Azure Key Vault website screenshot

Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets, keys, and certificates. It helps safeguard cryptographic keys and secrets used by cloud applications and services.

5 APIs 6 Features
CertificatesCloud SecurityCryptographyKey ManagementSecrets ManagementSecurity

APIs

Azure Key Vault API

REST API for managing vaults, keys, secrets, and certificates in Azure Key Vault.

Azure Key Vault Data Plane API

API for performing cryptographic operations and managing keys, secrets, and certificates within a specific Key Vault instance.

Azure Key Vault Keys API

REST API for creating, importing, updating, and performing cryptographic operations with keys in Azure Key Vault. Supports RSA, EC, and symmetric key types with operations inclu...

Azure Key Vault Secrets API

REST API for securely storing and managing secrets such as passwords, connection strings, and API keys in Azure Key Vault.

Azure Key Vault Certificates API

REST API for creating, importing, managing, and renewing certificates in Azure Key Vault.

Collections

Pricing Plans

Rate Limits

Azure Key Vault Rate Limits

13 limits

RATE LIMITS

FinOps

Features

Key Management

Create, import, and manage cryptographic keys with support for RSA, EC, and symmetric key types.

Secrets Management

Securely store and control access to passwords, connection strings, API keys, and other secrets.

Certificate Lifecycle

Automate certificate creation, renewal, and management with certificate authority integration.

Cryptographic Operations

Perform encrypt, decrypt, sign, verify, wrap, and unwrap operations using managed keys.

HSM-Backed Keys

Use hardware security modules for FIPS 140-2 Level 2 validated key protection.

Soft Delete and Purge Protection

Recover accidentally deleted vaults, keys, secrets, and certificates with configurable retention.

Use Cases

Application Secret Management

Centralize and secure application secrets with audited access and automatic rotation.

Data Encryption

Encrypt data at rest and in transit using customer-managed keys stored in Key Vault.

TLS Certificate Management

Automate TLS certificate provisioning and renewal for web applications and services.

Code and Document Signing

Sign code, documents, and artifacts using keys stored securely in Key Vault.

Integrations

Azure App Service

Reference Key Vault secrets and certificates directly from App Service configuration.

Azure Kubernetes Service

Mount Key Vault secrets as volumes in AKS pods using the Secrets Store CSI Driver.

Azure DevOps

Use Key Vault secrets in CI/CD pipelines for secure deployment automation.

Azure Disk Encryption

Encrypt Azure VM disks using customer-managed keys stored in Key Vault.

Azure SQL Database

Enable Transparent Data Encryption with customer-managed keys from Key Vault.

Semantic Vocabularies

Azure Key Vault Context

0 classes · 57 properties

JSON-LD

Azure Key Vault Data Plane Context

0 classes · 0 properties

JSON-LD

API Governance Rules

Azure Key Vault API Rules

7 rules · 7 errors

SPECTRAL

JSON Structure

Azure Key Vault Data Plane Error Structure

2 properties

JSON STRUCTURE

Azure Key Vault Data Plane Key Item Structure

3 properties

JSON STRUCTURE

Microsoft Azure Key Vault Structure

0 properties

JSON STRUCTURE

Example Payloads

Resources

🟢
StatusPage
StatusPage
📰
Blog
Blog
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
📄
ChangeLog
ChangeLog
🌐
Portal
Portal
💬
Support
Support
💰
Pricing
Pricing
🔗
SpectralRules
SpectralRules
🔗
Vocabulary
Vocabulary

