HashiCorp Agentic Access
HashiCorp exposes 264 API operations that an AI agent could call, of which 149 are state-changing ‘acting’ operations. This is a recommended x-agentic-access execution contract — the scope, audience, consequence tier, short-lived token constraints, and escalation each action should carry before it is handed to an autonomous agent.
By consequence: 115 read, 132 write, and 17 safety-critical.
17 operations are classed safety-critical and should require human-in-the-loop approval at runtime.
Contracts are classified heuristically from the provider’s OpenAPI and refresh on every APIs.io network build; audience is bound per deployment. The model follows Curity’s Access Intelligence (apidays Munich 2026). Browse every provider’s agent contracts at agentic-access.apis.io.
By consequence
Highest-consequence actions
The physical and safety-critical operations an agent could invoke — the ones that most warrant scoped tokens, tight TTLs, and escalation. Full per-operation contracts are in the source below.
| Method | Path | Consequence | Human-in-loop |
|---|---|---|---|
| POST | /auth/token/revoke | safety-critical | required |
| POST | /auth/token/revoke-accessor | safety-critical | required |
| POST | /auth/token/revoke-orphan | safety-critical | required |
| POST | /auth/token/revoke-self | safety-critical | required |
| DELETE | /sys/audit/{path} | safety-critical | required |
| DELETE | /sys/auth/{path} | safety-critical | required |
| DELETE | /sys/config/auditing/request-headers/{header} | safety-critical | required |
| POST | /sys/internal/counters/config | safety-critical | required |
| POST | /sys/leases/revoke | safety-critical | required |
| POST | /sys/leases/revoke-force/{prefix} | safety-critical | required |
| POST | /sys/leases/revoke-prefix/{prefix} | safety-critical | required |
| POST | /sys/leases/revoke/{url_lease_id} | safety-critical | required |
| DELETE | /sys/mounts/{path} | safety-critical | required |
| POST | /sys/revoke | safety-critical | required |
| POST | /sys/revoke-force/{prefix} | safety-critical | required |
| POST | /sys/revoke-prefix/{prefix} | safety-critical | required |
| POST | /sys/revoke/{url_lease_id} | safety-critical | required |
Source
Agentic Access
generated: '2026-07-15'
method: generated
source: openapi/hashicorp-vault-openapi.yml
description: Recommended x-agentic-access execution contracts, classified heuristically from
the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind
audience per deployment. See research/curity/agentic-governance/.
summary:
operations: 264
by_action_class:
connected: 115
acting: 149
by_consequence:
read: 115
write: 132
safety-critical: 17
human_in_the_loop_required: 17
operations:
- path: /auth/token/accessors/
method: get
operationId: getAuthTokenAccessors
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /auth/token/create
method: post
operationId: postAuthTokenCreate
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/create-orphan
method: post
operationId: postAuthTokenCreateOrphan
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/create/{role_name}
method: post
operationId: postAuthTokenCreateRole_name
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/lookup
method: get
operationId: getAuthTokenLookup
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /auth/token/lookup
method: post
operationId: postAuthTokenLookup
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/lookup-accessor
method: post
operationId: postAuthTokenLookupAccessor
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/lookup-self
method: get
operationId: getAuthTokenLookupSelf
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /auth/token/lookup-self
method: post
operationId: postAuthTokenLookupSelf
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/renew
method: post
operationId: postAuthTokenRenew
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/renew-accessor
method: post
operationId: postAuthTokenRenewAccessor
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/renew-self
method: post
operationId: postAuthTokenRenewSelf
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/revoke
method: post
operationId: postAuthTokenRevoke
x-agentic-access:
action-class: acting
consequence: safety-critical
subject: required
audience: null
token:
max-ttl: 120
exchange: true
purpose-required: true
proof-of-possession: true
escalation:
human-in-the-loop: required
audit: required
- path: /auth/token/revoke-accessor
method: post
operationId: postAuthTokenRevokeAccessor
x-agentic-access:
action-class: acting
consequence: safety-critical
subject: required
audience: null
token:
max-ttl: 120
exchange: true
purpose-required: true
proof-of-possession: true
escalation:
human-in-the-loop: required
audit: required
- path: /auth/token/revoke-orphan
method: post
operationId: postAuthTokenRevokeOrphan
x-agentic-access:
action-class: acting
consequence: safety-critical
subject: required
audience: null
token:
max-ttl: 120
exchange: true
purpose-required: true
proof-of-possession: true
escalation:
human-in-the-loop: required
audit: required
- path: /auth/token/revoke-self
method: post
operationId: postAuthTokenRevokeSelf
x-agentic-access:
action-class: acting
consequence: safety-critical
subject: required
audience: null
token:
max-ttl: 120
exchange: true
purpose-required: true
proof-of-possession: true
escalation:
human-in-the-loop: required
audit: required
- path: /auth/token/roles
method: get
