1--- 2layout: "intro" 3page_title: "Using the HTTP APIs with Authentication" 4sidebar_title: "HTTP API" 5sidebar_current: "gettingstarted-apis" 6description: |- 7 Using the HTTP APIs for authentication and secret access. 8--- 9 10# Using the HTTP APIs with Authentication 11 12All of Vault's capabilities are accessible via the HTTP API in addition to the 13CLI. In fact, most calls from the CLI actually invoke the HTTP API. In some 14cases, Vault features are not available via the CLI and can only be accessed 15via the HTTP API. 16 17Once you have started the Vault server, you can use `curl` or any other http 18client to make API calls. For example, if you started the Vault server in 19[dev mode](/docs/concepts/dev-server.html), you could validate the 20initialization status like this: 21 22```text 23$ curl http://127.0.0.1:8200/v1/sys/init 24``` 25 26This will return a JSON response: 27 28```json 29{ 30 "initialized": true 31} 32``` 33 34## Accessing Secrets via the REST APIs 35 36Machines that need access to information stored in Vault will most likely 37access Vault via its REST API. For example, if a machine were using 38[AppRole](/docs/auth/approle.html) for authentication, the application would 39first authenticate to Vault which would return a Vault API token. The 40application would use that token for future communication with Vault. 41 42For the purpose of this guide, we will use the following configuration which 43disables TLS and uses a file-based backend. TLS is disabled here only for 44example purposes; it should never be disabled in production. 45 46```hcl 47backend "file" { 48 path = "vault" 49} 50 51listener "tcp" { 52 tls_disable = 1 53} 54``` 55 56Save this file on disk as `config.hcl` and then start the Vault server: 57 58```text 59$ vault server -config=config.hcl 60``` 61 62At this point, we can use Vault's API for all our interactions. For example, we 63can initialize Vault like this: 64 65```text 66$ curl \ 67 --request POST \ 68 --data '{"secret_shares": 1, "secret_threshold": 1}' \ 69 http://127.0.0.1:8200/v1/sys/init 70``` 71 72The response should be JSON and looks something like this: 73 74```json 75{ 76 "keys": [ 77 "373d500274dd8eb95271cb0f868e4ded27d9afa205d1741d60bb97cd7ce2fe41" 78 ], 79 "keys_base64": [ 80 "Nz1QAnTdjrlSccsPho5N7SfZr6IF0XQdYLuXzXzi/kE=" 81 ], 82 "root_token": "6fa4128e-8bd2-fd02-0ea8-a5e020d9b766" 83} 84``` 85 86This response contains our initial root token. It also includes the unseal key. 87You can use the unseal key to unseal the Vault and use the root token to perform 88other requests in Vault that require authentication. 89 90To make this guide easy to copy-and-paste, we will be using the environment 91variable `$VAULT_TOKEN` to store the root token. You can export this Vault 92token in your current shell like this: 93 94```sh 95$ export VAULT_TOKEN=6fa4128e-8bd2-fd02-0ea8-a5e020d9b766 96``` 97 98Using the unseal key (not the root token) from above, you can unseal the Vault 99via the HTTP API: 100 101```text 102$ curl \ 103 --request POST \ 104 --data '{"key": "Nz1QAnTdjrlSccsPho5N7SfZr6IF0XQdYLuXzXzi/kE="}' \ 105 http://127.0.0.1:8200/v1/sys/unseal 106``` 107 108Note that you should replace `Nz1QAnT...` with the generated key from your 109output. This will return a JSON response: 110 111```json 112{ 113 "sealed": false, 114 "t": 1, 115 "n": 1, 116 "progress": 0, 117 "nonce": "", 118 "version": "1.2.3", 119 "cluster_name": "vault-cluster-9d524900", 120 "cluster_id": "d69ab1b0-7e9a-2523-0d05-b0bfd09caeea" 121} 122``` 123 124Now any of the available auth methods can be enabled and configured. 125For the purposes of this guide lets enable [AppRole](/docs/auth/approle.html) 126authentication. 127 128Start by enabling the AppRole authentication. 