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Azure Key Vault Data Plane API
  version: '7.4'
request:
  auth:
    type: oauth2
    flow: implicit
    authorizationUrl: https://login.microsoftonline.com/common/oauth2/authorize
    credentials:
      clientId: '{{clientId}}'
items:
- info:
    name: Keys
    type: folder
  items:
  - info:
      name: Azure Key Vault Create Key
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/keys/:key-name/create
      params:
      - name: key-name
        value: ''
        type: path
        description: The name of the key.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Creates a new key, stores it, then returns key parameters and attributes to the client. If the named key already
      exists, Azure Key Vault creates a new version of the key. Requires the keys/create permission.
  - info:
      name: Azure Key Vault Get Key
      type: http
    http:
      method: GET
      url: https://{vaultName}.vault.azure.net/keys/:key-name/:key-version
      params:
      - name: key-name
        value: ''
        type: path
        description: The name of the key.
      - name: key-version
        value: ''
        type: path
        description: The version of the key. This URI fragment is optional. If not specified, the latest version of the key
          is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
    docs: Gets the public part of a stored key. The get key operation is applicable to all key types. If the requested key
      is symmetric, then no key material is released in the response. Requires the keys/get permission.
  - info:
      name: Azure Key Vault Update Key
      type: http
    http:
      method: PATCH
      url: https://{vaultName}.vault.azure.net/keys/:key-name/:key-version
      params:
      - name: key-name
        value: ''
        type: path
        description: The name of the key.
      - name: key-version
        value: ''
        type: path
        description: The version of the key. This URI fragment is optional. If not specified, the latest version of the key
          is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: The update key operation changes specified attributes of a stored key and can be applied to any key type and key
      version stored in Azure Key Vault. Requires the keys/update permission.
  - info:
      name: Azure Key Vault Delete Key
      type: http
    http:
      method: DELETE
      url: https://{vaultName}.vault.azure.net/keys/:key-name
      params:
      - name: key-name
        value: ''
        type: path
        description: The name of the key.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
    docs: Deletes a key of any type from storage in Azure Key Vault. Requires the keys/delete permission.
  - info:
      name: Azure Key Vault List Keys
      type: http
    http:
      method: GET
      url: https://{vaultName}.vault.azure.net/keys
      params:
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      - name: maxresults
        value: ''
        type: query
        description: Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
    docs: Retrieves a list of the keys in the Key Vault as JSON Web Key structures that contain the public part of a stored
      key. The list operation is applicable to all key types. Requires the keys/list permission.
  - info:
      name: Azure Key Vault Encrypt
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/keys/:key-name/:key-version/encrypt
      params:
      - name: key-name
        value: ''
        type: path
        description: The name of the key.
      - name: key-version
        value: ''
        type: path
        description: The version of the key. This URI fragment is optional. If not specified, the latest version of the key
          is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Encrypts an arbitrary sequence of bytes using an encryption key that is stored in a Key Vault. Requires the keys/encrypt
      permission.
  - info:
      name: Azure Key Vault Decrypt
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/keys/:key-name/:key-version/decrypt
      params:
      - name: key-name
        value: ''
        type: path
        description: The name of the key.
      - name: key-version
        value: ''
        type: path
        description: The version of the key. This URI fragment is optional. If not specified, the latest version of the key
          is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Decrypts a single block of encrypted data using the specified encryption key. Requires the keys/decrypt permission.
  - info:
      name: Azure Key Vault Sign
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/keys/:key-name/:key-version/sign
      params:
      - name: key-name
        value: ''
        type: path
        description: The name of the key.
      - name: key-version
        value: ''
        type: path
        description: The version of the key. This URI fragment is optional. If not specified, the latest version of the key
          is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Creates a signature from a digest using the specified key. Requires the keys/sign permission.
  - info:
      name: Azure Key Vault Verify
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/keys/:key-name/:key-version/verify
      params:
      - name: key-name
        value: ''
        type: path
        description: The name of the key.
      - name: key-version
        value: ''
        type: path
        description: The version of the key. This URI fragment is optional. If not specified, the latest version of the key
          is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Verifies a signature using a specified key. Requires the keys/verify permission.