operationId: getAuthTokenRoles
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /auth/token/roles/{role_name}
method: get
operationId: getAuthTokenRolesRole_name
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /auth/token/roles/{role_name}
method: post
operationId: postAuthTokenRolesRole_name
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/roles/{role_name}
method: delete
operationId: deleteAuthTokenRolesRole_name
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /auth/token/tidy
method: post
operationId: postAuthTokenTidy
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /cubbyhole/{path}
method: get
operationId: getCubbyholePath
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /cubbyhole/{path}
method: post
operationId: postCubbyholePath
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /cubbyhole/{path}
method: delete
operationId: deleteCubbyholePath
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/alias
method: post
operationId: postIdentityAlias
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/alias/id
method: get
operationId: getIdentityAliasId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/alias/id/{id}
method: get
operationId: getIdentityAliasIdId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/alias/id/{id}
method: post
operationId: postIdentityAliasIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/alias/id/{id}
method: delete
operationId: deleteIdentityAliasIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/entity
method: post
operationId: postIdentityEntity
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/entity-alias
method: post
operationId: postIdentityEntityAlias
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/entity-alias/id
method: get
operationId: getIdentityEntityAliasId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/entity-alias/id/{id}
method: get
operationId: getIdentityEntityAliasIdId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/entity-alias/id/{id}
method: post
operationId: postIdentityEntityAliasIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/entity-alias/id/{id}
method: delete
operationId: deleteIdentityEntityAliasIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/entity/batch-delete
method: post
operationId: postIdentityEntityBatchDelete
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/entity/id
method: get
operationId: getIdentityEntityId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/entity/id/{id}
method: get
operationId: getIdentityEntityIdId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/entity/id/{id}
method: post
operationId: postIdentityEntityIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/entity/id/{id}
method: delete
operationId: deleteIdentityEntityIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/entity/merge
method: post
operationId: postIdentityEntityMerge
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/entity/name
method: get
operationId: getIdentityEntityName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/entity/name/{name}
method: get
operationId: getIdentityEntityNameName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/entity/name/{name}
method: post
operationId: postIdentityEntityNameName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/entity/name/{name}
method: delete
operationId: deleteIdentityEntityNameName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/group
method: post
operationId: postIdentityGroup
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/group-alias
method: post
operationId: postIdentityGroupAlias
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/group-alias/id
method: get
operationId: getIdentityGroupAliasId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/group-alias/id/{id}
method: get
operationId: getIdentityGroupAliasIdId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/group-alias/id/{id}
method: post
operationId: postIdentityGroupAliasIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/group-alias/id/{id}
method: delete
operationId: deleteIdentityGroupAliasIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/group/id
method: get
operationId: getIdentityGroupId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/group/id/{id}
method: get
operationId: getIdentityGroupIdId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/group/id/{id}
method: post
operationId: postIdentityGroupIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/group/id/{id}
method: delete
operationId: deleteIdentityGroupIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/group/name
method: get
operationId: getIdentityGroupName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/group/name/{name}
method: get
operationId: getIdentityGroupNameName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/group/name/{name}
method: post
operationId: postIdentityGroupNameName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/group/name/{name}
method: delete
operationId: deleteIdentityGroupNameName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/lookup/entity
method: post
operationId: postIdentityLookupEntity
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/lookup/group
method: post
operationId: postIdentityLookupGroup
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/.well-known/keys
method: get
operationId: getIdentityOidcWellKnownKeys
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/.well-known/openid-configuration
method: get
operationId: getIdentityOidcWellKnownOpenidConfiguration
