
* deps updated, downloads page ready
* fix community page
* homepage progress
* add components, adjust spacing
* docs and api landing pages
* a bunch of fixes, add docs and api landing pages
* update deps, add deploy scripts
* add readme note
* update deploy command
* overview page, index title
* Update doc fields
Note this still requires the link fields to be populated -- this is solely related to copy on the description fields
* Update api_basic_categories.yml
Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages.
* Add bottom hero, adjust CSS, responsive friendly
* Add mega nav title
* homepage adjustments, asset boosts
* small fixes
* docs page styling fixes
* meganav title
* some category link corrections
* Update API categories page
updated to reflect the second level headings for api categories
* Update docs_detailed_categories.yml
Updated to represent the existing docs structure
* Update docs_detailed_categories.yml
* docs page data fix, extra operator page remove
* api data fix
* fix makefile
* update deps, add product subnav to docs and api landing pages
* Rearrange non-hands-on guides to _docs_
Since there is no place for these on learn.hashicorp, we'll put them
under _docs_.
* WIP Redirects for guides to docs
* content and component updates
* font weight hotfix, redirects
* fix guides and intro sidenavs
* fix some redirects
* small style tweaks
* Redirects to learn and internally to docs
* Remove redirect to `/vault`
* Remove `.html` from destination on redirects
* fix incorrect index redirect
* final touchups
* address feedback from michell for makefile and product downloads
2018-10-19 15:40:11 +00:00
sidebar_title: "Overview"
sidebar_current: "api-http-overview"
2015-04-10 05:52:02 +00:00
description: |-
Vault has an HTTP API that can be used to control every aspect of Vault.
---
# HTTP API
2018-08-28 19:33:19 +00:00
The Vault HTTP API gives you full access to Vault via HTTP. Every aspect of
Vault can be controlled via this API. The Vault CLI uses the HTTP API to access
Vault.
2015-04-10 05:52:02 +00:00
All API routes are prefixed with `/v1/` .
2018-08-28 19:33:19 +00:00
This documentation is only for the v1 API, which is currently the only version.
2015-04-10 05:52:02 +00:00
2018-08-28 19:33:19 +00:00
~> **Backwards compatibility:** At the current version, Vault does not yet
promise backwards compatibility even with the v1 prefix. We'll remove this
warning when this policy changes. At this point in time the core API (that
is, `sys/` routes) change very infrequently, but various secrets engines/auth
methods/etc. sometimes have minor changes to accommodate new features as
they're developed.
2015-04-10 05:52:02 +00:00
## Transport
2018-08-28 19:33:19 +00:00
The API is expected to be accessed over a TLS connection at all times, with a
valid certificate that is verified by a well-behaved client. It is possible to
disable TLS verification for listeners, however, so API clients should expect
to have to do both depending on user settings.
2015-04-10 05:52:02 +00:00
## Authentication
2018-08-28 19:33:19 +00:00
Once Vault is unsealed, almost every other operation requires a _client token_ .
2018-10-02 13:31:01 +00:00
A user may have a client token sent to them. The client token must be sent as
2018-10-17 14:38:15 +00:00
either the `X-Vault-Token` HTTP Header or as `Authorization` HTTP Header using
the `Bearer <token>` scheme.
2015-04-10 05:52:02 +00:00
2016-01-19 23:09:26 +00:00
Otherwise, a client token can be retrieved via [authentication
backends](/docs/auth/index.html).
2015-04-10 05:52:02 +00:00
2018-08-28 19:33:19 +00:00
Each auth method has one or more unauthenticated login endpoints. These
endpoints can be reached without any authentication, and are used for
authentication to Vault itself. These endpoints are specific to each auth
method.
Responses from auth login methods that generate an authentication token are
sent back to the client via JSON. The resulting token should be saved on the
2018-10-17 14:38:15 +00:00
client or passed via the `X-Vault-Token` or `Authorization` header for future requests.
2018-08-28 19:33:19 +00:00
## Namespaces
2015-04-10 05:52:02 +00:00
2018-08-28 19:33:19 +00:00
If using the [Namespaces ](/docs/enterprise/namespaces/index.html ) feature, API
operations are relative to the namespace value passed in via the
`X-Vault-Namespace` header. For instance, if the request path is to
`secret/foo` , and the header is set to `ns1/ns2/` , the final request path Vault
uses will be `ns1/ns2/secret/foo` . Note that it is semantically equivalent to
use a full path rather than the `X-Vault-Namespace` header, as the operation in
Vault will always look up the correct namespace based on the final given path.
Thus, it would be equivalent to the above example to set `X-Vault-Namespace` to
`ns1/` and a request path of `ns2/secret/foo` , or to not set
`X-Vault-Namespace` at all and use a request path of `ns1/ns2/secret/foo` .