129 130```text 131$ curl \ 132 --header "X-Vault-Token: $VAULT_TOKEN" \ 133 --request POST \ 134 --data '{"type": "approle"}' \ 135 http://127.0.0.1:8200/v1/sys/auth/approle 136``` 137 138Notice that the request to enable the AppRole endpoint needed an authentication 139token. In this case we are passing the root token generated when we started 140the Vault server. We could also generate tokens using any other authentication 141mechanisms, but we will use the root token for simplicity. 142 143Now create an AppRole with desired set of [ACL 144policies](/docs/concepts/policies.html). In the following command, it is being 145specified that the tokens issued under the AppRole `my-role`, should be 146associated with `dev-policy` and the `my-policy`. 147 148```text 149$ curl \ 150 --header "X-Vault-Token: $VAULT_TOKEN" \ 151 --request POST \ 152 --data '{"policies": ["dev-policy", "my-policy"]}' \ 153 http://127.0.0.1:8200/v1/auth/approle/role/my-role 154``` 155 156The AppRole backend, in its default configuration expects two hard to guess 157credentials, a role ID and a secret ID. This command fetches the role ID of the 158`my-role`. 159 160```text 161$ curl \ 162 --header "X-Vault-Token: $VAULT_TOKEN" \ 163 http://127.0.0.1:8200/v1/auth/approle/role/my-role/role-id 164``` 165 166The response will include a `data` key with the `role_id`: 167 168```json 169{ 170 "data": { 171 "role_id": "86a32a73-1f2b-05e0-113a-dfa930145d72" 172 } 173} 174``` 175 176This command creates a new secret ID under the `my-role`. 177 178```text 179$ curl \ 180 --header "X-Vault-Token: $VAULT_TOKEN" \ 181 --request POST \ 182 http://127.0.0.1:8200/v1/auth/approle/role/my-role/secret-id 183``` 184 185The response will include the `secret_id` in the `data` key: 186 187```json 188{ 189 "data": { 190 "secret_id": "cd4b2002-3e3b-aceb-378d-5caa84dffd14", 191 "secret_id_accessor": "6b9b58f6-d11a-c73c-ffa8-04a47d42716b" 192 } 193} 194``` 195 196These two credentials can be supplied to the login endpoint to fetch a new 197Vault token. 198 199```text 200$ curl \ 201 --request POST \ 202 --data '{"role_id": "86a32a73-1f2b-05e0-113a-dfa930145d72", "secret_id": "cd4b2002-3e3b-aceb-378d-5caa84dffd14"}' \ 203 http://127.0.0.1:8200/v1/auth/approle/login 204``` 205 206The response will be JSON, under the key `auth`: 207 208```json 209{ 210 "auth": { 211 "client_token": "50617721-dfb5-1916-7b13-4091e169d28c", 212 "accessor": "ada8d354-47c0-5d9e-50f9-d74e6de2df9b", 213 "policies": [ 214 "default", 215 "dev-policy", 216 "my-policy" 217 ], 218 "metadata": { 219 "role_name": "my-role" 220 }, 221 "lease_duration": 2764800, 222 "renewable": true 223 } 224} 225``` 226 227The returned client token (`50617721...`) can be used to authenticate with 228Vault. This token will be authorized with specific capabilities on all the 229resources encompassed by the policies `default`, `dev-policy` and `my-policy`. 230 231The newly acquired token can be exported as a new `VAULT_TOKEN` and use it to 232authenticate Vault requests. 233 234```sh 235$ export VAULT_TOKEN="50617721-dfb5-1916-7b13-4091e169d28c" 236``` 237 238```text 239$ curl \ 240 --header "X-Vault-Token: $VAULT_TOKEN" \ 241 --request POST \ 242 --data '{"bar": "baz"}' \ 243 http://127.0.0.1:8200/v1/secret/foo 244``` 245 246This will create a new secret named "foo" with the given JSON contents. We can 247read this value back with the same token: 248 249```text 250$ curl \ 251 --header "X-Vault-Token: $VAULT_TOKEN" \ 252 http://127.0.0.1:8200/v1/secret/foo 253``` 254 255This should return a response like this: 256 257```json 258{ 259 "data": { 260 "bar": "baz" 261 }, 262 "lease_duration": 2764800, 263 "renewable": false, 264 "request_id": "5e246671-ec05-6fc8-9f93-4fe4512f34ab" 265} 266``` 267 268You can see the documentation on the [HTTP APIs](/api/index.html) for 269more details on other available endpoints. 270 271Congratulations! You now know all the basics to get started with Vault. 272 273## Next 274 275Next, we have a page dedicated to [next 276steps](/intro/getting-started/next-steps.html) depending on what you would like 277to achieve. 278