  - info:
      name: Azure Key Vault Wrap Key
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/keys/:key-name/:key-version/wrapkey
      params:
      - name: key-name
        value: ''
        type: path
        description: The name of the key.
      - name: key-version
        value: ''
        type: path
        description: The version of the key. This URI fragment is optional. If not specified, the latest version of the key
          is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Wraps a symmetric key using a specified key. Requires the keys/wrapKey permission.
  - info:
      name: Azure Key Vault Unwrap Key
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/keys/:key-name/:key-version/unwrapkey
      params:
      - name: key-name
        value: ''
        type: path
        description: The name of the key.
      - name: key-version
        value: ''
        type: path
        description: The version of the key. This URI fragment is optional. If not specified, the latest version of the key
          is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Unwraps a symmetric key using the specified key that was initially used for wrapping that key. Requires the keys/unwrapKey
      permission.
- info:
    name: Secrets
    type: folder
  items:
  - info:
      name: Azure Key Vault Set Secret
      type: http
    http:
      method: PUT
      url: https://{vaultName}.vault.azure.net/secrets/:secret-name
      params:
      - name: secret-name
        value: ''
        type: path
        description: The name of the secret.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Sets a secret in a specified key vault. The SET operation adds a secret to the Azure Key Vault. If the named secret
      already exists, Azure Key Vault creates a new version of that secret. Requires the secrets/set permission.
  - info:
      name: Azure Key Vault Delete Secret
      type: http
    http:
      method: DELETE
      url: https://{vaultName}.vault.azure.net/secrets/:secret-name
      params:
      - name: secret-name
        value: ''
        type: path
        description: The name of the secret.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
    docs: Deletes a secret from a specified key vault. Requires the secrets/delete permission.
  - info:
      name: Azure Key Vault Get Secret
      type: http
    http:
      method: GET
      url: https://{vaultName}.vault.azure.net/secrets/:secret-name/:secret-version
      params:
      - name: secret-name
        value: ''
        type: path
        description: The name of the secret.
      - name: secret-version
        value: ''
        type: path
        description: The version of the secret. This URI fragment is optional. If not specified, the latest version of the
          secret is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
    docs: Get a specified secret from a given key vault. The GET operation is applicable to any secret stored in Azure Key
      Vault. Requires the secrets/get permission.
  - info:
      name: Azure Key Vault Update Secret
      type: http
    http:
      method: PATCH
      url: https://{vaultName}.vault.azure.net/secrets/:secret-name/:secret-version
      params:
      - name: secret-name
        value: ''
        type: path
        description: The name of the secret.
      - name: secret-version
        value: ''
        type: path
        description: The version of the secret. This URI fragment is optional. If not specified, the latest version of the
          secret is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Updates the attributes associated with a specified secret in a given key vault. Requires the secrets/set permission.
  - info:
      name: Azure Key Vault List Secrets
      type: http
    http:
      method: GET
      url: https://{vaultName}.vault.azure.net/secrets
      params:
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      - name: maxresults
        value: ''
        type: query
        description: Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
    docs: List secrets in a specified key vault. The Get Secrets operation is applicable to the entire vault. Requires the
      secrets/list permission.
  - info:
      name: Azure Key Vault List Secret Versions
      type: http
    http:
      method: GET
      url: https://{vaultName}.vault.azure.net/secrets/:secret-name/versions
      params:
      - name: secret-name
        value: ''
        type: path
        description: The name of the secret.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      - name: maxresults
        value: ''
        type: query
        description: Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
    docs: List all versions of the specified secret. Requires the secrets/list permission.
  - info:
      name: Azure Key Vault Backup Secret
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/secrets/:secret-name/backup
      params:
      - name: secret-name
        value: ''
        type: path
        description: The name of the secret.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
    docs: Requests that a backup of the specified secret be downloaded to the client. All versions of the secret will be downloaded.
      Requires the secrets/backup permission.
  - info:
      name: Azure Key Vault Restore Secret
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/secrets/restore
      params:
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Restores a backed up secret, and all its versions, to a vault. Requires the secrets/restore permission.
- info:
    name: Certificates
    type: folder
  items:
  - info:
      name: Azure Key Vault Create Certificate
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/certificates/:certificate-name/create
      params:
      - name: certificate-name
        value: ''
        type: path
        description: The name of the certificate.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Creates a new certificate. If this is the first version, the certificate resource is created. Requires the certificates/create
      permission.
  - info:
      name: Azure Key Vault Get Certificate
      type: http
    http:
      method: GET
      url: https://{vaultName}.vault.azure.net/certificates/:certificate-name/:certificate-version
      params:
      - name: certificate-name
        value: ''
        type: path
        description: The name of the certificate.
      - name: certificate-version
        value: ''
        type: path
        description: The version of the certificate. This URI fragment is optional. If not specified, the latest version of
          the certificate is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
    docs: Gets information about a specific certificate. Requires the certificates/get permission.
  - info:
      name: Azure Key Vault Update Certificate
      type: http
    http:
      method: PATCH
      url: https://{vaultName}.vault.azure.net/certificates/:certificate-name/:certificate-version
      params:
      - name: certificate-name
        value: ''
        type: path
        description: The name of the certificate.
      - name: certificate-version
        value: ''
        type: path
        description: The version of the certificate. This URI fragment is optional. If not specified, the latest version of
          the certificate is returned.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Applies the specified update on the given certificate. Requires the certificates/update permission.
  - info:
      name: Azure Key Vault Delete Certificate
      type: http
    http:
      method: DELETE
      url: https://{vaultName}.vault.azure.net/certificates/:certificate-name
      params:
      - name: certificate-name
        value: ''
        type: path
        description: The name of the certificate.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
    docs: Deletes all versions of a certificate object along with its associated policy. Requires the certificates/delete
      permission.
  - info:
      name: Azure Key Vault List Certificates
      type: http
    http:
      method: GET
      url: https://{vaultName}.vault.azure.net/certificates
      params:
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      - name: maxresults
        value: ''
        type: query
        description: Maximum number of results to return in a page. If not specified, the service will return up to 25 results.
      - name: includePending
        value: ''
        type: query
        description: Specifies whether to include certificates which are not completely provisioned.
    docs: List certificates in a specified key vault. Requires the certificates/list permission.
  - info:
      name: Azure Key Vault Import Certificate
      type: http
    http:
      method: POST
      url: https://{vaultName}.vault.azure.net/certificates/:certificate-name/import
      params:
      - name: certificate-name
        value: ''
        type: path
        description: The name of the certificate.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Imports an existing valid certificate, containing a private key, into Azure Key Vault. The certificate to be imported
      can be in either PFX or PEM format. Requires the certificates/import permission.
  - info:
      name: Azure Key Vault Get Certificate Policy
      type: http
    http:
      method: GET
      url: https://{vaultName}.vault.azure.net/certificates/:certificate-name/policy
      params:
      - name: certificate-name
        value: ''
        type: path
        description: The name of the certificate.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
    docs: Gets the policy for a certificate. Requires the certificates/get permission.
  - info:
      name: Azure Key Vault Update Certificate Policy
      type: http
    http:
      method: PATCH
      url: https://{vaultName}.vault.azure.net/certificates/:certificate-name/policy
      params:
      - name: certificate-name
        value: ''
        type: path
        description: The name of the certificate.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
      body:
        type: json
        data: '{}'
    docs: Set specified members in the certificate policy. Requires the certificates/update permission.
  - info:
      name: Azure Key Vault Get Certificate Operation
      type: http
    http:
      method: GET
      url: https://{vaultName}.vault.azure.net/certificates/:certificate-name/pending
      params:
      - name: certificate-name
        value: ''
        type: path
        description: The name of the certificate.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
    docs: Gets the creation operation associated with a specified certificate. Requires the certificates/get permission.
  - info:
      name: Azure Key Vault Delete Certificate Operation
      type: http
    http:
      method: DELETE
      url: https://{vaultName}.vault.azure.net/certificates/:certificate-name/pending
      params:
      - name: certificate-name
        value: ''
        type: path
        description: The name of the certificate.
      - name: api-version
        value: ''
        type: query
        description: The API version to use for this operation.
    docs: Deletes the creation operation for a specific certificate. Requires the certificates/update permission.
bundled: true