2015-04-10 05:52:02 +00:00
2018-08-29 15:26:23 +00:00
For example, the following two commands result in equivalent requests:
```shell
$ curl \
-H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-H "X-Vault-Namespace: ns1/ns2/" \
-X GET \
http://127.0.0.1:8200/v1/secret/foo
```
```shell
$ curl \
-H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-X GET \
http://127.0.0.1:8200/v1/ns1/ns2/secret/foo
```
2018-08-28 19:33:19 +00:00
## API Operations
2016-01-19 23:09:26 +00:00
2018-08-28 19:33:19 +00:00
With few documented exceptions, all request body data and response data from
Vault is via JSON. Vault will set the `Content-Type` header appropriately but
does not require that clients set it.
2015-05-28 21:28:25 +00:00
2018-08-28 19:33:19 +00:00
Different plugins implement different APIs according to their functionality.
The examples below are created with the `KVv1` backend, which acts like a very
simple Key/Value store. Read the documentation for a particular backend for
detailed information on its API; this simply provides a general overview.
For `KVv1` , reading a secret via the HTTP API is done by issuing a GET:
2015-05-28 21:28:25 +00:00
2015-06-01 04:23:44 +00:00
```text
/v1/secret/foo
```
2015-05-28 21:28:25 +00:00
2016-01-19 23:09:26 +00:00
This maps to `secret/foo` where `foo` is the key in the `secret/` mount, which
2017-09-15 13:02:29 +00:00
is mounted by default on a fresh Vault install and is of type `kv` .
2015-05-28 21:28:25 +00:00
Here is an example of reading a secret using cURL:
2015-06-01 04:23:44 +00:00
```shell
2015-10-12 16:10:22 +00:00
$ curl \
-H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-X GET \
http://127.0.0.1:8200/v1/secret/foo
2015-06-01 04:23:44 +00:00
```
2015-05-28 21:28:25 +00:00
2018-08-28 19:33:19 +00:00
A few endpoints consume query parameters via `GET` calls, but only if those
parameters are not sensitive, as some load balancers will log these. Most
endpoints that consume parameters use `POST` instead and put the parameters in
the request body.
2016-01-19 23:09:26 +00:00
You can list secrets as well. To do this, either issue a GET with the query
2018-08-28 19:33:19 +00:00
parameter `list=true` , or you can use the `LIST` HTTP verb. For the `kv`
2016-01-19 23:09:26 +00:00
backend, listing is allowed on directories only, and returns the keys in the
given directory:
```shell
$ curl \
-H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
2017-09-13 01:58:17 +00:00
-X LIST \
http://127.0.0.1:8200/v1/secret/
2016-01-19 23:09:26 +00:00
```
2018-08-28 19:33:19 +00:00
The API documentation uses `LIST` as the HTTP verb, but you can still use `GET`
with the `?list=true` query string.
2017-09-13 01:58:17 +00:00
2018-08-28 19:33:19 +00:00
To use an API that consumes data via request body, issue a `POST` or `PUT` :
2015-05-28 21:28:25 +00:00
2015-06-01 04:23:44 +00:00
```text
/v1/secret/foo
```
2015-05-28 21:28:25 +00:00
2015-06-01 04:23:44 +00:00
with a JSON body like:
2015-05-28 21:28:25 +00:00
```javascript
{
"value": "bar"
}
```
Here is an example of writing a secret using cURL:
2015-06-01 04:23:44 +00:00
```shell
2015-10-12 16:10:22 +00:00
$ curl \
-H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
-H "Content-Type: application/json" \
-X POST \
-d '{"value":"bar"}' \
http://127.0.0.1:8200/v1/secret/baz
2015-06-01 04:23:44 +00:00
```
2015-05-28 21:28:25 +00:00
2018-08-28 19:33:19 +00:00
Vault currently considers `PUT` and `POST` to be synonyms. Rather than trust a
2016-01-19 23:09:26 +00:00
client's stated intentions, Vault backends can implement an existence check to
discover whether an operation is actually a create or update operation based on
2018-08-28 19:33:19 +00:00
the data already stored within Vault. This makes permission management via ACLs
more flexible.
2016-01-19 23:09:26 +00:00
2015-06-01 04:23:44 +00:00
For more examples, please look at the Vault API client.
2015-05-28 21:28:25 +00:00
2015-04-10 05:52:02 +00:00
## Help
2018-08-28 19:33:19 +00:00
To retrieve the help for any API within Vault, including mounted backends, auth
methods, etc. then append `?help=1` to any URL. If you have valid permission to
2018-12-14 14:12:03 +00:00
access the path, then the help text will be return a markdown-formatted block in the `help` attribute of the response.
