HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

You are viewing documentation for version v1.5.x. View latest version.

HTTP API

The Vault HTTP API gives you full access to Vault via HTTP. Every aspect of Vault can be controlled via this API. The Vault CLI uses the HTTP API to access Vault.

All API routes are prefixed with /v1/.

This documentation is only for the v1 API, which is currently the only version.

Backwards compatibility: At the current version, Vault does not yet promise backwards compatibility even with the v1 prefix. We'll remove this warning when this policy changes. At this point in time the core API (that is, sys/ routes) change very infrequently, but various secrets engines/auth methods/etc. sometimes have minor changes to accommodate new features as they're developed.

Transport

The API is expected to be accessed over a TLS connection at all times, with a valid certificate that is verified by a well-behaved client. It is possible to disable TLS verification for listeners, however, so API clients should expect to have to do both depending on user settings.

Authentication

Once Vault is unsealed, almost every other operation requires a client token. A user may have a client token sent to them. The client token must be sent as either the X-Vault-Token HTTP Header or as Authorization HTTP Header using the Bearer <token> scheme.

Otherwise, a client token can be retrieved via