Vault
/sys/health
Restricted endpoint
The API path can only be called from the root namespace.The /sys/health
endpoint is used to check the health status of Vault.
Read health information
This endpoint returns the health status of Vault. This matches the semantics of a Consul HTTP health check and provides a simple way to monitor the health of a Vault instance.
Method | Path |
---|---|
HEAD | /sys/health |
GET | /sys/health |
The default status codes are:
200
if initialized, unsealed, and active429
if unsealed and standby472
if disaster recovery secondary (both active and standby nodes within the DR secondary)473
if performance standby501
if not initialized503
if sealed
Note
In rare occasions such as during cluster instability, a node may return 429 even when it was part of a DR secondary (472) or a perf-standby (473). When configuring a Load Balancer based on health status API, it's important to recognize that a 429 indicates a standby node that doesn't process the request itself, read or write.Parameters
standbyok
(bool: false)
– Specifies if being a standby should still return the active status code instead of the standby status code. This is useful when Vault is behind a non-configurable load balancer that just wants a 200-level response. This will not apply if the node is a performance standby.perfstandbyok
(bool: false)
– Specifies if being a performance standby should still return the active status code instead of the performance standby status code. This is useful when Vault is behind a non-configurable load balancer that just wants a 200-level response.activecode
(int: 200)
– Specifies the status code that should be returned for an active node.standbycode
(int: 429)
– Specifies the status code that should be returned for a standby node.drsecondarycode
(int: 472)
– Specifies the status code that should be returned for a DR secondary node.performancestandbycode
(int: 473)
– Specifies the status code that should be returned for a performance standby node.sealedcode
(int: 503)
– Specifies the status code that should be returned for a sealed node.uninitcode
(int: 501)
– Specifies the status code that should be returned for a uninitialized node.
Sample request
$ curl \
http://127.0.0.1:8200/v1/sys/health
Sample request to customize the status code being returned
$ curl -i https://127.0.0.1:8200/v1/sys/health\?drsecondarycode\=200
HTTP/2 200
cache-control: no-store
content-type: application/json
strict-transport-security: max-age=31536000; includeSubDomains
content-length: 364
date: Wed, 26 Jan 2022 09:21:13 GMT
Sample response - CE active node
{
"clock_skew_ms": 0,
"cluster_id": "995f749a-9bc3-fbe0-a185-ccba6999fc73",
"cluster_name": "vault-cluster-e65c0563",
"echo_duration_ms": 0,
"enterprise": false,
"initialized": true,
"performance_standby": false,
"replication_dr_mode": "disabled",
"replication_performance_mode": "disabled",
"sealed": false,
"server_time_utc": 1709559327,
"standby": false,
"version": "1.16.0-rc2"
}
Sample response - Enterprise active node
This response is only returned for a GET
request.
Note: replication_performance_mode
and replication_dr_mode
reflect the state of
the active node in the cluster; if you are querying it for a standby that has
just come up, it may take time for the active node to inform the
standby of its status.
{
"clock_skew_ms": 0,
"cluster_id": "e278ff10-60da-4248-0b0a-dd174d22172d",
"cluster_name": "vault-cluster-88b4e092",
"echo_duration_ms": 0,
"enterprise": true,
"initialized": true,
"last_wal": 362,
"license": {
"expiry_time": "2024-08-03T23:59:59Z",
"state": "autoloaded",
"terminated": false
},
"performance_standby": false,
"replication_dr_mode": "disabled",
"replication_performance_mode": "disabled",
"replication_primary_canary_age_ms": 0,
"sealed": false,
"server_time_utc": 1709558830,
"standby": false,
"version": "1.17.0-beta1+ent"
}