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/assignment
method: get
operationId: getIdentityOidcAssignment
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/assignment/{name}
method: get
operationId: getIdentityOidcAssignmentName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/assignment/{name}
method: post
operationId: postIdentityOidcAssignmentName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/assignment/{name}
method: delete
operationId: deleteIdentityOidcAssignmentName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/client
method: get
operationId: getIdentityOidcClient
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/client/{name}
method: get
operationId: getIdentityOidcClientName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/client/{name}
method: post
operationId: postIdentityOidcClientName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/client/{name}
method: delete
operationId: deleteIdentityOidcClientName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/config
method: get
operationId: getIdentityOidcConfig
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/config
method: post
operationId: postIdentityOidcConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/introspect
method: post
operationId: postIdentityOidcIntrospect
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/key
method: get
operationId: getIdentityOidcKey
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/key/{name}
method: get
operationId: getIdentityOidcKeyName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/key/{name}
method: post
operationId: postIdentityOidcKeyName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/key/{name}
method: delete
operationId: deleteIdentityOidcKeyName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/key/{name}/rotate
method: post
operationId: postIdentityOidcKeyNameRotate
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/provider
method: get
operationId: getIdentityOidcProvider
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/provider/{name}
method: get
operationId: getIdentityOidcProviderName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/provider/{name}
method: post
operationId: postIdentityOidcProviderName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/provider/{name}
method: delete
operationId: deleteIdentityOidcProviderName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/provider/{name}/.well-known/keys
method: get
operationId: getIdentityOidcProviderNameWellKnownKeys
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/provider/{name}/.well-known/openid-configuration
method: get
operationId: getIdentityOidcProviderNameWellKnownOpenidConfiguration
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/provider/{name}/authorize
method: get
operationId: getIdentityOidcProviderNameAuthorize
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/provider/{name}/authorize
method: post
operationId: postIdentityOidcProviderNameAuthorize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/provider/{name}/token
method: post
operationId: postIdentityOidcProviderNameToken
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/provider/{name}/userinfo
method: get
operationId: getIdentityOidcProviderNameUserinfo
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/provider/{name}/userinfo
method: post
operationId: postIdentityOidcProviderNameUserinfo
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/role
method: get
operationId: getIdentityOidcRole
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/role/{name}
method: get
operationId: getIdentityOidcRoleName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/role/{name}
method: post
operationId: postIdentityOidcRoleName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/role/{name}
method: delete
operationId: deleteIdentityOidcRoleName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/scope
method: get
operationId: getIdentityOidcScope
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/scope/{name}
method: get
operationId: getIdentityOidcScopeName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/oidc/scope/{name}
method: post
operationId: postIdentityOidcScopeName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/scope/{name}
method: delete
operationId: deleteIdentityOidcScopeName
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/oidc/token/{name}
method: get
operationId: getIdentityOidcTokenName
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/persona
method: post
operationId: postIdentityPersona
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/persona/id
method: get
operationId: getIdentityPersonaId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/persona/id/{id}
method: get
operationId: getIdentityPersonaIdId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /identity/persona/id/{id}
method: post
operationId: postIdentityPersonaIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /identity/persona/id/{id}
method: delete
operationId: deleteIdentityPersonaIdId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /secret/config
method: get
operationId: getSecretConfig
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /secret/config
method: post
operationId: postSecretConfig
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
# --- truncated at 32 KB (77 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/hashicorp/refs/heads/main/agentic-access/hashicorp-agentic-access.yml