---
layout: api
page_title: Transform - Secrets Engines - HTTP API
description: This is the API documentation for the Transform secrets engine.
---

# Transform Secrets Engine (API)

This is the API documentation for the Transform secrets engine. For general
information about the usage and operation of the secrets engine, please see the
[Transform secrets engine documentation](/docs/secrets/transform).

This documentation assumes the transform secrets engine is enabled at the
`/transform` path in Vault. Since it is possible to enable secrets engines at any
location, please update your API calls accordingly.

## Create/Update Role

This endpoint creates or updates the role with the given `name`. If a role with
the name does not exist, it will be created. If the role exists, it will be
updated with the new attributes.

| Method | Path                    |
| :----- | :---------------------- |
| `POST` | `/transform/role/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the role to create. This is part of the request URL.

- `transformations` `(list: [])` -
  Specifies the transformations that can be used with this role.

### Sample Payload

```json
{
  "transformations": ["creditcard-fpe", "creditcard-masking"]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/transform/role/example-role
```

## Read Role

This endpoint queries an existing role by the given name.

| Method | Path                    |
| :----- | :---------------------- |
| `GET`  | `/transform/role/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the role to read. This is part of the request URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/transform/role/example-role
```

### Sample Response

```json
{
  "data": {
    "transformations": ["creditcard-fpe", "creditcard-masking"]
  }
}
```

## List Roles

This endpoint lists all existing roles in the secrets engine.

| Method | Path              |
| :----- | :---------------- |
| `LIST` | `/transform/role` |

### Parameters

- `filter` `(string: "*")` –
  If provided, only returns role names that match the given glob.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/transform/role
```

### Sample Response

```json
{
  "data": {
    "keys": ["example-role"]
  }
}
```

## Delete Role

This endpoint deletes an existing role by the given name.

| Method   | Path                    |
| :------- | :---------------------- |
| `DELETE` | `/transform/role/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the role to delete. This is part of the request URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/transform/role/example-role
```

## Create/Update Transformation <sup>DEPRECATED (1.6)</sup>

This endpoint creates or updates a transformation with the given `name`. If a
transformation with the name does not exist, it will be created. If the
transformation exists, it will be updated with the new attributes. This
endpoint is deprecated as of version 1.6 in favor of the type-specific
configuration endpoints, and will be removed in a future release.

- [FPE](#create-update-fpe-transformation)
- [Masking](#create-update-masking-transformation)
- [Tokenization](#create-update-tokenization-transformation)

| Method | Path                              |
| :----- | :-------------------------------- |
| `POST` | `/transform/transformation/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the transformation to create or update. This is part of
  the request URL.

- `type` `(string: <required>)` -
  Specifies the type of transformation to perform. The types currently supported
  by this backend are `fpe`, `masking`, and `tokenization`. This value cannot be
  modified by an update operation after creation.

- `template` `(string: <required>)` -
  Specifies the template name to use for matching value on encode and decode
  operations when using this transformation. Ignored by the tokenization
  transformation type.

- `tweak_source` `(string: "supplied")` -
  Specifies the source of where the tweak value comes from. Valid sources are
  `supplied`, `generated`, and `internal`. Only used when the type is FPE.

- `masking_character` `(string: "*")` -
  Specifies the character to use for masking. If multiple characters are
  provided, only the first one is used and the rest are ignored. Only used when
  the type is masking.

- `allowed_roles` `(list: [])` -
  Specifies a list of allowed roles that this transformation can be assigned to.
  A role using this transformation must exist in this list in order for
  encode and decode operations to properly function.

### Sample Payload

```json
{
  "type": "fpe",
  "template": "builtin/creditcardnumber",
  "tweak_source": "internal",
  "allowed_roles": ["example-role"]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/transform/transformation/example-transformation
```

## Create/Update FPE Transformation

This endpoint creates or updates an FPE transformation with the given `name`. If a
transformation with the name does not exist, it will be created. If the
transformation exists, it will be updated with the new attributes.

| Method | Path                                   |
| :----- | :------------------------------------- |
| `POST` | `/transform/transformations/fpe/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the transformation to create or update. This is part of
  the request URL.

- `template` `(string: <required>)` -
  Specifies the template name to use for matching value on encode and decode
  operations when using this transformation.

- `tweak_source` `(string: "supplied")` -
  Specifies the source of where the tweak value comes from. Valid sources are
  `supplied`, `generated`, and `internal`. Only used when the type is FPE.

- `allowed_roles` `(list: [])` -
  Specifies a list of allowed roles that this transformation can be assigned to.
  A role using this transformation must exist in this list in order for
  encode and decode operations to properly function.

### Sample Payload

```json
{
  "template": "builtin/creditcardnumber",
  "tweak_source": "internal",
  "allowed_roles": ["example-role"]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/transform/transformations/fpe/example-transformation
```

## Create/Update Masking Transformation

This endpoint creates or updates a masking transformation with the given `name`. If a
transformation with the name does not exist, it will be created. If the
transformation exists, it will be updated with the new attributes.

| Method | Path                                       |
| :----- | :----------------------------------------- |
| `POST` | `/transform/transformations/masking/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the transformation to create or update. This is part of
  the request URL.

- `template` `(string: <required>)` -
  Specifies the template name to use for matching value on encode and decode
  operations when using this transformation.

- `masking_character` `(string: "*")` -
  Specifies the character to use for masking. If multiple characters are
  provided, only the first one is used and the rest are ignored. Only used when
  the type is masking.

- `allowed_roles` `(list: [])` -
  Specifies a list of allowed roles that this transformation can be assigned to.
  A role using this transformation must exist in this list in order for
  encode and decode operations to properly function.

### Sample Payload

```json
{
  "template": "builtin/creditcardnumber",
  "masking_character": "X",
  "allowed_roles": ["example-role"]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/transform/transformations/masking/example-transformation
```

## Create/Update Tokenization Transformation

This endpoint creates or updates a tokenization transformation with the given `name`. If a
transformation with the name does not exist, it will be created. If the
transformation exists, it will be updated with the new attributes.

| Method | Path                                            |
| :----- | :---------------------------------------------- |
| `POST` | `/transform/transformations/tokenization/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the transformation to create or update. This is part of
  the request URL.

- `mapping_mode` `(string: "default")` -
  Specifies the mapping mode for stored tokenization values. `default`
  is strongly recommended for highest security. `exportable` allows
  for all plaintexts to be decoded via the export-decoded endpoint
  in an emergency.

- `max_ttl` `(duration: "0")` -
  The maximum TTL of a token. If 0 or unspecified, tokens may have no expiration.

- `allowed_roles` `(list: [])` -
  Specifies a list of allowed roles that this transformation can be assigned to.
  A role using this transformation must exist in this list in order for
  encode and decode operations to properly function.

- `stores` `(list: ["builtin/internal"])` -
  The list of tokenization stores to use for tokenization state. Vault's
  internal storage is used by default.

### Sample Payload

```json
{
  "max_ttl": "365d",
  "allowed_roles": ["example-role"]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/transform/transformations/tokenization/example-transformation
```

## Read Transformation

This endpoint queries an existing transformation by the given name.

| Method | Path                              |
| :----- | :-------------------------------- |
| `GET`  | `/transform/transformation/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the transformation to read. This is part of the request URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/transform/transformation/example-transformation
```

### Sample Response

```json
{
  "data": {
    "allowed_roles": ["example-role"],
    "templates": ["builtin/creditcardnumber"],
    "tweak_source": "internal",
    "type": "fpe"
  }
}
```

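The `allowed_roles` requirement and the `mapping_mode` and `max_ttl` descriptions above can be checked before a configuration is applied. The following lint is an added example, not part of the Vault documentation or code base; the input layout (one dict of role payloads, one dict of transformation payloads carrying a `type` key) and the literal comparison of role names are assumptions, and the sample data is constructed.

```python
"""Lint a Transform configuration for role/transformation binding errors.

Added example. Assumptions: the config is held as two dicts keyed by name,
each value shaped like the payloads on this page (with a "type" key as in
the Read Transformation response), and allowed_roles entries are compared
as literal role names.
"""

# Constructed sample data, reusing the names from the page's payloads.
ROLES = {
    "example-role": {"transformations": ["creditcard-fpe", "creditcard-masking"]},
    "reporting": {"transformations": ["creditcard-fpe", "creditcard-legacy"]},
}
TRANSFORMATIONS = {
    "creditcard-fpe": {
        "type": "fpe",
        "template": "builtin/creditcardnumber",
        "tweak_source": "internal",
        "allowed_roles": ["example-role"],
    },
    "creditcard-masking": {
        "type": "masking",
        "template": "builtin/creditcardnumber",
        "masking_character": "X",
        "allowed_roles": ["example-role", "old-batch"],
    },
    "creditcard-token": {
        "type": "tokenization",
        "mapping_mode": "exportable",
        "allowed_roles": ["example-role"],
    },
}


def audit(roles, transformations):
    """Return a sorted list of (severity, role, transformation, message)."""
    findings = []

    # 1. Every transformation a role lists must exist and must name that
    #    role in allowed_roles, otherwise encode/decode will not function.
    for role, cfg in roles.items():
        for name in cfg.get("transformations", []):
            tcfg = transformations.get(name)
            if tcfg is None:
                findings.append(("error", role, name, "transformation is not defined"))
            elif role not in tcfg.get("allowed_roles", []):
                findings.append(("error", role, name, "role missing from allowed_roles"))

    for name, tcfg in transformations.items():
        # 2. allowed_roles entries that no role actually uses are stale
        #    grants worth pruning.
        for role in tcfg.get("allowed_roles", []):
            if name not in roles.get(role, {}).get("transformations", []):
                findings.append(("warn", role, name, "allowed_roles entry is unused"))

        # 3. Tokenization settings the parameter descriptions call out.
        if tcfg.get("type") == "tokenization":
            if tcfg.get("mapping_mode", "default") != "default":
                findings.append(("warn", "-", name, "mapping_mode is not default"))
            if str(tcfg.get("max_ttl", "0")) in ("0", "0s"):
                findings.append(("info", "-", name, "max_ttl is 0: tokens may never expire"))

    return sorted(findings)


if __name__ == "__main__":
    for severity, role, name, message in audit(ROLES, TRANSFORMATIONS):
        print(f"{severity:5} role={role:13} transformation={name:19} {message}")
```
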
## List Transformation

This endpoint lists all existing transformations in the secrets engine.

| Method | Path                        |
| :----- | :-------------------------- |
| `LIST` | `/transform/transformation` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/transform/transformation
```

### Sample Response

```json
{
  "data": {
    "keys": ["example-transformation"]
  }
}
```

## Delete Transformation

This endpoint deletes an existing transformation by the given name.

| Method   | Path                              |
| :------- | :-------------------------------- |
| `DELETE` | `/transform/transformation/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the transformation to delete. This is part of the
  request URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/transform/transformation/example-transformation
```

## Create/Update Template

This endpoint creates or updates a template with the given `name`. If a
template with the name does not exist, it will be created. If the
template exists, it will be updated with the new attributes.

| Method | Path                        |
| :----- | :-------------------------- |
| `POST` | `/transform/template/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the template to create. This is part of the
  request URL.

- `type` `(string: <required>)` -
  Specifies the type of pattern matching to perform. The only type currently
  supported by this backend is `regex`.

- `pattern` `(string: <required>)` -
  Specifies the pattern used to match a particular value. For regex type
  matching, capture groups determine the set of characters that should be matched
  against. Any matches outside of capture groups are retained
  post-transformation.

- `alphabet` `(string)` -
  Specifies the name of the alphabet to use when this template is used for FPE
  encoding and decoding operations.

- `encode_format` `(string: "")` -
  The regular expression template to use to format encoded values. This can be
  used to normalize the encoded output. If absent or empty, encoded values will
  preserve the format of the input value. This is only used during FPE
  transformations.

- `decode_formats` `(key-value-map: {})` -
  An optional map of regular expression templates that can be used to customize
  decoded output. For example, this can be used to decode only the last four
  digits of a credit card number. This is only used during FPE transformations.

### Sample Payload

```json
{
  "type": "regex",
  "alphabet": "builtin/numeric",
  "pattern": "(\\d{3})[-/](\\d{2})[-/](\\d{4})",
  "encode_format": "$1-$2-$3",
  "decode_formats": {
    "first-three": "$1",
    "last-four": "$3"
  }
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/transform/template/example-template
```

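The sketch below models how the `pattern`, `encode_format` and `decode_formats` values from the sample payload interact. It is an added example, not Vault's implementation: the position-dependent digit shift stands in for the FPE cipher and provides no security, and whole-value matching, ASCII-only `\d`, non-nested capture groups and `builtin/numeric` being the ten digits are assumptions.

```python
"""Model of a Transform regex template's data flow (added example).

Only the handling of capture groups and format strings is modelled. The
"cipher" is a placeholder shift over the alphabet, NOT format-preserving
encryption, chosen so the flow can be run offline.
"""
import re

# Values from the sample payload on this page.
PATTERN = r"(\d{3})[-/](\d{2})[-/](\d{4})"
ENCODE_FORMAT = "$1-$2-$3"
DECODE_FORMATS = {"first-three": "$1", "last-four": "$3"}
ALPHABET = "0123456789"  # assumed content of builtin/numeric

# re.ASCII keeps \d to 0-9 so every captured character is in ALPHABET.
_TEMPLATE = re.compile(PATTERN, re.ASCII)


def _standin_cipher(chars, decrypt=False):
    """Placeholder for FPE: length- and alphabet-preserving, reversible."""
    n = len(ALPHABET)
    out = []
    for i, c in enumerate(chars):
        shift = (7 * i + 3) % n
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(c) + shift) % n])
    return "".join(out)


def _match(value):
    m = _TEMPLATE.fullmatch(value)
    if m is None:
        raise ValueError("value does not match the template pattern")
    return m


def _rebuild(m, new_chars):
    """Write transformed characters back into the capture-group positions.

    Everything outside the groups (here the separators) is retained.
    Assumes the groups are not nested.
    """
    value, out, pos, used = m.string, [], 0, 0
    for g in range(1, m.re.groups + 1):
        start, end = m.span(g)
        out.append(value[pos:start])
        out.append(new_chars[used:used + (end - start)])
        used += end - start
        pos = end
    out.append(value[pos:])
    return "".join(out)


def _apply_format(fmt, value):
    """Expand $1, $2, ... in fmt with the capture groups of value."""
    m = _match(value)
    return re.sub(r"\$(\d+)", lambda ref: m.group(int(ref.group(1))), fmt)


def encode(value):
    m = _match(value)
    encoded = _rebuild(m, _standin_cipher("".join(m.groups())))
    # An empty encode_format preserves the input's own formatting.
    return _apply_format(ENCODE_FORMAT, encoded) if ENCODE_FORMAT else encoded


def decode(value, decode_format=None):
    m = _match(value)
    decoded = _rebuild(m, _standin_cipher("".join(m.groups()), decrypt=True))
    if decode_format is None:
        return decoded
    # A named decode format releases only the groups it references.
    return _apply_format(DECODE_FORMATS[decode_format], decoded)


if __name__ == "__main__":
    token = encode("123/45/6789")
    print(token, decode(token), decode(token, "last-four"))
```

Because `encode_format` normalizes the separators, `123/45/6789` and `123-45-6789` encode to the same value, and a caller given only the `last-four` decode format never sees the first two groups in cleartext.
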
## Read Template

This endpoint queries an existing template by the given name.

| Method | Path                        |
| :----- | :-------------------------- |
| `GET`  | `/transform/template/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the template to read. This is part of the request URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/transform/template/example-template
```

### Sample Response

```json
{
  "data": {
    "alphabet": "builtin/numeric",
    "decode_formats": {
      "first-three": "$1",
      "last-four": "$3"
    },
    "encode_format": "$1-$2-$3",
    "pattern": "(\\d{3})[-/](\\d{2})[-/](\\d{4})",
    "type": "regex"
  }
}
```

## List Template

This endpoint lists all existing templates in the secrets engine.

| Method | Path                  |
| :----- | :-------------------- |
| `LIST` | `/transform/template` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/transform/template
```

### Sample Response

```json
{
  "data": {
    "keys": ["example-template"]
  }
}
```

## Delete Template

This endpoint deletes an existing template by the given name.

| Method   | Path                        |
| :------- | :-------------------------- |
| `DELETE` | `/transform/template/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the template to delete. This is part of the
  request URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/transform/template/example-template
```

## Create/Update Alphabet

This endpoint creates or updates an alphabet with the given `name`. If an
alphabet with the name does not exist, it will be created. If the
alphabet exists, it will be updated with the new attributes.

| Method | Path                        |
| :----- | :-------------------------- |
| `POST` | `/transform/alphabet/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the alphabet to create. This is part of the
  request URL.

- `alphabet` `(string: <required>)` –
  Specifies the set of characters that can exist within the provided value
  and the encoded or decoded value for an FPE transformation.

### Sample Payload

```json
{
  "alphabet": "abc"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/transform/alphabet/example-alphabet
```

## Read Alphabet

This endpoint queries an existing alphabet by the given name.

| Method | Path                        |
| :----- | :-------------------------- |
| `GET`  | `/transform/alphabet/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the alphabet to read. This is part of the request URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/transform/alphabet/example-alphabet
```

### Sample Response

```json
{
  "data": {
    "alphabet": "abc"
  }
}
```

## List Alphabets

This endpoint lists all existing alphabets in the secrets engine.

| Method | Path                  |
| :----- | :-------------------- |
| `LIST` | `/transform/alphabet` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/transform/alphabet
```

### Sample Response

```json
{
  "data": {
    "keys": ["example-alphabet"]
  }
}
```

## Delete Alphabet

This endpoint deletes an existing alphabet by the given name.

| Method   | Path                        |
| :------- | :-------------------------- |
| `DELETE` | `/transform/alphabet/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the alphabet to delete. This is part of the request URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/transform/alphabet/example-alphabet
```

## Create/Update Tokenization Store
|
|
|
|
|
|
|
|
|
|
This endpoint creates or updates a storage configuration for use with tokenization.
|
|
|
|
|
The database user configured here should only have permission to `SELECT`,
|
|
|
|
|
`INSERT`, and `UPDATE` rows in the tables.
|
|
|
|
|
|
2022-05-13 19:00:33 +00:00
|
|
|
|
| Method | Path |
|
|
|
|
|
| :----- | :------------------------ |
|
|
|
|
|
| `POST` | `/transform/stores/:name` |
|
2020-11-09 16:58:54 +00:00
|
|
|
|
|
|
|
|
|
### Parameters
|
|
|
|
|
|
|
|
|
|
- `name` `(string: <required>)` –
|
|
|
|
|
Specifies the name of the store to create or update. This is part of
|
|
|
|
|
the request URL.
|
|
|
|
|
|
|
|
|
|
- `type` `(string: <required>)` -
|
2020-12-17 21:53:33 +00:00
|
|
|
|
Specifies the type of store. Currently only `sql` is supported.
|
2020-11-09 16:58:54 +00:00
|
|
|
|
|
2021-04-06 17:49:04 +00:00
|
|
|
|
- `driver` `(string: <required>)` -
|
2021-03-19 15:34:41 +00:00
|
|
|
|
Specifies the database driver to use, and thus which SQL database type.
|
2022-09-06 15:55:48 +00:00
|
|
|
|
Currently the supported options are `postgres`, `mysql`, and `mssql`.
|
2021-03-19 15:34:41 +00:00
|
|
|
|
|
2020-11-09 16:58:54 +00:00
|
|
|
|
- `connection_string` `(string: <required>)` -
|
|
|
|
|
A database connection string with template slots for username and password that
|
2021-04-06 17:49:04 +00:00
|
|
|
|
Vault will use for locating and connecting to a database. Each
|
|
|
|
|
database driver type has a different syntax for its connection strings.
|
|
|
|
|
|
|
|
|
|
> When using MySQL, make sure to append `?parseTime=true` to enable timestamp parsing.
|
2020-11-09 16:58:54 +00:00
|
|
|
|
|
|
|
|
|
- `username`: `(string: <required>)` -
|
|
|
|
|
The username value to use when connecting to the database.
|
|
|
|
|
|
|
|
|
|
- `password`: `(string: <required>)` -
|
|
|
|
|
The password value to use when connecting to the database.
|
|
|
|
|
|
2021-10-15 18:51:53 +00:00
|
|
|
|
- `supported_transformations: `(list: ["tokenization"])` The types of transformations this store can host. Currently only`tokenization`
|
|
|
|
|
is supported.
|
|
|
|
|
|
2020-11-09 16:58:54 +00:00
|
|
|
|
- `schema`: `(string: "public")` -
|
|
|
|
|
The schema within the database to expect tokenization state tables.
|
|
|
|
|
|
|
|
|
|
- `max_open_connections` `(int: 4)` -
|
|
|
|
|
The maximum number of connections to the database at any given time.
|
|
|
|
|
|
|
|
|
|
- `max_idle_connections` `(int: 4)` -
|
|
|
|
|
The maximum number of idle connections to the database at any given time.
|
|
|
|
|
|
|
|
|
|
- `max_connection_lifetime` `(duration: 0)` -
|
2021-10-15 18:51:53 +00:00
|
|
|
|
The maximum amount of time a connection can be open before closing it.
|
2022-06-13 12:51:07 +00:00
|
|
|
|
0 means no limit. Uses [duration format strings](/docs/concepts/duration-format).
|
2020-11-09 16:58:54 +00:00
|
|
|
|
|
2021-03-19 15:34:41 +00:00
|
|
|
|
### Sample Payloads

```json
{
  "type": "sql",
  "driver": "postgres",
  "connection_string": "postgresql://{{username}}:{{password}}@mydb.conhugeco.com/tokens",
  "username": "vault_user",
  "password": "very_secret"
}
```

```json
{
  "type": "sql",
  "driver": "mysql",
  "connection_string": "{{username}}:{{password}}@tcp(mydb.conhugeco.com:3306)/tokens",
  "username": "vault_user",
  "password": "very_secret"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/transform/stores/example-store
```

## Create/Update Store Schema

This endpoint creates or updates the underlying schema in an SQL type
tokenization store. The provided username and password are only used during
this call. This is so one may use a user with DDL privileges to create
or update the schema, but still use a much more limited user for ordinary
operation.

| Method | Path                             |
| :----- | :------------------------------- |
| `POST` | `/transform/stores/:name/schema` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the store to create or update. This is part of
  the request URL.

- `username`: `(string: <required>)` -
  The username value to use when connecting to the database.

- `password`: `(string: <required>)` -
  The password value to use when connecting to the database.

- `transformation_type`: `(string: "tokenization")` -
  The transformation type. Currently only `tokenization` is supported.

### Sample Payload

```json
{
  "username": "ddl_user",
  "password": "very_secret"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    https://127.0.0.1:8200/v1/transform/stores/example-store/schema
```

## Read Store

This endpoint queries an existing store by the given name.

| Method | Path                      |
| :----- | :------------------------ |
| `GET`  | `/transform/stores/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the store to read. This is part of the request URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/transform/stores/example-store
```

### Sample Response

```json
{
  "data": {
    "type": "sql",
    "connection_string": "postgresql://{{username}}:{{password}}@mydb.conhugeco.com/tokens",
    "supported_transformations": ["tokenization"]
  }
}
```

## List Stores

This endpoint lists all existing stores in the secrets engine.

| Method | Path                |
| :----- | :------------------ |
| `LIST` | `/transform/stores` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/transform/stores
```

### Sample Response

```json
{
  "data": {
    "keys": ["example-store"]
  }
}
```

## Delete Store

This endpoint deletes an existing store configuration by the given name.

| Method   | Path                      |
| :------- | :------------------------ |
| `DELETE` | `/transform/stores/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the store to delete. This is part of the
  request URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/transform/stores/example-store
```

## Encode

This endpoint encodes the provided value using a named role.

| Method | Path                           |
| :----- | :----------------------------- |
| `POST` | `/transform/encode/:role_name` |

### Parameters

- `role_name` `(string: <required>)` –
  Specifies the role name to use for this operation. This is specified as part
  of the URL.

- `value` `(string: <required>)` –
  Specifies the value to be encoded.

- `transformation` `(string)` –
  Specifies the transformation within the role that should be used for this
  encode operation. If a single transformation exists for the role, this parameter
  may be skipped and will be inferred. If multiple transformations exist, one
  must be specified.

- `ttl` `(duration: "0")` -
  Specifies the TTL of the resulting token. Only applicable for tokenization
  transformations.

- `metadata` `(string)` -
  For tokenization transforms, a list of key value pairs of the form
  `key1=value1,key2=value2,`... These optional metadata values will be
  stored with the value and can be retrieved with the
  [metadata](#retrieve-token-metadata) endpoint.

- `tweak` `(string)` –
  Specifies the **base64 encoded** tweak to use. Only applicable for FPE
  transformations with `supplied` as the tweak source. The tweak must be a
  7-byte value that is then base64 encoded.

- `reference` `(string: "")` -
  A user-supplied string that will be present in the `reference` field on the
  corresponding `batch_results` item in the response, to assist in understanding
  which result corresponds to a particular input. Only valid on batch requests
  when using `batch_input` below.

- `batch_input` `(array<object>: nil)` -
  Specifies a list of items to be encoded in a single batch. When this
  parameter is set, the `value`, `transformation`, `ttl`, `tweak` and
  `reference` parameters are ignored. Instead, the aforementioned parameters
  should be provided within each object in the list.

  ```json
  [
    {
      "value": "1111-1111-1111-1111",
      "transformation": "ccn-fpe"
    },
    {
      "value": "2222-2222-2222-2222",
      "transformation": "ccn-masking",
      "reference": "order#1234"
    },
    {
      "value": "3333-3333-3333-3333",
      "transformation": "ccn-tokenization",
      "ttl": "42d"
    }
  ]
  ```

**NOTE:** The response payload may return a tweak along with the encoded value
if the `tweak_source` for the specified transformation is set to `generated`.
The resource owner should properly store this tweak, which must be supplied back
when decrypting the encoded value.

### Sample Payload

```json
{
  "value": "1111-2222-3333-4444",
  "transformation": "ccn-fpe"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/encode/example-role
```

### Sample Response

```json
{
  "data": {
    "encoded_value": "5682-4613-6822-8064"
  }
}
```

### Sample Payload

```json
{
  "batch_input": [
    {
      "transformation": "ccn-fpe",
      "value": "1111-2222-3333-4444"
    },
    {
      "transformation": "ccn-tokenization",
      "value": "1111-2222-3333-4444",
      "reference": "order#1234"
    }
  ]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/encode/example-role
```

### Sample Response

```json
{
  "data": {
    "batch_results": [
      {
        "encoded_value": "5682-4613-6822-8064"
      },
      {
        "encoded_value": "Q4tYgFXHxURXf9MLekG82L51vSAQrDnpAiaB37J4VPRxoQEB3fRpwR",
        "reference": "order#1234"
      }
    ]
  }
}
```

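The batch rules of the Encode endpoint, worked through as an added example (not part of the Vault documentation or HashiCorp's code): it checks that a supplied tweak decodes to exactly 7 bytes, gives every item a unique `reference`, and pairs each `batch_results` entry with its input by that reference. The helper names, the `tweak` field inside a result, and the sample response are assumptions constructed for illustration.

```python
import base64
import binascii

TWEAK_LEN = 7  # the tweak must be 7 raw bytes before base64 encoding


def encode_tweak(raw: bytes) -> str:
    """Base64-encode a raw tweak after enforcing the 7-byte length."""
    if len(raw) != TWEAK_LEN:
        raise ValueError(f"tweak must be {TWEAK_LEN} bytes, got {len(raw)}")
    return base64.b64encode(raw).decode("ascii")


def check_tweak(b64: str) -> None:
    """Reject a tweak that is not strict base64 of exactly 7 bytes."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("tweak is not valid base64") from exc
    if len(raw) != TWEAK_LEN:
        raise ValueError(f"tweak decodes to {len(raw)} bytes, need {TWEAK_LEN}")


def build_batch(items):
    """Build a batch_input payload in which every item has a unique reference."""
    batch, seen = [], set()
    for index, item in enumerate(items):
        entry = dict(item)
        # Assumption: items without a caller-chosen reference get "item-<n>".
        ref = entry.setdefault("reference", f"item-{index}")
        if ref in seen:
            raise ValueError(f"duplicate reference {ref!r}")
        seen.add(ref)
        if "tweak" in entry:
            check_tweak(entry["tweak"])
        batch.append(entry)
    return {"batch_input": batch}


def match_results(payload, response):
    """Map each input reference to its encoded value and returned tweak."""
    by_ref = {}
    for result in response["data"]["batch_results"]:
        ref = result.get("reference")
        if ref is None:
            raise ValueError("batch result carries no reference")
        by_ref[ref] = result
    matched = {}
    for entry in payload["batch_input"]:
        ref = entry["reference"]
        if ref not in by_ref:
            raise KeyError(f"no result for reference {ref!r}")
        result = by_ref[ref]
        # A generated tweak (assumed field name "tweak") must be stored with
        # the encoded value, or the value cannot be decoded later.
        matched[ref] = {
            "encoded_value": result["encoded_value"],
            "tweak": result.get("tweak"),
        }
    return matched


# Constructed sample data: inputs modelled on the batch payload above and a
# response whose results arrive in a different order than the inputs.
SAMPLE_ITEMS = [
    {"value": "1111-2222-3333-4444", "transformation": "ccn-fpe",
     "tweak": encode_tweak(bytes(range(1, 8)))},
    {"value": "1111-2222-3333-4444", "transformation": "ccn-tokenization",
     "reference": "order#1234"},
]
SAMPLE_RESPONSE = {"data": {"batch_results": [
    {"encoded_value": "Q4tYgFXHxURXf9MLekG82L51vSAQrDnpAiaB37J4VPRxoQEB3fRpwR",
     "reference": "order#1234"},
    {"encoded_value": "5682-4613-6822-8064", "reference": "item-0"},
]}}

if __name__ == "__main__":
    payload = build_batch(SAMPLE_ITEMS)
    for ref, result in match_results(payload, SAMPLE_RESPONSE).items():
        print(ref, result["encoded_value"])
```
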
## Decode

This endpoint decodes the provided value using a named role.

| Method | Path                                            |
| :----- | :---------------------------------------------- |
| `POST` | `/transform/decode/:role_name(/:decode_format)` |

### Parameters

- `role_name` `(string: <required>)` –
  Specifies the role name to use for this operation. This is specified as part
  of the URL.

- `value` `(string: <required>)` –
  Specifies the value to be decoded.

- `decode_format` `(string)` -
  The name of the decode format to use for decoding. These are defined in
  `decode_formats` when creating the transformation's template, and can be used
  to selectively decode or format the output. If one is not defined or
  specified, the template's pattern will be used. Only applicable for FPE
  transformations.

- `transformation` `(string)` –
  Specifies the transformation within the role that should be used for this
  decode operation. If a single transformation exists for the role, this parameter
  may be skipped and will be inferred. If multiple transformations exist, one
  must be specified.

- `tweak` `(string)` – Specifies the **base64 encoded** tweak to use. Only
  applicable for FPE transformations with `supplied` or `generated` as the tweak
  source. The tweak must be a 7-byte value that is then base64 encoded.

- `reference` `(string: "")` -
  A user-supplied string that will be present in the `reference` field on the
  corresponding `batch_results` item in the response, to assist in understanding
  which result corresponds to a particular input. Only valid on batch requests
  when using `batch_input` below.

- `batch_input` `(array<object>: nil)` -
  Specifies a list of items to be decoded in a single batch. When this
  parameter is set, the `value`, `transformation`, `tweak` and
  `reference` parameters are ignored. Instead, the aforementioned parameters
  should be provided within each object in the list.

  ```json
  [
    {
      "value": "5682-4613-6822-8064",
      "transformation": "ccn-fpe"
    }
  ]
  ```

### Sample Payload

```json
{
  "value": "418-56-4374",
  "transformation": "example-transformation"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/decode/example-role
```

### Sample Response

```json
{
  "data": {
    "decoded_value": "111-22-3333"
  }
}
```

### Sample Payload

```json
{
  "value": "418-56-4374",
  "transformation": "example-transformation"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/decode/example-role/last-four
```

### Sample Response

```json
{
  "data": {
    "decoded_value": "4444"
  }
}
```

### Sample Payload

```json
{
  "batch_input": [
    {
      "transformation": "ccn-fpe",
      "value": "5682-4613-6822-8064",
      "reference": "order#1234"
    },
    {
      "transformation": "ccn-tokenization",
      "value": "Q4tYgFXHxURXf9MLekG82L51vSAQrDnpAiaB37J4VPRxoQEB3fRpwR"
    }
  ]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/decode/example-role
```

### Sample Response

```json
{
  "data": {
    "batch_results": [
      {
        "decoded_value": "1111-2222-3333-4444",
        "reference": "order#1234"
      },
      {
        "decoded_value": "1111-2222-3333-4444"
      }
    ]
  }
}
```

## Validate Token

This endpoint determines if a provided tokenized value is valid and unexpired.
Only valid for tokenization transformations.

| Method | Path                             |
| :----- | :------------------------------- |
| `POST` | `/transform/validate/:role_name` |

### Parameters

- `role_name` `(string: <required>)` –
  Specifies the role name to use for this operation. This is specified as part
  of the URL.

- `value` `(string: <required>)` –
  Specifies the token for which to check validity.

- `transformation` `(string)` –
  Specifies the transformation within the role that should be used for this
  decode operation. If a single transformation exists for the role, this parameter
  may be skipped and will be inferred. If multiple transformations exist, one
  must be specified.

- `reference` `(string: "")` -
  A user-supplied string that will be present in the `reference` field on the
  corresponding `batch_results` item in the response, to assist in understanding
  which result corresponds to a particular input. Only valid on batch requests
  when using `batch_input` below.

- `batch_input` `(array<object>: nil)` -
  Specifies a list of items to be validated in a single batch. When this
  parameter is set, the `value`, `transformation` and
  `reference` parameters are ignored. Instead, the aforementioned parameters
  should be provided within each object in the list.

  ```json
  [
    {
      "value": "CAESLAoYChAhsIt7Urh6GmN2VnxAeuLGENuF8fkFEhBYz7wwdFyJPrhyDmvZg7L0",
      "transformation": "ccn-tokenization"
    }
  ]
  ```

### Sample Payload

```json
{
  "value": "CAESLAoYChAhsIt7Urh6GmN2VnxAeuLGENuF8fkFEhBYz7wwdFyJPrhyDmvZg7L0",
  "transformation": "ccn-tokenization"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/validate/example-role
```

### Sample Response

```json
{
  "data": {
    "valid": true
  }
}
```

## Check Tokenization

This endpoint determines if a provided plaintext value has a valid, unexpired
tokenized value. Note that this cannot return the token, just confirm that a
tokenized value exists, but works for all tokenization modes.
This endpoint is only valid for tokenization transformations.

| Method | Path                              |
| :----- | :-------------------------------- |
| `POST` | `/transform/tokenized/:role_name` |

### Parameters

- `role_name` `(string: <required>)` –
  Specifies the role name to use for this operation. This is specified as part
  of the URL.

- `value` `(string: <required>)` –
  Specifies the plaintext for which to check whether it has been tokenized.

- `transformation` `(string)` –
  Specifies the transformation within the role that should be used for this
  decode operation. If a single transformation exists for the role, this parameter
  may be skipped and will be inferred. If multiple transformations exist, one
  must be specified.

- `reference` `(string: "")` -
  A user-supplied string that will be present in the `reference` field on the
  corresponding `batch_results` item in the response, to assist in understanding
  which result corresponds to a particular input. Only valid on batch requests
  when using `batch_input` below.

- `batch_input` `(array<object>: nil)` -
  Specifies a list of items to be decoded in a single batch. When this
  parameter is set, the `value`, `transformation`, and `reference` parameters are
  ignored. Instead, the aforementioned parameters should be provided within
  each object in the list. In addition, batched requests can add the `reference`
  field described above.

  ```json
  [
    {
      "value": "1111-1111-1111-1111",
      "transformation": "ccn-tokenization"
    }
  ]
  ```

### Sample Payload

```json
{
  "value": "1111-1111-1111-1111",
  "transformation": "ccn-tokenization"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/tokenized/example-role
```

### Sample Response

```json
{
  "data": {
    "tokenized": true
  }
}
```

## Lookup Token

This endpoint returns the token given a plaintext and optionally an
expiration or range of expirations. This operation is only supported
if the transformation is configured as 'convergent', or if the mapping
mode is exportable and the storage backend is external. Tokens may be
looked up with an explicit expiration, an expiration value of "any", or with a range
of acceptable expiration times. This endpoint is only valid for tokenization
transformations.

| Method | Path                           |
| :----- | :----------------------------- |
| `POST` | `/transform/tokens/:role_name` |

### Parameters

- `role_name` `(string: <required>)` –
  Specifies the role name to use for this operation. This is specified as part
  of the URL.

- `value` `(string: <required>)` –
  Specifies the token to test for whether it has a valid tokenization.

- `expiration` `(string: "")` - The precise expiration of the token. If omitted,
  this specifically searches for tokens with no expiration. If the string is
  "any", tokens with any or no expiration are returned. Otherwise,
  the string must be the RFC3339 formatted time and date of expiration. `expiration`
  may not be used at the same time as `min_expiration` and `max_expiration`.

- `min_expiration` `(string: "")` - The minimum expiration time of the token,
  inclusive, as an RFC3339 formatted time and date.
  `min_expiration` may not be used at the same time as `expiration`.
  When provided, `max_expiration` must also be provided.

- `max_expiration` `(string: "")` - The maximum expiration time of the token,
  inclusive, as an RFC3339 formatted time and date.
  `max_expiration` may not be used at the same time as `expiration`.
  When provided, `min_expiration` must also be provided.

- `transformation` `(string)` –
  Specifies the transformation within the role that should be used for this
  lookup operation. If a single transformation exists for the role, this parameter
  may be skipped and will be inferred. If multiple transformations exist, one
  must be specified.

- `reference` `(string: "")` -
  A user-supplied string that will be present in the `reference` field on the
  corresponding `batch_results` item in the response, to assist in understanding
  which result corresponds to a particular input. Only valid on batch requests
  when using `batch_input` below.

- `batch_input` `(array<object>: nil)` -
  Specifies a list of items to be decoded in a single batch. When this
  parameter is set, the `value`, `transformation`, and `reference` parameters are
  ignored. Instead, the aforementioned parameters should be provided within
  each object in the list. In addition, batched requests can add the `reference`
  field described above.

  ```json
  [
    {
      "value": "1111-1111-1111-1111",
      "expiration": "any",
      "transformation": "ccn-tokenization"
    }
  ]
  ```

### Sample Payload

```json
{
  "value": "1111-1111-1111-1111",
  "min_expiration": "2022-06-06T03:14:15+00:00",
  "max_expiration": "2022-06-07T09:26:53+00:00",
  "transformation": "ccn-tokenization"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/tokens/example-role
```

### Sample Response

```json
{
  "data": {
    "tokens": [
      "AHLdmFvTRknMBgrNSy6Ba7xJxG28KkZeHKqxGJ7e45G3V9UbcUr6gdv83ozwRRQwLfJgyHZvfa9rh7kU9xJXVdY"
    ]
  }
}
```

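A client-side check of the Lookup Token expiration rules before a payload is sent, as an added example (not Vault's own validation code). It rejects duplicated JSON keys, which most parsers silently collapse to the last value, malformed RFC3339 timestamps, and the forbidden combinations of `expiration`, `min_expiration` and `max_expiration`. The function names, the sample payloads, and the check that the minimum does not exceed the maximum are assumptions added here.

```python
import json
import re
from datetime import datetime

RFC3339 = re.compile(
    r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})"
)


def _reject_duplicates(pairs):
    """object_pairs_hook: fail on a repeated key instead of keeping the last."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen[key] = value
    return seen


def parse_rfc3339(text, field):
    """Parse an RFC3339 timestamp; two-digit hours and an offset are required."""
    match = RFC3339.fullmatch(text)
    if not match:
        raise ValueError(f"{field} is not an RFC3339 timestamp: {text!r}")
    base, frac, zone = match.groups()
    frac = (frac or "")[:6].ljust(6, "0")  # normalise to microseconds
    zone = "+00:00" if zone == "Z" else zone
    try:
        return datetime.fromisoformat(f"{base}.{frac}{zone}")
    except ValueError as exc:
        raise ValueError(f"{field} is not a real date/time: {text!r}") from exc


def validate_lookup(raw: str) -> dict:
    """Return the parsed payload, or raise ValueError naming the first problem."""
    body = json.loads(raw, object_pairs_hook=_reject_duplicates)
    if not isinstance(body, dict) or not body.get("value"):
        raise ValueError("value is required")
    exp = body.get("expiration", "")
    low = body.get("min_expiration", "")
    high = body.get("max_expiration", "")
    if exp and (low or high):
        raise ValueError("expiration cannot be combined with a min/max range")
    if bool(low) != bool(high):
        raise ValueError("min_expiration and max_expiration go together")
    if exp and exp != "any":
        parse_rfc3339(exp, "expiration")
    if low:
        start = parse_rfc3339(low, "min_expiration")
        end = parse_rfc3339(high, "max_expiration")
        if start > end:  # sanity check assumed here, not stated on the page
            raise ValueError("min_expiration is later than max_expiration")
    return body


# Constructed sample payloads.
GOOD_RANGE = """{"value": "1111-1111-1111-1111",
 "min_expiration": "2022-06-06T03:14:15+00:00",
 "max_expiration": "2022-06-07T09:26:53+00:00",
 "transformation": "ccn-tokenization"}"""
DUPLICATE_KEY = """{"value": "1111-1111-1111-1111",
 "min_expiration": "2022-06-06T03:14:15+00:00",
 "min_expiration": "2022-06-07T09:26:53+00:00"}"""
SHORT_HOUR = """{"value": "1111-1111-1111-1111",
 "expiration": "2022-06-06T3:14:15+00:00"}"""
MIXED = """{"value": "1111-1111-1111-1111", "expiration": "any",
 "min_expiration": "2022-06-06T03:14:15Z",
 "max_expiration": "2022-06-07T09:26:53Z"}"""

if __name__ == "__main__":
    samples = {"good": GOOD_RANGE, "duplicate": DUPLICATE_KEY,
               "short hour": SHORT_HOUR, "mixed": MIXED}
    for name, raw in samples.items():
        try:
            validate_lookup(raw)
            print(name, "-> ok")
        except ValueError as err:
            print(name, "->", err)
```
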
## Retrieve Token Metadata

This endpoint retrieves metadata for a tokenized value using a named role.
Only valid for tokenization transformations.

| Method | Path                             |
| :----- | :------------------------------- |
| `POST` | `/transform/metadata/:role_name` |

### Parameters

- `role_name` `(string: <required>)` –
  Specifies the role name to use for this operation. This is specified as part
  of the URL.

- `value` `(string: <required>)` –
  Specifies the token for which to retrieve metadata.

- `transformation` `(string)` –
  Specifies the transformation within the role that should be used for this
  decode operation. If a single transformation exists for the role, this parameter
  may be skipped and will be inferred. If multiple transformations exist, one
  must be specified.

- `reference` `(string: "")` -
  A user-supplied string that will be present in the `reference` field on the
  corresponding `batch_results` item in the response, to assist in understanding
  which result corresponds to a particular input. Only valid on batch requests
  when using `batch_input` below.

- `batch_input` `(array<object>: nil)` -
  Specifies a list of items to be decoded in a single batch. When this
  parameter is set, the `value` parameter is
  ignored. Instead, the aforementioned parameters should be provided within
  each object in the list. In addition, batched requests can add the `reference`
  field described above.

  ```json
  [
    {
      "value": "CAESLAoYChAhsIt7Urh6GmN2VnxAeuLGENuF8fkFEhBYz7wwdFyJPrhyDmvZg7L0",
      "transformation": "ccn-tokenization"
    }
  ]
  ```

### Sample Payload

```json
{
  "value": "CAESLAoYChAhsIt7Urh6GmN2VnxAeuLGENuF8fkFEhBYz7wwdFyJPrhyDmvZg7L0",
  "transformation": "ccn-tokenization"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/metadata/example-role
```

### Sample Response

```json
{
  "data": {
    "metadata": "Department=Marketing",
    "expiration_time": "2020-11-04T04:00:00+00:00"
  }
}
```

## Snapshot Tokenization State

This endpoint starts or continues retrieving a snapshot of the stored
state of a tokenization transform. This state is protected as it is
in the underlying store, and so is safe for storage or transport. Snapshots
may be used for backup purposes or to migrate from one store to another.
If more than one store is configured for a tokenization transform, the
snapshot data contains the contents of the first store.

Since more values may exist than can be returned in a single call, if
a snapshot has more values, the response will contain the `continuation`
field, an opaque value that if provided on a subsequent call will resume
snapshotting at the next value. If absent, the end of the snapshot has
been reached.

Snapshots are guaranteed to contain the values present at the time
of the first call to start the snapshot. Values tokenized after the
snapshot began may or may not be included.

| Method | Path                                                     |
| :----- | :------------------------------------------------------- |
| `POST` | `/transform/transformations/tokenization/snapshot/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the transformation to snapshot.

- `limit` `(int: 1000)` -
  The maximum number of tokenized value states to return on this call.

- `continuation` `(string: "")` -
  If absent or empty, a new snapshot is started. If present, the
  snapshot should continue at the next available value.

### Sample Payload
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"limit": 3,
|
|
|
|
|
"continuation": "2F1nUpUKMZUBnwQ77qByt1"
|
|
|
|
|
}
|
|
|
|
|
```
|
2021-04-06 17:49:04 +00:00
|
|
|
|
|
2021-03-19 15:34:41 +00:00
|
|
|
|
### Sample Request
|
|
|
|
|
|
|
|
|
|
```shell-session
|
|
|
|
|
$ curl \
|
|
|
|
|
--header "X-Vault-Token: ..." \
|
|
|
|
|
--request POST \
|
|
|
|
|
--data @payload.json \
|
|
|
|
|
http://127.0.0.1:8200/v1//transform/transformations/tokenization/snapshot/sample-transform
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Sample Response
|
|
|
|
|
|
|
|
|
|
```json
|
|
|
|
|
{
|
|
|
|
|
"data": {
|
|
|
|
|
"continuation": "2F1nUpUKMZUBnwQ77qBt4D",
|
|
|
|
|
"values": [
|
|
|
|
|
"CiDiVGJaXlcS0ky4mRVvfLdxk7FWh8ATcFMSbQRtWCs/HxJ8CAESIGQH2oukpwPAFoK2SaKUcYAxrnxtvJn7n5d3dWx2eCLcIkZ3FXcQKu5+Bnl4NzOSL2ZkU5t9OOpQOMg0lwsMkq0Vm98ANGC9RabaP2ePddzTkD58GBvsVetYVnqHQFZufQ2pw/EXkFIWMg4I4KvX4vf/////ARCgHw==",
|
|
|
|
|
"CiADFWL7/equiN83oWl/MvYWRYQLvjUxDVvoxK1Ghw4drBJ8CAESIOWPEUBUq4ATLY83P3vLknmWlKYjKVwTgB1z7hYGdyHPIka2nyOX1z3D4pMsZWwMFJlNBiT1Lb4MMZ6CUbclykLw/LBG5GTWQbOXx/3Vd54RAA82382mUem8Lu8BCMJYAa6vj/6aS9CLMg4I4KvX4vf/////ARCIJw==",
|
|
|
|
|
"CiBf2+RqeiXmIHIh2fytEKOesTZ5U31D4BZ5xyhpuj3UfRJ8CAESIOWPEUBUq4ATLY83P3vLknmWlKYjKVwTgB1z7hYGdyHPIkbbU3ho25Om5AsuLUdsAPiEnyRGbtUUDxrvSoz5T1OVY363dN08cN8diJJro+AE/Zv4QMnq9Vbu8FD237YkLV1bnX/t29ZMMg4I4KvX4vf/////ARDwLg=="
|
|
|
|
|
]
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Restore Tokenization State

This endpoint restores previously snapshotted tokenization state values
to the underlying store(s) of a tokenization transform. Calls to this
endpoint are idempotent, so multiple outputs from a snapshot run can
be applied via restore in any order and duplicates will not cause a problem.

Values snapshotted from a `default` mapping mode store cannot be restored
into an `exportable` mode store and vice versa.

| Method | Path                                                    |
| :----- | :------------------------------------------------------ |
| `POST` | `/transform/transformations/tokenization/restore/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the transformation to restore.

- `values` `([]string: <required>)` -
  Any number of tokenization state values from a previous snapshot call.

### Sample Payload

```json
{
  "values": [
    "CiDiVGJaXlcS0ky4mRVvfLdxk7FWh8ATcFMSbQRtWCs/HxJ8CAESIGQH2oukpwPAFoK2SaKUcYAxrnxtvJn7n5d3dWx2eCLcIkZ3FXcQKu5+Bnl4NzOSL2ZkU5t9OOpQOMg0lwsMkq0Vm98ANGC9RabaP2ePddzTkD58GBvsVetYVnqHQFZufQ2pw/EXkFIWMg4I4KvX4vf/////ARCgHw==",
    "CiADFWL7/equiN83oWl/MvYWRYQLvjUxDVvoxK1Ghw4drBJ8CAESIOWPEUBUq4ATLY83P3vLknmWlKYjKVwTgB1z7hYGdyHPIka2nyOX1z3D4pMsZWwMFJlNBiT1Lb4MMZ6CUbclykLw/LBG5GTWQbOXx/3Vd54RAA82382mUem8Lu8BCMJYAa6vj/6aS9CLMg4I4KvX4vf/////ARCIJw==",
    "CiBf2+RqeiXmIHIh2fytEKOesTZ5U31D4BZ5xyhpuj3UfRJ8CAESIOWPEUBUq4ATLY83P3vLknmWlKYjKVwTgB1z7hYGdyHPIkbbU3ho25Om5AsuLUdsAPiEnyRGbtUUDxrvSoz5T1OVY363dN08cN8diJJro+AE/Zv4QMnq9Vbu8FD237YkLV1bnX/t29ZMMg4I4KvX4vf/////ARDwLg=="
  ]
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/transformations/tokenization/restore/sample-transform
```

## Export Decoded Tokenization State

This endpoint starts or continues retrieving an export of tokenization
state, including the tokens and their decoded values. This call is only
supported on tokenization stores configured with the `exportable` mapping
mode. Refer to the Tokenization
[documentation](../../docs/secrets/transform/tokenization#security-considerations)
for when to use the `exportable` mapping mode.
Decoded values are in Base64 representation.

Since more values may exist than can be returned in a single call, if
an export has more values, the response will contain the `continuation`
field, an opaque value that, if provided on a subsequent call, will resume
the export at the next value. If the field is absent, the end of the export
has been reached.

Exports are guaranteed to contain the values present at the time
of the first call to start the export. Values tokenized after the
export began may or may not be included.

| Method | Path                                                           |
| :----- | :------------------------------------------------------------- |
| `POST` | `/transform/transformations/tokenization/export-decoded/:name` |

### Parameters

- `name` `(string: <required>)` –
  Specifies the name of the transformation to export.

- `limit` `(int: 1000)` -
  The maximum number of tokenized value states to return on this call.

- `continuation` `(string: "")` -
  If absent or empty, a new export is started. If present, the
  export continues at the next available value.

### Sample Payload

```json
{
  "limit": 3,
  "continuation": "2F1nUpUKMZUBnwQ77qByt1"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/transformations/tokenization/export-decoded/sample-transform
```

### Sample Response

```json
{
  "data": {
    "continuation": "4hELrrmGAwhHFjmMFny",
    "values": [
      {
        "plaintext": "dmFsdWUtMA==",
        "token": "Q4tYgFXHxUaPhDdV9rx2CduZGPxjYpAp1K523AUsNM5A2Z6DrXj3zz"
      },
      {
        "plaintext": "dmFsdWUtMg==",
        "token": "Q4tYgFXHxUNyMfqRW6fA82DYvMigwdf6JjATauyVzqx2SsmUShMhN5",
        "expiration_time": "2021-03-15T00:31:10Z"
      },
      {
        "plaintext": "dmFsdWUtMQ==",
        "token": "Q4tYgFXHxUNtW27owABRv5GjuxjXTCGebPr7xkqRAY18YVmfZsk2MV"
      }
    ]
  }
}
```
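
The following is an added example, not part of the Vault documentation or HashiCorp's code: it follows `continuation` until the field is absent, feeds each snapshot page to the restore endpoint, and decodes `export-decoded` rows. `post(path, payload)` is a caller-supplied function assumed to send the POST and return the response's `data` object, and `fake_vault` is a constructed in-memory stand-in so the code runs offline.

```python
import base64

BASE = "transform/transformations/tokenization"

def pages(post, path, limit=1000):
    """Yield each page of values from a snapshot or export-decoded endpoint.
    post(path, payload) is caller-supplied (an assumption of this example):
    it sends the POST to Vault and returns the response's "data" object."""
    payload = {"limit": limit}
    while True:
        data = post(path, payload)
        if data.get("values"):
            yield data["values"]
        if not data.get("continuation"):  # field absent: end reached
            return
        payload = {"limit": limit, "continuation": data["continuation"]}

def migrate(post, src, dst, limit=1000):
    """Restore every snapshot page of transform src into dst without
    decoding anything. Returns the number of state values sent."""
    sent = 0
    for page in pages(post, f"{BASE}/snapshot/{src}", limit):
        post(f"{BASE}/restore/{dst}", {"values": page})
        sent += len(page)
    return sent

def export_decoded(post, name, limit=1000):
    """Return {token: (plaintext bytes, expiration_time or None)}."""
    return {v["token"]: (base64.b64decode(v["plaintext"]), v.get("expiration_time"))
            for page in pages(post, f"{BASE}/export-decoded/{name}", limit)
            for v in page}

def fake_vault(stores):
    """Constructed in-memory stand-in for Vault so this runs offline.
    Its continuation is a list offset; Vault's is an opaque string."""
    def post(path, payload):
        op, name = path.split("/")[-2:]
        rows = stores.setdefault(name, [])
        if op == "restore":  # idempotent: values already stored are skipped
            rows += [v for v in payload["values"] if v not in rows]
            return {}
        start = int(payload.get("continuation") or 0)
        end = start + payload["limit"]
        data = {"values": rows[start:end]}
        if end < len(rows):
            data["continuation"] = str(end)
        return data
    return post
```

Migration goes through snapshot and restore, so values stay in their protected form; only `export_decoded` handles plaintext, and its output needs the same protection as the original data.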

## Rotate Tokenization Key

This endpoint rotates the version of the named key. After rotation,
new requests will be encoded with the new version of the key.

| Method | Path                                                  |
| :----- | :---------------------------------------------------- |
| `POST` | `/transform/tokenization/keys/:transform_name/rotate` |

### Parameters

- `transform_name` `(string: <required>)` –
  Specifies the transform name to use for this operation. This is specified as part
  of the URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    http://127.0.0.1:8200/v1/transform/tokenization/keys/transform_name/rotate
```

## Update Tokenization Key Config

This endpoint allows the minimum key version to be set for
decode operations.
Only valid for tokenization transformations.

| Method | Path                                                  |
| :----- | :---------------------------------------------------- |
| `POST` | `/transform/tokenization/keys/:transform_name/config` |

### Parameters

- `transform_name` `(string: <required>)` –
  Specifies the transform name to use for this operation. This is specified as part
  of the URL.

- `min_decryption_version` `(int: <optional>)` –
  Specifies the minimum key version that Vault can use to decode values for the
  corresponding transform.

- `auto_rotate_period` `(duration: "0", optional)` - The period at which this key
  should be rotated automatically. Setting this to "0" will disable automatic key
  rotation. This value cannot be shorter than one hour. Uses
  [duration format strings](/docs/concepts/duration-format).

### Sample Payload

```json
{
  "min_decryption_version": 1,
  "auto_rotate_period": "4320h"
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/tokenization/keys/transform_name/config
```

## List Tokenization Key Configuration

List all tokenization keys.
Only valid for tokenization transformations.

| Method | Path                            |
| :----- | :------------------------------ |
| `LIST` | `/transform/tokenization/keys/` |

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/transform/tokenization/keys/
```

## Read Tokenization Key Configuration

Read tokenization key configuration for a particular transform.
Only valid for tokenization transformations.

| Method | Path                                           |
| :----- | :--------------------------------------------- |
| `GET`  | `/transform/tokenization/keys/:transform_name` |

### Parameters

- `transform_name` `(string: <required>)` –
  Specifies the transform name to use for this operation. This is specified as part
  of the URL.

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/transform/tokenization/keys/transform_name
```

### Sample Response

```json
{
  "data": {
    "latest_version": 1,
    "min_available_version": 0,
    "min_decryption_version": 1,
    "auto_rotate_period": "4320h",
    "name": "transform_name"
  }
}
```

## Trim Tokenization Key Version

This endpoint trims older key versions by setting a minimum version for the keyring.
Once trimmed, previous versions of the key cannot be recovered.

| Method | Path                                                |
| :----- | :-------------------------------------------------- |
| `POST` | `/transform/tokenization/keys/:transform_name/trim` |

### Parameters

- `transform_name` `(string: <required>)` –
  Specifies the transform name to use for this operation. This is specified as part
  of the URL.

- `min_available_version` `(int: <required>)` –
  Specifies the minimum key version available for use for this transform. All versions below
  this will be permanently forgotten. Cannot be set below `min_decryption_version` or above
  `latest_version`.

### Sample Payload

```json
{
  "min_available_version": 1
}
```

### Sample Request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/transform/tokenization/keys/transform_name/trim
```