1--- 2layout: "api" 3page_title: "/sys/init - HTTP API" 4sidebar_title: "<code>/sys/init</code>" 5sidebar_current: "api-http-system-init" 6description: |- 7 The `/sys/init` endpoint is used to initialize a new Vault. 8--- 9 10# `/sys/init` 11 12The `/sys/init` endpoint is used to initialize a new Vault. 13 14## Read Initialization Status 15 16This endpoint returns the initialization status of Vault. 17 18| Method | Path | 19| :--------------------------- | :--------------------- | 20| `GET` | `/sys/init` | 21 22### Sample Request 23 24``` 25$ curl \ 26 http://127.0.0.1:8200/v1/sys/init 27``` 28 29### Sample Response 30 31```json 32{ 33 "initialized": true 34} 35``` 36 37## Start Initialization 38 39This endpoint initializes a new Vault. The Vault must not have been previously 40initialized. The recovery options, as well as the stored shares option, are only 41available when using Vault HSM. 42 43| Method | Path | 44| :--------------------------- | :--------------------- | 45| `PUT` | `/sys/init` | 46 47### Parameters 48 49- `pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public keys used 50 to encrypt the output unseal keys. Ordering is preserved. The keys must be 51 base64-encoded from their original binary representation. The size of this 52 array must be the same as `secret_shares`. 53 54- `root_token_pgp_key` `(string: "")` – Specifies a PGP public key used to 55 encrypt the initial root token. The key must be base64-encoded from its 56 original binary representation. 57 58- `secret_shares` `(int: <required>)` – Specifies the number of shares to 59 split the master key into. 60 61- `secret_threshold` `(int: <required>)` – Specifies the number of shares 62 required to reconstruct the master key. This must be less than or equal 63 `secret_shares`. If using Vault HSM with auto-unsealing, this value must be 64 the same as `secret_shares`. 65 66Additionally, the following options are only supported on Vault Pro/Enterprise: 67 68- `stored_shares` `(int: <required>)` – Specifies the number of shares that 69 should be encrypted by the HSM and stored for auto-unsealing. Currently must 70 be the same as `secret_shares`. 71 72- `recovery_shares` `(int: <required>)` – Specifies the number of shares to 73 split the recovery key into. 74 75- `recovery_threshold` `(int: <required>)` – Specifies the number of shares 76 required to reconstruct the recovery key. This must be less than or equal to 77 `recovery_shares`. 78 79- `recovery_pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public 80 keys used to encrypt the output recovery keys. Ordering is preserved. The keys 81 must be base64-encoded from their original binary representation. The size of 82 this array must be the same as `recovery_shares`. 83 84### Sample Payload 85 86```json 87{ 88 "secret_shares": 10, 89 "secret_threshold": 5 90} 91``` 92 93### Sample Request 94 95``` 96$ curl \ 97 --request PUT \ 98 --data @payload.json \ 99 http://127.0.0.1:8200/v1/sys/init 100``` 101 102### Sample Response 103 104A JSON-encoded object including the (possibly encrypted, if `pgp_keys` was 105provided) master keys, base 64 encoded master keys and initial root token: 106 107```json 108{ 109 "keys": ["one", "two", "three"], 110 "keys_base64": ["cR9No5cBC", "F3VLrkOo", "zIDSZNGv"], 111 "root_token": "foo" 112} 113``` 114