HashiConf More sessions have been added to the conference agenda. Buy your pass and plan your schedule. Register
Vault
Vault Home

/sys/capabilities

[!IMPORTANT]
Documentation Update: Product documentation, which were located in this repository under /website, are now located in hashicorp/web-unified-docs, colocated with all other product documentation. Contributions to this content should be done in the web-unified-docs repo, and not this one. Changes made to /website content in this repo will not be reflected on the developer.hashicorp.com website.

The /sys/capabilities endpoint is used to fetch the capabilities of a token on the given paths. The capabilities returned will be derived from the policies that are on the token, and from the policies to which the token is entitled to through the entity and entity's group memberships.

Query token capabilities

This endpoint returns the list of capabilities of a given token on the given paths. Multiple paths are taken in at once and the capabilities of the token for each path is returned. For backwards compatibility, if a single path is supplied, a capabilities field will also be returned.

Note

Paths that do not exist or have no capabilities return [deny] in the response.

MethodPath
POST/sys/capabilities

Parameters

  • paths (list: <required>) – Paths on which capabilities are being queried.

  • token (string: <required>) – Token for which capabilities are being queried.

Sample payload

{
  "token": "abcd1234",
  "paths": ["secret/foo"]
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/capabilities

Sample response

{
  "capabilities": ["delete", "list", "read", "update"],
  "secret/foo": ["delete", "list", "read", "update"]
}
Edit this page on GitHub