---
layout: "api"
page_title: "HTTP API"
sidebar_current: "docs-http-overview"
description: |-
  Vault has an HTTP API that can be used to control every aspect of Vault.
---

# HTTP API

The Vault HTTP API gives you full access to Vault via HTTP. Every
aspect of Vault can be controlled via this API. The Vault CLI uses
the HTTP API to access Vault.

## Version Prefix

All API routes are prefixed with `/v1/`.

This documentation is only for the v1 API.

~> **Backwards compatibility:** At the current version, Vault does
not yet promise backwards compatibility even with the v1 prefix. We'll
remove this warning when this policy changes. We expect we'll reach API
stability by Vault 1.0.

## Transport

The API is expected to be accessed over a TLS connection at
all times, with a valid certificate that is verified by a
well-behaved client. It is possible to disable TLS verification for
listeners, however, so API clients should expect to support both
verified and unverified connections, depending on user settings.

## Authentication

Once the Vault is unsealed, every other operation requires a _client token_. A
user may have a client token sent to her. The client token must be sent as the
`X-Vault-Token` HTTP header.

Otherwise, a client token can be retrieved via [authentication
backends](/docs/auth/index.html).

Each authentication backend will have one or more unauthenticated login
endpoints. These endpoints can be reached without any authentication, and are
used for authentication itself. These endpoints are specific to each
authentication backend.

Login endpoints for authentication backends that generate an identity will
send that identity down via JSON. The resulting token should be saved on the
client or passed via the `X-Vault-Token` header for future requests.

## Reading, Writing, and Listing Secrets

Different backends implement different APIs according to their functionality.
The examples below are created with the `kv` backend, which acts like a
Key/Value store. Read the documentation for a particular backend for detailed
information on its API; this simply provides a general overview.

Reading a secret via the HTTP API is done by issuing a GET using the
following URL:

```text
/v1/secret/foo
```

This maps to `secret/foo` where `foo` is the key in the `secret/` mount, which
is mounted by default on a fresh Vault install and is of type `kv`.

Here is an example of reading a secret using cURL:

```shell
$ curl \
    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
    -X GET \
    http://127.0.0.1:8200/v1/secret/foo
```

You can list secrets as well. To do this, either issue a GET with the query
parameter `list=true`, or use the `LIST` HTTP verb. For the `kv`
backend, listing is allowed on directories only, and returns the keys in the
given directory:

```shell
$ curl \
    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
    -X GET \
    http://127.0.0.1:8200/v1/secret/?list=true
```

To write a secret, issue a POST on the following URL:

```text
/v1/secret/foo
```

with a JSON body like:

```javascript
{
  "value": "bar"
}
```

Here is an example of writing a secret using cURL:

```shell
$ curl \
    -H "X-Vault-Token: f3b09679-3001-009d-2b80-9c306ab81aa6" \
    -H "Content-Type: application/json" \
    -X POST \
    -d '{"value":"bar"}' \
    http://127.0.0.1:8200/v1/secret/baz
```

Vault currently considers PUT and POST to be synonyms. Rather than trust a
client's stated intentions, Vault backends can implement an existence check to
discover whether an operation is actually a create or update operation based on
the data already stored within Vault.

For more examples, please look at the Vault API client.

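The request side of the sections above (version prefix, transport, token header, read/list/write), sketched in Python as an added example that is not Vault's own client code. `build_request`, `tls_context` and the rule that plaintext HTTP is accepted only for loopback addresses are assumptions of this sketch; hosts and tokens passed to it in practice come from the caller.

```python
import json
import ssl
import urllib.request
from urllib.parse import quote, urlsplit

# "32MB" from the Limits section of this page, read here as 32 * 1024 * 1024 bytes (assumption).
MAX_REQUEST_BYTES = 32 * 1024 * 1024
LOOPBACK = {"127.0.0.1", "::1", "localhost"}  # assumption: local dev listeners only


def tls_context(ca_file=None, skip_verify=False):
    """Verify the server certificate by default; skip_verify mirrors a user opt-out."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if skip_verify:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(addr, token, op, path, data=None):
    """Map read/list/write on a mount path to a request under the /v1/ prefix."""
    parts = urlsplit(addr)
    if parts.scheme != "https" and parts.hostname not in LOOPBACK:
        raise ValueError("refusing to send a client token over plaintext HTTP")
    method = {"read": "GET", "list": "LIST", "write": "POST"}[op]
    headers = {"X-Vault-Token": token}
    body = None
    if op == "write":
        body = json.dumps(data).encode()
        if len(body) > MAX_REQUEST_BYTES:
            raise ValueError("body exceeds the 32MB request limit")
        headers["Content-Type"] = "application/json"
    url = addr.rstrip("/") + "/v1/" + quote(path.lstrip("/"))
    return urllib.request.Request(url, data=body, headers=headers, method=method)
```

Send the result with `urllib.request.urlopen(req, context=tls_context())`, reserving `skip_verify=True` for cases where the user has explicitly asked for it.
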
## Help

To retrieve the help for any API within Vault, including mounted
backends, credential providers, etc., append `?help=1` to any
URL. If you have valid permission to access the path, then the help text
will be returned with the following structure:

```javascript
{
  "help": "help text"
}
```

## Error Response

Errors are always returned in a common JSON structure:

```javascript
{
  "errors": [
    "message",
    "another message"
  ]
}
```

This structure will be sent down for any HTTP status greater than
or equal to 400.

## HTTP Status Codes

The following HTTP status codes are used throughout the API.

- `200` - Success with data.
- `204` - Success, no data returned.
- `400` - Invalid request, missing or invalid data.
- `403` - Forbidden, your authentication details are
  incorrect, you don't have access to this feature, or - if CORS is
  enabled - you made a cross-origin request from an origin that is
  not allowed to make such requests.
- `404` - Invalid path. This can mean either that the path truly
  doesn't exist or that you don't have permission to view a
  specific path. We use 404 in some cases to avoid state leakage.
- `429` - Default return code for health status of standby nodes, indicating a
  warning.
- `500` - Internal server error. An internal error has occurred,
  try again later. If the error persists, report a bug.
- `503` - Vault is down for maintenance or is currently sealed.
  Try again later.

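One way for a client to act on the error structure and status codes above, as an added example that is not Vault's own client code. The `Result` type, `interpret`, the kind labels and the choice to retry only on 500 and 503 are assumptions of this sketch.

```python
import json
from typing import NamedTuple, Optional


class Result(NamedTuple):
    ok: bool
    data: Optional[dict]
    kind: str
    errors: list
    retry: bool


# Labels are this sketch's own; the meanings come from the status code list above.
KINDS = {
    400: "invalid-request",
    403: "forbidden",
    # 404 does not prove the path is absent: it is also used when the token
    # lacks permission, so callers must not treat it as "safe to create".
    404: "not-found-or-not-permitted",
    429: "standby",
    500: "server-error",
    503: "sealed-or-maintenance",
}
RETRYABLE = {500, 503}  # the two codes the list describes as "try again later"


def interpret(status, body):
    """Classify one response from its status code and raw body bytes."""
    if status < 400:
        # 204 carries no data; 200 carries a JSON document
        data = json.loads(body) if status != 204 and body else None
        return Result(True, data, "success", [], False)
    try:
        parsed = json.loads(body)
    except ValueError:
        parsed = None  # e.g. an HTML error page from a proxy in front of Vault
    errors = parsed.get("errors") if isinstance(parsed, dict) else None
    if not isinstance(errors, list):
        errors = ["response body did not carry an errors array"]
    return Result(False, None, KINDS.get(status, "error"),
                  [str(e) for e in errors], status in RETRYABLE)
```
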
## Limits

A maximum request size of 32MB is imposed to prevent a denial
of service attack with arbitrarily large requests.