open-vault/website/source/docs/http/sys-audit-hash.html.md

---
layout: "http"
page_title: "HTTP API: /sys/audit-hash"
sidebar_current: "docs-http-audits-hash"
description: |-
  The `/sys/audit-hash` endpoint is used to hash data using an audit backend's hash function and salt.
---

# /sys/audit-hash

## POST

<dl>
  <dt>Description</dt>
  <dd>
    Hash the given input data with the specified audit backend's hash function
    and salt. This endpoint can be used to discover whether a given plaintext
    string (the `input` parameter) appears in the audit log in obfuscated form.
    Note that the audit log records requests and responses; since the Vault API
    is JSON-based, any binary data returned from an API call (such as a
    DER-format certificate) is base64-encoded by the Vault server in the
    response, and as a result such information should also be base64-encoded to
    supply into the `input` parameter.
  </dd>

  <dt>Method</dt>
  <dd>POST</dd>

  <dt>URL</dt>
  <dd>`/sys/audit-hash/<path>`</dd>

  <dt>Parameters</dt>
  <dd>
    <ul>
      <li>
        <span class="param">input</span>
        <span class="param-flags">required</span>
        The input string to hash.
      </li>
    </ul>
  </dd>

  <dt>Returns</dt>
  <dd>

    ```javascript
    {
      "hash": "hmac-sha256:08ba357e274f528065766c770a639abf6809b39ccfd37c2a3157c7f51954da0a"
    }
    ```

  </dd>
</dl>
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784 2015-11-19 01:26:03 +00:00			`---`
			`layout: "http"`
			`page_title: "HTTP API: /sys/audit-hash"`
			`sidebar_current: "docs-http-audits-hash"`
			`description: \|-`
			The `/sys/audit-hash` endpoint is used to hash data using an audit backend's hash function and salt.
			`---`

			`# /sys/audit-hash`

			`## POST`

			`<dl>`
			`<dt>Description</dt>`
			`<dd>`
			`Hash the given input data with the specified audit backend's hash function`
			`and salt. This endpoint can be used to discover whether a given plaintext`
			string (the `input` parameter) appears in the audit log in obfuscated form.
			`Note that the audit log records requests and responses; since the Vault API`
			`is JSON-based, any binary data returned from an API call (such as a`
			`DER-format certificate) is base64-encoded by the Vault server in the`
			`response, and as a result such information should also be base64-encoded to`
			supply into the `input` parameter.
			`</dd>`

			`<dt>Method</dt>`
			`<dd>POST</dd>`

			`<dt>URL</dt>`
Rename 'name' as 'path' in audit API docs 2016-03-14 22:33:51 +00:00			<dd>`/sys/audit-hash/<path>`</dd>
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784 2015-11-19 01:26:03 +00:00
			`<dt>Parameters</dt>`
			`<dd>`
			`<ul>`
			`<li>`
			`<span class="param">input</span>`
			`<span class="param-flags">required</span>`
			`The input string to hash.`
			`</li>`
			`</ul>`
			`</dd>`

			`<dt>Returns</dt>`
			`<dd>`

			```javascript
			`{`
			`"hash": "hmac-sha256:08ba357e274f528065766c770a639abf6809b39ccfd37c2a3157c7f51954da0a"`
			`}`
			```

			`</dd>`
			`</dl>`