---
layout: docs
page_title: Vault Enterprise Lease Count Quotas
description: |-
  Vault Enterprise features a mechanism to create lease count quotas.
---

# Lease Count Quotas

Vault features an extension to resource quotas that allows operators to enforce
limits on how many leases are created. For a given lease count quota, if the
number of leases in the cluster hits the configured limit, `max_leases`, additional
lease creations will be forbidden for all clients until a lease has been revoked
or has expired.

It is important to note that lease count quotas do not apply to the root tokens.
If the number of leases in the cluster hits the configured limit, `max_leases`,
an operator could still create a root token and access the cluster to try to recover.

Additionally, batch token creation is blocked when the lease count quota is
exceeded, but batch tokens do not count towards the quota.

All the nodes in the Vault cluster will share the lease quota rules, meaning that
the lease counters will be shared, regardless of which node in the Vault cluster
receives lease generation requests. Lease quotas can be imposed across Vault's API,
or scoped down to API pertaining to specific namespaces or specific mounts.

A quota that is defined in the `root` namespace with no specified path is inherited by all namespaces.
Essentially, it applies to the entire Vault API unless a more specific quota has been defined
for a specific API path.

Lease count quotas defined on a namespace take precedence over the global
quotas. Lease count quotas defined for a mount will take precedence over global
and namespace quotas. Lease count quotas defined for a specific path will take precedence
over global, namespace, and mount quotas. Lease count quotas defined with a login role for
a specific auth mount will take precedence over every other quota when applying to
login requests using that auth method and the specified role.

The limits on quotas can either be increased or decreased. If a lower precedence quota
is very restrictive and if it is desired to relax the limits in one namespace,
or on a specific mount, it can be done using this precedence model. On the
other hand, if a lower precedence quota is very liberal and if it is desired to
further restrict usages in a specific namespace or mount, that can be done
using the precedence model too.

Vault also allows the inspection into the state of lease count quotas in a Vault
cluster through various [metrics](/docs/internals/telemetry#Resource-Quota-Metrics)
exposed and through enabling optional audit logging.

## Tutorial

Refer to [Protecting Vault with Resource
Quotas](https://learn.hashicorp.com/vault/security/resource-quotas) for a
step-by-step tutorial.

## API

Lease count quotas can be managed over the HTTP API. Please see
[Lease Count Quotas API](/api-docs/system/lease-count-quotas) for more details.