--- layout: api page_title: /sys/init - HTTP API description: The `/sys/init` endpoint is used to initialize a new Vault. --- # `/sys/init` The `/sys/init` endpoint is used to initialize a new Vault. ## Read Initialization Status This endpoint returns the initialization status of Vault. | Method | Path | | :----- | :---------- | | `GET` | `/sys/init` | ### Sample Request ```shell-session $ curl \ http://127.0.0.1:8200/v1/sys/init ``` ### Sample Response ```json { "initialized": true } ``` ## Start Initialization This endpoint initializes a new Vault. The Vault must not have been previously initialized. The recovery options, as well as the stored shares option, are only available when using Auto Unseal. | Method | Path | | :----- | :---------- | | `POST` | `/sys/init` | ### Parameters - `pgp_keys` `(array: nil)` – Specifies an array of PGP public keys used to encrypt the output unseal keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `secret_shares`. - `root_token_pgp_key` `(string: "")` – Specifies a PGP public key used to encrypt the initial root token. The key must be base64-encoded from its original binary representation. - `secret_shares` `(int: )` – Specifies the number of shares to split the root key into. - `secret_threshold` `(int: )` – Specifies the number of shares required to reconstruct the root key. This must be less than or equal `secret_shares`. If using Vault HSM with auto-unsealing, this value must be the same as `secret_shares`. Additionally, the following options are only supported using Auto Unseal: - `stored_shares` `(int: )` – Specifies the number of shares that should be encrypted by the HSM and stored for auto-unsealing. Currently must be the same as `secret_shares`. - `recovery_shares` `(int: )` – Specifies the number of shares to split the recovery key into. - `recovery_threshold` `(int: )` – Specifies the number of shares required to reconstruct the recovery key. This must be less than or equal to `recovery_shares`. - `recovery_pgp_keys` `(array: nil)` – Specifies an array of PGP public keys used to encrypt the output recovery keys. Ordering is preserved. The keys must be base64-encoded from their original binary representation. The size of this array must be the same as `recovery_shares`. ### Sample Payload ```json { "secret_shares": 10, "secret_threshold": 5 } ``` ### Sample Request ```shell-session $ curl \ --request POST \ --data @payload.json \ http://127.0.0.1:8200/v1/sys/init ``` ### Sample Response A JSON-encoded object including the (possibly encrypted, if `pgp_keys` was provided) root keys, base 64 encoded root keys and initial root token: ```json { "keys": ["one", "two", "three"], "keys_base64": ["cR9No5cBC", "F3VLrkOo", "zIDSZNGv"], "root_token": "foo" } ```