Additionally, with the [OpenAPI generation ](/api/system/internal-specs-openapi.html ) in Vault, you will get back a small
OpenAPI document in the `openapi` attribute. This document is relevant for the path you're looking up and any paths under it - also note paths in the OpenAPI document are relative to the initial path queried.
Example request:
```shell
$ curl \
-H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
http://127.0.0.1:8200/v1/secret?help=1
```
Example response:
2015-04-10 05:52:02 +00:00
2015-04-22 23:47:11 +00:00
```javascript
2018-12-14 14:12:03 +00:00
2015-04-22 23:47:11 +00:00
{
2018-12-14 14:12:03 +00:00
"help": "## DESCRIPTION\n\nThis backend provides a versioned key-value store. The kv backend reads and\nwrites arbitrary secrets to the storage backend. The secrets are\nencrypted/decrypted by Vault: they are never stored unencrypted in the backend\nand the backend never has an opportunity to see the unencrypted value. Each key\ncan have a configured number of versions, and versions can be retrieved based on\ntheir version numbers.\n\n## PATHS\n\nThe following paths are supported by this backend. To view help for\nany of the paths below, use the help command with any route matching\nthe path pattern. Note that depending on the policy of your auth token,\nyou may or may not be able to access certain paths.\n\n ^.*$\n\n\n ^config$\n Configures settings for the KV store\n\n ^data/(?P< path > .*)$\n Write, Read, and Delete data in the Key-Value Store.\n\n ^delete/(?P< path > .*)$\n Marks one or more versions as deleted in the KV store.\n\n ^destroy/(?P< path > .*)$\n Permanently removes one or more versions in the KV store\n\n ^metadata/(?P< path > .*)$\n Configures settings for the KV store\n\n ^undelete/(?P< path > .*)$\n Undeletes one or more versions from the KV store.",
"openapi": {
"openapi": "3.0.2",
"info": {
"title": "HashiCorp Vault API",
"description": "HTTP API that gives you full access to Vault. All API routes are prefixed with `/v1/` .",
"version": "1.0.0",
"license": {
"name": "Mozilla Public License 2.0",
"url": "https://www.mozilla.org/en-US/MPL/2.0"
}
},
"paths": {
"/.*": {},
"/config": {
"description": "Configures settings for the KV store",
"x-vault-create-supported": true,
"get": {
"summary": "Read the backend level settings.",
"tags": [
"secrets"
],
"responses": {
"200": {
"description": "OK"
}
}
},
...[output truncated]...
}
}
2015-04-22 23:47:11 +00:00
}
```
2015-04-10 05:52:02 +00:00
2018-12-14 14:12:03 +00:00
2015-04-10 05:52:02 +00:00
## Error Response
A common JSON structure is always returned to return errors:
2015-04-22 23:47:11 +00:00
```javascript
{
"errors": [
"message",
"another message"
]
}
```
2015-04-10 05:52:02 +00:00
This structure will be sent down for any HTTP status greater than
or equal to 400.
## HTTP Status Codes
2018-08-28 19:33:19 +00:00
The following HTTP status codes are used throughout the API. Vault tries to
adhere to these whenever possible, but in some cases may not -- feel free to
file a bug in that case to point our attention to it!
2015-04-10 05:52:02 +00:00
2018-10-09 20:54:18 +00:00
~> *Note* : Applications should be prepared to accept both `200` and `204` as
success. `204` is simply an indication that there is no response body to parse,
but API endpoints that indicate that they return a `204` may return a `200` if
warnings are generated during the operation.
2015-04-10 05:52:02 +00:00
- `200` - Success with data.
- `204` - Success, no data returned.
2017-05-22 16:37:51 +00:00
- `400` - Invalid request, missing or invalid data.
2018-08-28 19:33:19 +00:00
- `403` - Forbidden, your authentication details are either incorrect, you
don't have access to this feature, or - if CORS is enabled - you made a
cross-origin request from an origin that is not allowed to make such
requests.
- `404` - Invalid path. This can both mean that the path truly doesn't exist or
that you don't have permission to view a specific path. We use 404 in some
cases to avoid state leakage.
- `429` - Default return code for health status of standby nodes. This will
likely change in the future.
- `473` - Default return code for health status of performance standby nodes.
- `500` - Internal server error. An internal error has occurred, try again
later. If the error persists, report a bug.
- `502` - A request to Vault required Vault making a request to a third party;
the third party responded with an error of some kind.
- `503` - Vault is down for maintenance or is currently sealed. Try again
later.
2017-02-06 23:24:40 +00:00
## Limits
2018-08-28 19:33:19 +00:00
A maximum request size of 32MB is imposed to prevent a denial of service attack
with arbitrarily large requests; this can be tuned per `listener` block in
Vault's server configuration file.