HashiCorp Vault website screenshot

HashiCorp Vault

HashiCorp Vault is an open source tool for securely storing and accessing secrets. A secret is anything you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control via policies and recording a detailed audit log. It supports dynamic secrets, data encryption, PKI, SSH certificate issuance, and identity-based access through a comprehensive REST HTTP API.

3 APIs 10 Features
DevOpsEncryptionOpen SourcePKISecrets ManagementSecurity

APIs

HashiCorp Vault KV Secrets Engine API

The KV v2 secrets engine provides key-value secret storage with versioning, metadata management, soft delete, and permanent destruction of secret versions. Essential for storing...

HashiCorp Vault System Backend API

The Vault system backend provides management operations for authentication methods, secrets engine mounts, ACL policies, token lifecycle, and lease management. All sys/ endpoint...

Vault HTTP API

The complete Vault HTTP API gives full access to all Vault operations via REST. Includes authentication method APIs (AppRole, LDAP, JWT, Kubernetes, AWS, Azure), secrets engine ...

Collections

Pricing Plans

Vault Plans Pricing

3 plans

PLANS

Rate Limits

Vault Rate Limits

5 limits

RATE LIMITS

FinOps

Vault Finops

FINOPS

Features

KV Secrets Engine

Versioned key-value secret storage with soft delete, undelete, and permanent destruction.

Dynamic Secrets

On-demand, time-limited credentials for databases, AWS, Azure, GCP, and other backends.

Data Encryption (Transit)

Encryption-as-a-Service for application data without storing plaintext in Vault.

PKI Certificate Authority

Built-in PKI secrets engine for issuing X.509 certificates with configurable TTLs.

SSH Certificate Issuance

Dynamic SSH certificates and OTPs for secure machine access management.

ACL Policies

Fine-grained HCL-based policies controlling access to any secret path with capabilities.

Auth Methods

Pluggable authentication supporting AppRole, LDAP, JWT/OIDC, Kubernetes, AWS, and more.

Lease Management

All dynamic secrets have TTL-bound leases that can be renewed or revoked on demand.

Audit Logging

Comprehensive audit trail of all API requests and responses for compliance.

MCP Server

Official HashiCorp Vault MCP server enabling AI-assisted secrets management workflows.

Use Cases

Application Secret Injection

Inject database credentials, API keys, and config into applications at runtime via Vault Agent.

Kubernetes Secrets Management

Replace Kubernetes secrets with Vault-managed secrets using the Vault Secrets Operator.

Database Credential Rotation

Automatically rotate database credentials with dynamic secrets engine for zero-knowledge security.

PKI Automation

Automate certificate lifecycle management for internal services and mutual TLS.

CI/CD Secret Injection

Provide short-lived credentials to CI/CD pipelines via AppRole or GitHub Actions OIDC.

Secrets as Code

Manage Vault configuration as code using the Terraform Vault provider.

Compliance and Audit

Meet SOC 2, PCI-DSS, HIPAA, and FedRAMP requirements with immutable audit logs.

Integrations

Terraform

Terraform Vault provider for managing Vault configuration and policies as code.

Kubernetes

Vault Secrets Operator and Vault Agent Injector for native Kubernetes integration.

GitHub Actions

OIDC-based authentication from GitHub Actions workflows without static credentials.

AWS

Dynamic AWS IAM credentials and EC2/IAM-based authentication methods.

Consul

Native HashiCorp Consul integration for service mesh secrets and ACL tokens.

PostgreSQL

Dynamic database credentials for PostgreSQL with configurable role TTLs.

Nomad

Native HashiCorp Nomad integration for workload identity and secrets.

Ansible

HashiCorp Vault lookup plugin for Ansible playbook secret retrieval.

