e4e4a7ba67
* Capabilities endpoint will now return considering policies on entities and groups * refactor the policy derivation into a separate function * Docs: Update docs to reflect the change in capabilities endpoint
59 lines
1.3 KiB
Markdown
59 lines
1.3 KiB
Markdown
---
|
||
layout: "api"
|
||
page_title: "/sys/capabilities - HTTP API"
|
||
sidebar_current: "docs-http-system-capabilities/"
|
||
description: |-
|
||
The `/sys/capabilities` endpoint is used to fetch the capabilities of a token
|
||
on a given path.
|
||
---
|
||
|
||
# `/sys/capabilities`
|
||
|
||
The `/sys/capabilities` endpoint is used to fetch the capabilities of a token
|
||
on a given path. The capabilities returned will be derived from the policies
|
||
that are on the token, and from the policies to which token is entitled to
|
||
through the entity and entity's group memberships.
|
||
|
||
## Query Token Capabilities
|
||
|
||
This endpoint returns the list of capabilities for a provided token.
|
||
|
||
| Method | Path | Produces |
|
||
| :------- | :------------------- | :--------------------- |
|
||
| `POST` | `/sys/capabilities` | `200 application/json` |
|
||
|
||
### Parameters
|
||
|
||
- `path` `(string: <required>)` – Specifies the path against which to check the
|
||
token's capabilities.
|
||
|
||
- `token` `(string: <required>)` – Specifies the token for which to check
|
||
capabilities.
|
||
|
||
### Sample Payload
|
||
|
||
```json
|
||
{
|
||
"path": "secret/foo",
|
||
"token": "abcd1234"
|
||
}
|
||
```
|
||
|
||
### Sample Request
|
||
|
||
```
|
||
$ curl \
|
||
--header "X-Vault-Token: ..." \
|
||
--request POST \
|
||
--data @payload.json \
|
||
https://vault.rocks/v1/sys/capabilities
|
||
```
|
||
|
||
### Sample Response
|
||
|
||
```json
|
||
{
|
||
"capabilities": ["read", "list"]
|
||
}
|
||
```
|