1---
2layout: "docs"
3page_title: "UI - Configuration"
4sidebar_title: "<code>ui</code>"
5sidebar_current: "docs-configuration-ui"
6description: |-
7  Vault features a user interface (web interface) for interacting with Vault.
8  Easily create, read, update, and delete secrets, authenticate, unseal, and
9  more with the Vault UI.
10---
11
12# Vault UI
13
14Vault features a user interface (web interface) for interacting with Vault.
15Easily create, read, update, and delete secrets, authenticate, unseal, and
16more with the Vault UI.
17
18-> The UI requires **Vault 0.10 or higher** or Vault Enterprise.
19
20## Activating the Vault UI
21
22The Vault UI is not activated by default. To activate the UI, set the `ui`
23configuration option in the Vault server configuration. Vault clients do not
24need to set this option, since they will not be serving the UI.
25
26```hcl
27ui = true
28
29listener "tcp" {
30  # ...
31}
32```
33
34For more information, please see the
35[Vault configuration options](/docs/configuration/index.html).
36
37## Accessing the Vault UI
38
39The UI runs on the same port as the Vault listener. As such, you must configure
40at least one `listener` stanza in order to access the UI.
41
42```hcl
43listener "tcp" {
44  address = "10.0.1.35:8200"
45
46  # If bound to localhost, the Vault UI is only
47  # accessible from the local machine!
48  # address = "127.0.0.1:8200"
49}
50```
51
52In this case, the UI is accessible the following URL from any machine on the
53subnet (provided no network firewalls are in place):
54
55```text
56https://10.0.1.35:8200/ui/
57```
58
59It is also accessible at any DNS entry that resolves to that IP address, such as
60the Consul service address (if using Consul):
61
62```text
63https://vault.service.consul:8200/ui/
64```
65
66### Note on TLS
67
68When using TLS (recommended), the certificate must be valid for all DNS entries
69you will be accessing the Vault UI on, and any IP addresses on the SAN. If you
70are running Vault with a self-signed certificate, any browsers that access the
71Vault UI will need to have the root CA installed. Failure to do so may result in
72the browser displaying a warning that the site is "untrusted". It is highly
73recommended that client browsers accessing the Vault UI install the proper CA
74root for validation to reduce the chance of a MITM attack.
75