Semantic Vocabularies

Vault Kv Context

10 classes · 15 properties

JSON-LD

Vault Sys Context

17 classes · 19 properties

JSON-LD

API Governance Rules

HashiCorp Vault API Rules

28 rules · 11 errors 12 warnings 5 info

SPECTRAL

JSON Structure

Vault Kv Kv Config Request Structure

3 properties

JSON STRUCTURE

Vault Kv Kv Config Response Structure

1 properties

JSON STRUCTURE

Vault Kv Secret Data Request Structure

2 properties

JSON STRUCTURE

Vault Kv Secret Data Response Structure

1 properties

JSON STRUCTURE

Vault Kv Secret Metadata Request Structure

4 properties

JSON STRUCTURE

Vault Kv Secret Metadata Response Structure

1 properties

JSON STRUCTURE

Vault Kv Secret Version Metadata Structure

4 properties

JSON STRUCTURE

Vault Kv Secret Write Response Structure

1 properties

JSON STRUCTURE

Vault Kv Versions Request Structure

1 properties

JSON STRUCTURE

Vault Sys Auth Method Config Structure

3 properties

JSON STRUCTURE

Vault Sys Auth Methods Response Structure

1 properties

JSON STRUCTURE

Vault Sys Enable Mount Request Structure

3 properties

JSON STRUCTURE

Vault Sys Health Response Structure

6 properties

JSON STRUCTURE

Vault Sys Lease Id Request Structure

1 properties

JSON STRUCTURE

Vault Sys Lease Renew Response Structure

3 properties

JSON STRUCTURE

Vault Sys Lease Response Structure

1 properties

JSON STRUCTURE

Vault Sys Mount Config Structure

4 properties

JSON STRUCTURE

Vault Sys Mounts Response Structure

1 properties

JSON STRUCTURE

Vault Sys Policies List Response Structure

1 properties

JSON STRUCTURE

Vault Sys Policy Request Structure

1 properties

JSON STRUCTURE

Vault Sys Policy Response Structure

1 properties

JSON STRUCTURE

Vault Sys Renew Lease Request Structure

2 properties

JSON STRUCTURE

Example Payloads

Resources

🌐
Portal
Portal
🔗
Website
Website
📰
Blog
Blog
🟢
StatusPage
StatusPage
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
👥
GitHubOrganization
GitHubOrganization
👥
GitHubRepository
GitHubRepository
🔗
Forums
Forums
👥
StackOverflow
StackOverflow
🎓
Training
Training
🔗
SpectralRules
SpectralRules

