Vault
/sys/capabilities
The /sys/capabilities
endpoint is used to fetch the capabilities of a token
on the given paths. The capabilities returned will be derived from the policies
that are on the token, and from the policies to which the token is entitled to
through the entity and entity's group memberships.
Query token capabilities
This endpoint returns the list of capabilities of a given token on the given
paths. Multiple paths are taken in at once and the capabilities of the token
for each path is returned. For backwards compatibility, if a single path is
supplied, a capabilities
field will also be returned.
Method | Path |
---|---|
POST | /sys/capabilities |
Parameters
paths
(list: <required>)
– Paths on which capabilities are being queried.token
(string: <required>)
– Token for which capabilities are being queried.
Sample payload
{
"token": "abcd1234",
"paths": ["secret/foo"]
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/sys/capabilities
Sample response
{
"capabilities": ["delete", "list", "read", "update"],
"secret/foo": ["delete", "list", "read", "update"]
}