Vault
/sys/audit-hash
Restricted endpoint
The API path can only be called from the root or administrative namespace.

The /sys/audit-hash endpoint is used to calculate the hash of data using an audit device's hash function and salt. This can be used to search audit logs for a hashed value when the original value is known.
Calculate hash
This endpoint hashes the given input data with the specified audit device's
hash function and salt. This endpoint can be used to discover whether a given
plaintext string (the input parameter) appears in the audit log in obfuscated
form.
The audit log records requests and responses. Since the Vault API is JSON-based,
any binary data returned from an API call (such as a DER-format certificate) is
base64-encoded by the Vault server in the response. As a result, such information
should also be base64-encoded when it is supplied in the input parameter.
| Method | Path |
|---|---|
| POST | /sys/audit-hash/:path |
Parameters
path (string: <required>) – Specifies the path of the audit device to generate hashes for. This is part of the request URL.

input (string: <required>) – Specifies the input string to hash.
Sample payload
{
  "input": "my-secret-vault"
}
Sample request
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/audit-hash/example-audit
Sample response
{
  "hash": "hmac-sha256:08ba35..."
}
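The search described above, as an added example that is not part of the Vault documentation: it looks for a returned hash in JSON audit log lines and shows why binary values must be hashed in their base64 form. The helper stand_in_audit_hash is a hypothetical local stand-in for the endpoint that assumes HMAC-SHA256 keyed with the device salt (matching the hmac-sha256: prefix in the sample response); in a real deployment the hash comes from POST /sys/audit-hash/:path. The salt, log lines and field names are constructed.

```python
import base64
import hashlib
import hmac
import json

def stand_in_audit_hash(salt, value):
    """Hypothetical stand-in for POST /sys/audit-hash/:path (assumes HMAC-SHA256)."""
    digest = hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest

def find_field_paths(node, target, path=""):
    """Yield the dotted path of every JSON value equal to the target hash."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from find_field_paths(value, target, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_field_paths(value, target, f"{path}[{index}]")
    elif node == target:
        yield path

def search_audit_log(lines, target):
    """Return (line number, entry type, field path) for each occurrence of target."""
    hits = []
    for number, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the search
        if not isinstance(entry, dict):
            continue
        for field_path in find_field_paths(entry, target):
            hits.append((number, entry.get("type"), field_path))
    return hits

# Constructed sample data: salt, certificate bytes and log lines are not real.
SALT = b"constructed-demo-salt"
DER = b"0\x82\x01\x0aconstructed-certificate-bytes"
DER_B64 = base64.b64encode(DER).decode()  # the form the server puts in JSON responses

SAMPLE_LOG = [
    json.dumps({"type": "request", "request": {"path": "secret/app",
                "data": {"password": stand_in_audit_hash(SALT, "my-secret-vault")}}}),
    json.dumps({"type": "response", "request": {"path": "pki/cert/ca"},
                "response": {"data": {"certificate": stand_in_audit_hash(SALT, DER_B64)}}}),
    '{"type": "request", "request": {"path": "secret/ap',  # truncated line
]
```

Hashing the raw certificate bytes instead of DER_B64 produces a value that never appears in the log, because the audit device hashed the base64 string.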