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: HashiCorp Vault System Backend API
  version: '2.0'
request:
  auth:
    type: apikey
    key: X-Vault-Token
    value: '{{X-Vault-Token}}'
    placement: header
items:
- info:
    name: Health
    type: folder
  items:
  - info:
      name: HashiCorp Vault Get Health Status
      type: http
    http:
      method: GET
      url: https://vault.example.com/v1/sys/health
    docs: Returns the health status of Vault. Returns HTTP 200 if Vault is initialized and unsealed, 429 if standby, 472 if
      recovery mode, and 503 if sealed or uninitialized.
- info:
    name: Auth Methods
    type: folder
  items:
  - info:
      name: HashiCorp Vault List Auth Methods
      type: http
    http:
      method: GET
      url: https://vault.example.com/v1/sys/auth
    docs: List all currently enabled authentication methods. Returns configuration details for each auth method including
      type, description, and tuning settings.
  - info:
      name: HashiCorp Vault Enable Auth Method
      type: http
    http:
      method: POST
      url: https://vault.example.com/v1/sys/auth/:path
      params:
      - name: path
        value: ''
        type: path
        description: Mount path for the auth method or secrets engine. Must not contain slashes at the beginning or end.
      body:
        type: json
        data: '{}'
    docs: Enable a new auth method at the specified path. Requires sudo capability. Supported types include approle, aws,
      azure, github, jwt, kubernetes, ldap, oidc, okta, radius, token, and userpass.
  - info:
      name: HashiCorp Vault Disable Auth Method
      type: http
    http:
      method: DELETE
      url: https://vault.example.com/v1/sys/auth/:path
      params:
      - name: path
        value: ''
        type: path
        description: Mount path for the auth method or secrets engine. Must not contain slashes at the beginning or end.
    docs: Disable the auth method at the specified path. Any tokens associated with this auth method will be revoked. Requires
      sudo capability.
- info:
    name: Secrets Engines
    type: folder
  items:
  - info:
      name: HashiCorp Vault List Secrets Engine Mounts
      type: http
    http:
      method: GET
      url: https://vault.example.com/v1/sys/mounts
    docs: List all mounted secrets engines with their configuration, accessor, and options. Returns a map of mount path to
      engine configuration.
  - info:
      name: HashiCorp Vault Enable Secrets Engine
      type: http
    http:
      method: POST
      url: https://vault.example.com/v1/sys/mounts/:path
      params:
      - name: path
        value: ''
        type: path
        description: Mount path for the auth method or secrets engine. Must not contain slashes at the beginning or end.
      body:
        type: json
        data: '{}'
    docs: Mount a new secrets engine at the specified path. Supported types include aws, azure, consul, database, gcp, kv,
      nomad, pki, rabbitmq, ssh, totp, transit, and more.
  - info:
      name: HashiCorp Vault Disable Secrets Engine
      type: http
    http:
      method: DELETE
      url: https://vault.example.com/v1/sys/mounts/:path
      params:
      - name: path
        value: ''
        type: path
        description: Mount path for the auth method or secrets engine. Must not contain slashes at the beginning or end.
    docs: Unmount a secrets engine. All secrets stored in this engine will be revoked. This operation is irreversible.
- info:
    name: Policies
    type: folder
  items:
  - info:
      name: HashiCorp Vault List ACL Policies
      type: http
    http:
      method: GET
      url: https://vault.example.com/v1/sys/policies/acl
    docs: List all ACL policies currently configured in Vault. Returns a list of policy names.
  - info:
      name: HashiCorp Vault Read ACL Policy
      type: http
    http:
      method: GET
      url: https://vault.example.com/v1/sys/policies/acl/:name
      params:
      - name: name
        value: ''
        type: path
        description: Name of the policy.
    docs: Retrieve the HCL rules for an ACL policy by name. Returns the policy document which defines path-based access rules.
  - info:
      name: HashiCorp Vault Write ACL Policy
      type: http
    http:
      method: POST
      url: https://vault.example.com/v1/sys/policies/acl/:name
      params:
      - name: name
        value: ''
        type: path
        description: Name of the policy.
      body:
        type: json
        data: '{}'
    docs: Create or update an ACL policy. Policies are written in HashiCorp Configuration Language (HCL) and define path-based
      access rules with capabilities such as create, read, update, delete, list, and sudo.
  - info:
      name: HashiCorp Vault Delete ACL Policy
      type: http
    http:
      method: DELETE
      url: https://vault.example.com/v1/sys/policies/acl/:name
      params:
      - name: name
        value: ''
        type: path
        description: Name of the policy.
    docs: Delete an ACL policy from Vault. Tokens associated with this policy will lose access defined by the policy.
- info:
    name: Leases
    type: folder
  items:
  - info:
      name: HashiCorp Vault Lookup Lease
      type: http
    http:
      method: PUT
      url: https://vault.example.com/v1/sys/leases/lookup
      body:
        type: json
        data: '{}'
    docs: Retrieve information about a lease including its expiration time, renewable status, and associated secret path.
  - info:
      name: HashiCorp Vault Renew Lease
      type: http
    http:
      method: PUT
      url: https://vault.example.com/v1/sys/leases/renew
      body:
        type: json
        data: '{}'
    docs: Renew a lease, extending the TTL of the associated secret or token. Only renewable leases can be renewed.
  - info:
      name: HashiCorp Vault Revoke Lease
      type: http
    http:
      method: PUT
      url: https://vault.example.com/v1/sys/leases/revoke
      body:
        type: json
        data: '{}'
    docs: Revoke a lease and the associated secret. For dynamic secrets, this will trigger revocation of the credential in
      the target system.
bundled: true