Vault Auth Methods API

APIs for authentication methods including Token, AppRole, Kubernetes, LDAP, JWT/OIDC, GitHub, and more.


OpenAPI Specification

hvault-auth-methods-openapi.yml
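openapi: 3.1.0
info:
  # The original title repeated the word "Vault".
  title: HashiCorp Vault Auth Methods API
  # NOTE(review): the description lists AWS, but no /auth/aws paths appear in
  # the visible part of this spec; confirm against the full upstream file.
  description: >-
    APIs for authentication methods in HashiCorp Vault including Token, AppRole,
    Kubernetes, LDAP, JWT/OIDC, GitHub, Userpass, and AWS auth methods. These
    endpoints handle user and machine authentication to obtain Vault tokens.
  version: '1.0'
  contact:
    name: HashiCorp Support
    # NOTE(review): the address was mangled by whatever produced this copy.
    # Left unquoted, "[email protected]" parses as a YAML flow sequence rather
    # than a string, so it is quoted here to keep the field a string. Restore
    # the real address from the upstream file.
    email: '[email protected]'
    url: https://support.hashicorp.com/
  license:
    name: Business Source License 1.1
    url: https://github.com/hashicorp/vault/blob/main/LICENSE
externalDocs:
  description: Vault Auth Methods API Documentation
  url: https://developer.hashicorp.com/vault/api-docs/auth
servers:
  # Placeholder host; Vault's HTTP API lives under the /v1 prefix.
  - url: https://vault.example.com/v1
    description: Vault Server
tags:
  - name: AppRole
    description: AppRole auth method for machine-to-machine authentication
  - name: GitHub
    description: GitHub auth method for organization-based authentication
  - name: JWT/OIDC
    description: JWT/OIDC auth method for identity provider authentication
  - name: Kubernetes
    description: Kubernetes auth method for pod authentication
  - name: LDAP
    description: LDAP auth method for directory-based authentication
  - name: Token
    description: Token auth method for token lifecycle management
  - name: Userpass
    description: Username and password auth method
# Default for every operation: a Vault token in the X-Vault-Token header.
# The login operations below override this with `security: []`, since they
# are the operations that issue the token in the first place.
security:
  - vaultToken: []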
paths:
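  /auth/token/create:
    post:
      operationId: createToken
      summary: HashiCorp Vault Create token
      # The original pointed at a non-existent "/auth/token/create/orphan"
      # path; the orphan endpoint in this spec is /auth/token/create-orphan.
      description: >-
        Creates a new token as a child of the calling token. Several options
        (a custom id, period, no_parent, and policies that are not a subset of
        the caller's own) are only honoured for a root or sudo caller; see
        CreateTokenRequest. Orphan tokens can also be created without sudo via
        the /auth/token/create-orphan endpoint, which is gated by policy on
        that path instead.
      tags:
        - Token
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateTokenRequest'
      responses:
        '200':
          # auth.client_token in the response is the newly minted secret;
          # it must never be logged.
          description: Token created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Invalid request
        '403':
          description: Permission denied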
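  /auth/token/create-orphan:
    post:
      operationId: createOrphanToken
      summary: HashiCorp Vault Create orphan token
      # NOTE(review): the original said this endpoint requires a root or sudo
      # token, which contradicted the /auth/token/create description in the
      # same file and the linked Vault API docs: orphan creation via this path
      # does not need sudo, it is governed by policy on the path itself. The
      # sudo requirement applies to the no_parent option on /auth/token/create.
      description: >-
        Creates a new orphan token (no parent, so it is not revoked when the
        caller's token is revoked). Unlike the no_parent option on
        /auth/token/create, this endpoint does not require a root or sudo
        token; grant it with a policy on auth/token/create-orphan. Root-only
        fields in the request body (for example a custom id) still apply.
      tags:
        - Token
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateTokenRequest'
      responses:
        '200':
          # auth.client_token in the response is the new secret; never log it.
          description: Orphan token created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Invalid request
        '403':
          description: Permission denied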
  /auth/token/create/{role_name}:
    post:
      operationId: createTokenWithRole
      summary: HashiCorp Vault Create token with role
      # Per the linked Vault docs, settings on the named token role take
      # precedence over the matching fields in the request body. A role's
      # allowed_policies can grant policies the caller does not itself hold,
      # so write access to token roles is a privileged operation in its own
      # right (see /auth/token/roles/{role_name}).
      description: Creates a new token based on a named token role.
      tags:
        - Token
      parameters:
        - name: role_name
          in: path
          required: true
          description: Name of the token role
          schema:
            type: string
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateTokenRequest'
      responses:
        '200':
          # auth.client_token in the response is the new secret; never log it.
          description: Token created with role
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Invalid request
        '403':
          description: Permission denied
  /auth/token/lookup:
    post:
      operationId: lookupToken
      summary: HashiCorp Vault Lookup token
      # The token being inspected travels in the JSON body rather than in
      # X-Vault-Token, but it is still a bearer secret: keep it out of request
      # logs and client-side debug output.
      description: Returns information about the specified token.
      tags:
        - Token
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  description: Token to look up
      responses:
        '200':
          # TokenLookupResponse.data.id echoes the looked-up token value, so
          # the response is as sensitive as the request.
          description: Token information returned
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenLookupResponse'
        '403':
          # Vault answers 403 both when the caller lacks permission and when
          # the supplied token does not exist; callers cannot tell the two
          # apart from the status code alone.
          description: Permission denied or bad token
  /auth/token/lookup-self:
    get:
      operationId: lookupSelfToken
      summary: HashiCorp Vault Lookup self token
      # Cheap way for a client to learn its own remaining ttl, policies and
      # num_uses before deciding whether to renew. Vault's built-in default
      # policy grants this path, so it normally needs no extra policy.
      description: Returns information about the token used to make this request.
      tags:
        - Token
      responses:
        '200':
          description: Self token information returned
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenLookupResponse'
        '403':
          description: Permission denied
  /auth/token/renew:
    post:
      operationId: renewToken
      summary: HashiCorp Vault Renew token
      # Renewal never extends a token beyond its maximum TTL (explicit_max_ttl
      # on the token/role, or the mount and system maximums); periodic tokens
      # are renewed by their period instead. The token value is supplied in
      # the body and is a bearer secret -- keep it out of logs.
      description: Renews a lease associated with the specified token.
      tags:
        - Token
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  description: Token to renew
                increment:
                  type: string
                  # A request, not a guarantee: Vault may grant a shorter
                  # extension than asked for, or ignore the increment.
                  description: Requested renewal increment (e.g., 1h)
      responses:
        '200':
          # Check auth.lease_duration in the response for the TTL actually
          # granted rather than assuming the increment was honoured.
          description: Token renewed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Token not renewable
        '403':
          description: Permission denied
  /auth/token/renew-self:
    post:
      operationId: renewSelfToken
      summary: HashiCorp Vault Renew self token
      # Same semantics as /auth/token/renew but for the caller's own token.
      # Vault's built-in default policy grants this path, so long-running
      # clients can keep their token alive without extra policy.
      description: Renews the lease on the token used to make this request.
      tags:
        - Token
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                increment:
                  type: string
                  # A request, not a guarantee; bounded by the token's max TTL.
                  description: Requested renewal increment (e.g., 1h)
      responses:
        '200':
          # auth.lease_duration in the response is the TTL actually granted.
          description: Token renewed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Token not renewable
  /auth/token/revoke:
    post:
      operationId: revokeToken
      summary: HashiCorp Vault Revoke token
      # Revocation is recursive: child tokens and, per the Vault docs, any
      # dynamic secrets/leases obtained with the token are revoked as well.
      # This is the right response to a suspected token compromise. The
      # token value itself is sent in the body, so keep it out of logs.
      description: Revokes the specified token and all child tokens.
      tags:
        - Token
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  description: Token to revoke
      responses:
        '204':
          description: Token revoked
        '403':
          description: Permission denied
  /auth/token/revoke-self:
    post:
      operationId: revokeSelfToken
      summary: HashiCorp Vault Revoke self token
      # The "logout" call: clients should invoke it when they are done with a
      # token instead of letting it expire. Vault's built-in default policy
      # grants this path. No body is needed; the token comes from X-Vault-Token.
      description: Revokes the token used to make this request.
      tags:
        - Token
      responses:
        '204':
          description: Token revoked
  /auth/token/roles/{role_name}:
    # Token roles are a privilege-escalation surface: per the Vault docs a
    # role's allowed_policies lets tokens be minted with policies the caller
    # does not hold, and orphan/explicit_max_ttl/token_period relax the usual
    # lifetime limits. Restrict write and delete on this path accordingly.
    get:
      operationId: readTokenRole
      summary: HashiCorp Vault Read token role
      description: Reads the configuration of the named token role.
      tags:
        - Token
      parameters:
        - $ref: '#/components/parameters/roleName'
      responses:
        '200':
          description: Token role configuration
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenRole'
        '404':
          description: Role not found
    post:
      operationId: createOrUpdateTokenRole
      summary: HashiCorp Vault Create or update token role
      # Upsert semantics: posting to an existing role overwrites it.
      description: Creates or updates the named token role.
      tags:
        - Token
      parameters:
        - $ref: '#/components/parameters/roleName'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/TokenRole'
      responses:
        '204':
          description: Token role created or updated
        '400':
          description: Invalid request
    delete:
      operationId: deleteTokenRole
      summary: HashiCorp Vault Delete token role
      # Deleting a role does not revoke tokens already issued through it.
      description: Deletes the named token role.
      tags:
        - Token
      parameters:
        - $ref: '#/components/parameters/roleName'
      responses:
        '204':
          description: Token role deleted
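  /auth/approle/login:
    post:
      operationId: loginWithAppRole
      summary: HashiCorp Vault Login with AppRole
      description: >-
        Authenticates with Vault using a role ID and secret ID to obtain a
        Vault token. Both values are credentials: role_id identifies the role
        and secret_id proves possession. Because this endpoint is reachable
        without a token, keep secret IDs short-lived (secret_id_ttl /
        secret_id_num_uses on the role) and CIDR-bound where possible.
      tags:
        - AppRole
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - role_id
                - secret_id
              properties:
                role_id:
                  type: string
                  description: The AppRole role ID
                secret_id:
                  type: string
                  # Mark as a secret so generated docs/clients mask it.
                  format: password
                  description: >-
                    The AppRole secret ID. Required when bind_secret_id is
                    enabled on the role (the default). Sensitive; never log.
      responses:
        '200':
          # auth.client_token in the response is the issued Vault token.
          description: Authentication successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Invalid credentials
      # Unauthenticated by design: this is how a token is obtained.
      security: []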
  /auth/approle/role/{role_name}:
    # The role definition decides what a login with this role is granted
    # (policies, token TTLs, CIDR bounds) and how long its secret IDs live
    # (see the secret_id_ttl / secret_id_num_uses fields returned by the
    # secret-id endpoint). Write access here is equivalent to the ability to
    # mint credentials for those policies; restrict it accordingly.
    get:
      operationId: readAppRole
      summary: HashiCorp Vault Read AppRole
      description: Reads the properties of the named AppRole.
      tags:
        - AppRole
      parameters:
        - $ref: '#/components/parameters/roleName'
      responses:
        '200':
          description: AppRole configuration
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AppRole'
        '404':
          description: Role not found
    post:
      operationId: createOrUpdateAppRole
      summary: HashiCorp Vault Create or update AppRole
      # Upsert semantics: posting to an existing role overwrites it.
      description: Creates or updates the named AppRole.
      tags:
        - AppRole
      parameters:
        - $ref: '#/components/parameters/roleName'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AppRole'
      responses:
        '204':
          description: AppRole created or updated
        '400':
          description: Invalid request
    delete:
      operationId: deleteAppRole
      summary: HashiCorp Vault Delete AppRole
      # Deleting the role invalidates future logins with it; tokens already
      # issued are not revoked by this call.
      description: Deletes the named AppRole.
      tags:
        - AppRole
      parameters:
        - $ref: '#/components/parameters/roleName'
      responses:
        '204':
          description: AppRole deleted
  /auth/approle/role/{role_name}/role-id:
    get:
      operationId: readAppRoleRoleId
      summary: HashiCorp Vault Read AppRole role ID
      # The role ID is the "public" half of the AppRole credential pair: the
      # usual pattern is to bake it into a deployment and deliver the secret
      # ID through a separate channel (typically response-wrapped), so that no
      # single channel carries both. Read access here is still worth
      # restricting, since role_id plus a leaked secret_id is a full login.
      description: Returns the role ID of the named AppRole.
      tags:
        - AppRole
      parameters:
        - $ref: '#/components/parameters/roleName'
      responses:
        '200':
          description: Role ID returned
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: object
                    properties:
                      role_id:
                        type: string
                        description: The AppRole role ID
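  /auth/approle/role/{role_name}/secret-id:
    post:
      operationId: generateAppRoleSecretId
      summary: HashiCorp Vault Generate AppRole secret ID
      description: >-
        Generates a new secret ID for the named AppRole. The returned
        secret_id is a credential: deliver it out of band from the role ID
        (response wrapping is the usual mechanism) and rely on the role's
        secret_id_ttl and secret_id_num_uses to bound its lifetime.
      tags:
        - AppRole
      parameters:
        - $ref: '#/components/parameters/roleName'
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                metadata:
                  type: string
                  description: >-
                    JSON-formatted string of key/value metadata to tie to the
                    secret ID. Per the Vault docs it is copied onto tokens
                    issued with this secret ID and appears in plaintext in
                    audit logs, so do not place secrets in it.
                cidr_list:
                  type: array
                  items:
                    type: string
                  description: >-
                    CIDR blocks from which this secret ID may be used to log
                    in. Must be a subset of the role's own CIDR bound when
                    one is configured.
                token_bound_cidrs:
                  type: array
                  items:
                    type: string
                  description: >-
                    CIDR blocks from which tokens issued via this secret ID may
                    be used. Must be a subset of the role's token_bound_cidrs
                    when one is configured.
      responses:
        '200':
          description: Secret ID generated
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: object
                    properties:
                      secret_id:
                        type: string
                        # Mark as a secret so generated docs/clients mask it.
                        format: password
                        description: The generated secret ID (sensitive; never log)
                      secret_id_accessor:
                        type: string
                        description: >-
                          Accessor for the secret ID. Safe to record; it
                          identifies the secret ID for audit and cleanup
                          without revealing its value.
                      secret_id_num_uses:
                        type: integer
                        description: >-
                          Number of times this secret ID can be used (0 means
                          unlimited)
                      secret_id_ttl:
                        type: integer
                        description: TTL for this secret ID in seconds
        '403':
          description: Permission denied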
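  /auth/kubernetes/login:
    post:
      operationId: loginWithKubernetes
      summary: HashiCorp Vault Login with Kubernetes
      description: >-
        Authenticates with Vault using a Kubernetes service account JWT token.
        Vault verifies the JWT according to the method configuration (see
        /auth/kubernetes/config) and then checks it against the bindings of
        the named role. Prefer short-lived projected service account tokens
        over the long-lived secret-backed ones.
      tags:
        - Kubernetes
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - role
                - jwt
              properties:
                role:
                  type: string
                  description: Name of the Vault role
                jwt:
                  type: string
                  # Bearer credential; mark as a secret so tooling masks it.
                  format: password
                  description: Kubernetes service account JWT token (sensitive)
      responses:
        '200':
          # auth.client_token in the response is the issued Vault token.
          description: Authentication successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Invalid credentials
      # Unauthenticated by design: this is how a token is obtained.
      security: []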
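  /auth/kubernetes/config:
    get:
      operationId: readKubernetesConfig
      summary: HashiCorp Vault Read Kubernetes auth configuration
      description: >-
        Returns the Kubernetes auth method configuration. The token reviewer
        JWT is write-only and is not included in the response.
      tags:
        - Kubernetes
      responses:
        '200':
          description: Configuration returned
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: object
                    # Deliberately no token_reviewer_jwt here.
                    properties:
                      kubernetes_host:
                        type: string
                        description: Kubernetes API server URL
                      kubernetes_ca_cert:
                        type: string
                        description: PEM-encoded CA certificate
                      pem_keys:
                        type: array
                        items:
                          type: string
                        description: PEM-encoded public keys
                      issuer:
                        type: string
                        description: JWT issuer
    post:
      operationId: configureKubernetesAuth
      summary: HashiCorp Vault Configure Kubernetes auth
      description: >-
        Configures the Kubernetes auth method: how Vault reaches the cluster's
        API server and how it verifies service account JWTs at login. Anyone
        who can write this configuration can effectively point login
        validation at an API server they control, so restrict it tightly and
        audit changes.
      tags:
        - Kubernetes
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - kubernetes_host
              properties:
                kubernetes_host:
                  type: string
                  description: Kubernetes API server URL
                kubernetes_ca_cert:
                  type: string
                  description: >-
                    PEM-encoded CA certificate used to verify the API server's
                    TLS certificate. Pin it explicitly when Vault runs outside
                    the cluster; per the Vault docs, when omitted the local
                    pod CA is used only if Vault itself runs in Kubernetes.
                token_reviewer_jwt:
                  type: string
                  # Secret and write-only: it is never returned by GET.
                  format: password
                  description: >-
                    Service account JWT presented as a bearer token to the
                    TokenReview API when validating login JWTs. Sensitive and
                    write-only. Per the Vault docs, if unset and Vault is not
                    running in a pod, the JWT submitted at login is used for
                    the TokenReview call instead, which requires every
                    logging-in service account to hold that permission.
                pem_keys:
                  type: array
                  items:
                    type: string
                  description: >-
                    PEM-encoded public keys (or certificates) used to verify
                    service account JWT signatures locally instead of calling
                    the TokenReview API.
                issuer:
                  type: string
                  description: >-
                    Expected JWT issuer claim. Marked deprecated in recent
                    Vault releases; confirm against the linked docs before
                    relying on it.
      responses:
        '204':
          description: Configuration updated
        '400':
          description: Invalid request
        '403':
          description: Permission denied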
  /auth/kubernetes/role/{name}:
    # The role is where Kubernetes identities are mapped to Vault policies.
    # NOTE(review): the KubernetesRole schema lies outside this excerpt;
    # confirm it carries the service-account name/namespace bindings that
    # scope which pods may use the role, and avoid wildcard bindings that
    # would admit every workload in a namespace.
    get:
      operationId: readKubernetesRole
      summary: HashiCorp Vault Read Kubernetes role
      description: Reads the named Kubernetes auth role configuration.
      tags:
        - Kubernetes
      parameters:
        - name: name
          in: path
          required: true
          description: Name of the role
          schema:
            type: string
      responses:
        '200':
          description: Role configuration returned
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/KubernetesRole'
        '404':
          description: Role not found
    post:
      operationId: createOrUpdateKubernetesRole
      summary: HashiCorp Vault Create or update Kubernetes role
      # Upsert semantics: posting to an existing role overwrites it.
      description: Creates or updates the named Kubernetes auth role.
      tags:
        - Kubernetes
      parameters:
        - name: name
          in: path
          required: true
          description: Name of the role
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/KubernetesRole'
      responses:
        '204':
          description: Role created or updated
        '400':
          description: Invalid request
    delete:
      operationId: deleteKubernetesRole
      summary: HashiCorp Vault Delete Kubernetes role
      # Tokens already issued through the role are not revoked by this call.
      description: Deletes the named Kubernetes auth role.
      tags:
        - Kubernetes
      parameters:
        - name: name
          in: path
          required: true
          description: Name of the role
          schema:
            type: string
      responses:
        '204':
          description: Role deleted
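  /auth/ldap/login/{username}:
    post:
      operationId: loginWithLdap
      summary: HashiCorp Vault Login with LDAP
      description: >-
        Authenticates with Vault using LDAP credentials; Vault validates the
        password against the configured directory. The username is part of
        the URL and will therefore appear in proxy and access logs, while the
        password is carried only in the JSON body.
      tags:
        - LDAP
      parameters:
        - name: username
          in: path
          required: true
          description: LDAP username
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - password
              properties:
                password:
                  type: string
                  # Mark as a secret so generated docs/clients mask it.
                  format: password
                  description: LDAP password (sensitive; never log)
      responses:
        '200':
          # auth.client_token in the response is the issued Vault token.
          description: Authentication successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Invalid credentials
      # Unauthenticated by design: this is how a token is obtained.
      security: []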
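  /auth/jwt/login:
    post:
      operationId: loginWithJwt
      summary: HashiCorp Vault Login with JWT/OIDC
      description: >-
        Authenticates with Vault using a signed JWT from a configured identity
        provider; Vault verifies the signature and the role's bound claims
        before issuing a token. The browser-based OIDC redirect flow uses
        additional endpoints that are not described in this spec.
      tags:
        - JWT/OIDC
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              # NOTE(review): the Vault docs state that role falls back to the
              # method's configured default_role when omitted, so `required`
              # may be stricter than the server. Confirm before relaxing it.
              required:
                - role
                - jwt
              properties:
                role:
                  type: string
                  description: Name of the Vault role
                jwt:
                  type: string
                  # Bearer credential; mark as a secret so tooling masks it.
                  format: password
                  description: Signed JWT token (sensitive; never log)
      responses:
        '200':
          # auth.client_token in the response is the issued Vault token.
          description: Authentication successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Invalid credentials
      # Unauthenticated by design: this is how a token is obtained.
      security: []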
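  /auth/userpass/login/{username}:
    post:
      operationId: loginWithUserpass
      summary: HashiCorp Vault Login with username and password
      description: >-
        Authenticates with Vault using a username and password stored in the
        userpass method. The username is part of the URL and will appear in
        proxy and access logs; the password is carried only in the JSON body.
        This endpoint is reachable without a token, so treat it as a
        password-guessing surface (rate-limit at the edge and, where the Vault
        version supports it, enable user lockout).
      tags:
        - Userpass
      parameters:
        - name: username
          in: path
          required: true
          description: Username
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - password
              properties:
                password:
                  type: string
                  # Mark as a secret so generated docs/clients mask it.
                  format: password
                  description: Password for the user (sensitive; never log)
      responses:
        '200':
          # auth.client_token in the response is the issued Vault token.
          description: Authentication successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Invalid credentials
      # Unauthenticated by design: this is how a token is obtained.
      security: []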
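  /auth/userpass/users/{username}:
    get:
      operationId: readUserpassUser
      summary: HashiCorp Vault Read userpass user
      description: >-
        Reads the properties of the named userpass user. The password is
        never returned.
      tags:
        - Userpass
      parameters:
        - name: username
          in: path
          required: true
          description: Username
          schema:
            type: string
      responses:
        '200':
          description: User configuration returned
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: object
                    properties:
                      token_policies:
                        type: array
                        items:
                          type: string
                        description: Policies attached to tokens issued for this user
                      # TTLs are returned as integer seconds even though they
                      # are accepted as duration strings on write.
                      token_ttl:
                        type: integer
                        description: Default token TTL in seconds
                      token_max_ttl:
                        type: integer
                        description: Maximum token TTL in seconds
                      token_bound_cidrs:
                        type: array
                        items:
                          type: string
                        description: CIDR blocks from which issued tokens may be used
        '404':
          description: User not found
    post:
      operationId: createOrUpdateUserpassUser
      summary: HashiCorp Vault Create or update userpass user
      description: >-
        Creates or updates the named userpass user. Anyone who can write here
        can set the password for an existing user, so this path should be as
        restricted as token creation.
      tags:
        - Userpass
      parameters:
        - name: username
          in: path
          required: true
          description: Username
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              # NOTE(review): the Vault docs say the password is only required
              # when creating the user, so `required` may be stricter than the
              # server for updates. Confirm before relaxing it.
              required:
                - password
              properties:
                password:
                  type: string
                  # Secret and write-only: never returned by GET.
                  format: password
                  description: Password for the user (sensitive; never log)
                token_policies:
                  type: array
                  items:
                    type: string
                  description: Policies to assign to tokens
                token_ttl:
                  type: string
                  description: Default token TTL (duration string, e.g., 1h)
                token_max_ttl:
                  type: string
                  description: Maximum token TTL (duration string, e.g., 24h)
                # Accepted on write and returned by GET; was missing from the
                # request schema.
                token_bound_cidrs:
                  type: array
                  items:
                    type: string
                  description: CIDR blocks from which issued tokens may be used
      responses:
        '204':
          description: User created or updated
        '400':
          description: Invalid request
    delete:
      operationId: deleteUserpassUser
      summary: HashiCorp Vault Delete userpass user
      description: >-
        Deletes the named userpass user. Tokens already issued to the user
        are not revoked by this call.
      tags:
        - Userpass
      parameters:
        - name: username
          in: path
          required: true
          description: Username
          schema:
            type: string
      responses:
        '204':
          description: User deleted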
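  /auth/github/login:
    post:
      operationId: loginWithGithub
      summary: HashiCorp Vault Login with GitHub
      description: >-
        Authenticates with Vault using a GitHub personal access token. Vault
        uses the token to confirm membership of the configured organization
        and maps the user's teams to policies; per the Vault docs the token
        needs the read:org scope. A PAT is a long-lived credential with reach
        beyond Vault, so prefer fine-grained, short-lived tokens.
      tags:
        - GitHub
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                  # Mark as a secret so generated docs/clients mask it.
                  format: password
                  description: GitHub personal access token (sensitive; never log)
      responses:
        '200':
          # auth.client_token in the response is the issued Vault token.
          description: Authentication successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/AuthResponse'
        '400':
          description: Invalid credentials
      # Unauthenticated by design: this is how a token is obtained.
      security: []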
components:
  securitySchemes:
    # Every non-login operation expects the Vault token in this header.
    # Current Vault versions also accept `Authorization: Bearer <token>`,
    # which is not modelled here; confirm against the linked docs if needed.
    vaultToken:
      type: apiKey
      in: header
      name: X-Vault-Token
      description: Vault authentication token
  parameters:
    # Shared path parameter for the token and AppRole role endpoints. The
    # Kubernetes role endpoints use an inline `name` parameter instead.
    roleName:
      name: role_name
      in: path
      required: true
      description: Name of the role
      schema:
        type: string
  schemas:
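    AuthResponse:
      type: object
      # Returned by every login and token-create/renew operation. The secret
      # is auth.client_token; everything else is safe to log.
      properties:
        request_id:
          type: string
          description: Unique request identifier
        lease_id:
          type: string
          description: Lease identifier (empty for auth responses)
        renewable:
          type: boolean
          description: Whether the token is renewable
        # For auth responses the authoritative TTL is auth.lease_duration;
        # the top-level lease fields are placeholders.
        lease_duration:
          type: integer
          description: Token TTL in seconds
        auth:
          type: object
          properties:
            client_token:
              type: string
              # Mark as a secret so generated docs/clients mask it.
              format: password
              description: The Vault authentication token (sensitive; never log)
            accessor:
              type: string
              description: >-
                Token accessor. Safe to record; identifies the token for
                lookup and revocation without revealing its value.
            policies:
              type: array
              items:
                type: string
              description: >-
                All policies in effect for the token (token_policies together
                with identity_policies)
            token_policies:
              type: array
              items:
                type: string
              description: Token-specific policies
            identity_policies:
              type: array
              items:
                type: string
              description: Identity-derived policies
            metadata:
              type: object
              additionalProperties:
                type: string
              description: Metadata associated with the token
            lease_duration:
              type: integer
              description: Token TTL in seconds
            renewable:
              type: boolean
              description: Whether the token is renewable
            entity_id:
              type: string
              description: Identity entity ID
            token_type:
              type: string
              description: Type of token (service, batch)
            orphan:
              type: boolean
              description: Whether the token is an orphan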
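    CreateTokenRequest:
      type: object
      # Several fields are only honoured for a root or sudo caller; they are
      # called out individually below (per the linked Vault API docs).
      properties:
        id:
          type: string
          # The value becomes the token itself, so it is a secret.
          format: password
          description: >-
            Custom token ID. Root only; the value may not contain a "."
            character. Omit it to let Vault generate the token.
        role_name:
          type: string
          description: Name of the token role
        policies:
          type: array
          items:
            type: string
          description: >-
            Policies to attach to the token. Must be a subset of the calling
            token's policies unless the caller is root or has sudo on
            auth/token/create; defaults to all of the caller's policies.
        meta:
          type: object
          additionalProperties:
            type: string
          description: Metadata to associate with the token
        no_parent:
          type: boolean
          description: >-
            Create an orphan token. Only honoured for a root or sudo caller;
            non-sudo callers should use /auth/token/create-orphan instead.
        no_default_policy:
          type: boolean
          description: Do not attach the default policy
        renewable:
          type: boolean
          description: Whether the token is renewable
        ttl:
          type: string
          description: Token TTL (e.g., 1h); capped by the applicable max TTL
        explicit_max_ttl:
          type: string
          description: Explicit maximum TTL that renewals can never exceed
        display_name:
          type: string
          description: Display name for the token
        num_uses:
          type: integer
          description: Maximum number of uses (0 for unlimited)
        period:
          type: string
          description: >-
            Renewal period for a periodic token (no max TTL unless
            explicit_max_ttl is set). Requires a root or sudo caller.
        entity_alias:
          type: string
          description: Entity alias name
        type:
          type: string
          enum:
            - service
            - batch
          description: Type of token to create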
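    TokenLookupResponse:
      type: object
      # Returned by lookup and lookup-self. data.id is the token value itself,
      # so the whole response must be handled as a secret.
      properties:
        data:
          type: object
          properties:
            accessor:
              type: string
              description: Token accessor (safe to record)
            creation_time:
              type: integer
              description: Token creation time as Unix epoch
            creation_ttl:
              type: integer
              description: Original TTL in seconds
            display_name:
              type: string
              description: Display name
            entity_id:
              type: string
              description: Identity entity ID
            expire_time:
              type: string
              format: date-time
              description: Token expiration time
            explicit_max_ttl:
              type: integer
              description: Explicit max TTL in seconds
            id:
              type: string
              # The token value; mark as a secret so tooling masks it.
              format: password
              description: Token ID (the token value itself; sensitive)
            issue_time:
              type: string
              format: date-time
              description: Token issue time
            meta:
              type: object
              additionalProperties:
                type: string
              description: Token metadata
            num_uses:
              type: integer
              description: Remaining number of uses
            orphan:
              type: boolean
              description: Whether the token is an orphan
            path:
              type: string
              description: Auth path that created this token
            policies:
              type: array
              items:
                type: string
              description: Policies attached to the token
            renewable:
              type: boolean
              description: Whether the token is renewable
            ttl:
              type: integer
              description: Remaining TTL in seconds
            type:
              type: string
              description: Token type (service, batch)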
    TokenRole:
      type: object
      # Token roles relax the normal token-creation rules, which is why write
      # access to /auth/token/roles/{role_name} is privileged.
      properties:
        allowed_entity_aliases:
          type: array
          items:
            type: string
          description: Allowed entity aliases
        # Per the Vault docs, when set this replaces the usual "subset of the
        # caller's policies" rule: any subset of this list may be requested,
        # including policies the caller does not hold.
        allowed_policies:
          type: array
          items:
            type: string
          description: Policies allowed for tokens created with this role
        disallowed_policies:
          type: array
          items:
            type: string
          description: Policies disallowed for tokens
        # Tokens created through an orphan role outlive the creator's token.
        # NOTE(review): this appears not to need sudo on the caller's side,
        # unlike no_parent on /auth/token/create; confirm against the docs.
        orphan:
          type: boolean
          description: Whether tokens are created as orphans
        path_suffix:
          type: string
          description: Path suffix for audit logging
        renewable:
          type: boolean
          description: Whether tokens are renewable
        explicit_max_ttl:
          type: string
          description: Explicit max TTL
        token_period:
          type: string
          description: Token period
        token_type:
          type: string
          enum:
            - default
            - service
            - batch
          description: Token type
    AppRole:
      type: object
      properties:
        bind_secret_id:
          type: bo

# --- truncated at 32 KB (34 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/hvault/refs/heads/main/openapi/hvault-auth-methods-openapi.yml