Configure the identity tokens backend
This endpoint updates configurations for OIDC-compliant identity tokens issued by Vault.
Method | Path |
---|---|
POST | identity/oidc/config |
Parameters
issuer (string: "") – Issuer URL to be used in the iss claim of the token. If not set, Vault's api_addr will be used. The issuer is a case-sensitive URL using the https scheme that contains scheme, host, and an optional port number.
Sample payload
Sample request
Sample response
Read configurations for the identity tokens backend
This endpoint queries Vault's identity token configuration.
Method | Path |
---|---|
GET | identity/oidc/config |
Sample request
Sample response
Create a named key
This endpoint creates or updates a named key which is used by a role to sign tokens.
Method | Path |
---|---|
POST | identity/oidc/key/:name |
Parameters
name (string) – Name of the named key.
rotation_period (int or time string: "24h") – How often to generate a new signing key. Uses duration format strings.
verification_ttl (int or time string: "24h") – Controls how long the public portion of a signing key will be available for verification after being rotated. Uses duration format strings.
allowed_client_ids (list: []) – Array of role client IDs allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed.
algorithm (string: "RS256") – Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.
Sample payload
Sample request
Read a named key
This endpoint queries a named key and returns its configurations.
Method | Path |
---|---|
GET | identity/oidc/key/:name |
Parameters
name (string) – Name of the key.
Sample request
Sample response
Delete a named key
This endpoint deletes a named key.
Method | Path |
---|---|
DELETE | identity/oidc/key/:name |
Parameters
name (string) – Name of the key.
Sample request
List named keys
This endpoint lists all named keys.
Method | Path |
---|---|
LIST | identity/oidc/key |
Sample request
Sample response
Rotate a named key
This endpoint rotates a named key.
Method | Path |
---|---|
POST | identity/oidc/key/:name/rotate |
Parameters
name (string) – Name of the key to be rotated.
verification_ttl (string: <optional>) – Controls how long the public portion of the key will be available for verification after being rotated. Setting verification_ttl here overrides the verification_ttl set on the key.
Sample payload
Sample request
Create or update a role
Create or update a role. ID tokens are generated against a role and signed against a named key.
Method | Path |
---|---|
POST | identity/oidc/role/:name |
Parameters
name (string) – Name of the role.
key (string) – A configured named key; the key must already exist.
template (string: <optional>) – The template string to use for generating tokens. This may be in stringified JSON or base64 format.
client_id (string: <optional>) – Optional client ID. A random ID will be generated if left unset.
ttl (int or time string: "24h") – TTL of the tokens generated against the role. Uses duration format strings.
Sample payload
Sample request
Read a role
This endpoint queries a role and returns its configuration.
Method | Path |
---|---|
GET | identity/oidc/role/:name |
Parameters
name (string) – Name of the role.
Sample request
Sample response
Delete a role
This endpoint deletes a role.
Method | Path |
---|---|
DELETE | identity/oidc/role/:name |
Parameters
name (string) – Name of the role.
Sample request
List roles
This endpoint lists all roles.
Method | Path |
---|---|
LIST | identity/oidc/role |
Sample request
Sample response
Generate a signed ID token
Use this endpoint to generate a signed ID (OIDC) token.
Method | Path |
---|---|
GET | identity/oidc/token/:name |
Parameters
name (string: "") – The name of the role against which to generate a signed ID token.
Sample request
Sample response
Introspect a signed ID token
This endpoint can verify the authenticity and active state of a signed ID token.
Method | Path |
---|---|
POST | identity/oidc/introspect |
Parameters
token (string) – A signed OIDC-compliant ID token.
client_id (string: <optional>) – Specifying the client ID additionally requires the token to contain a matching aud claim.
Sample payload
Sample request
Sample response
Read the OpenID configuration from an identity token issuer
Use the .well-known endpoint to retrieve an OpenID Provider Configuration Response with a set of claims about the identity token issuer.
Method | Path |
---|---|
GET | identity/oidc/.well-known/openid-configuration |
Sample request
Sample response
Read identity token issuer's public JWKS
Query identity/oidc/.well-known/keys to retrieve the public portion of named keys. Clients can use this to validate the authenticity of an identity token.
Sample request
Sample response
Read plugin identity token issuer's OpenID configuration (Enterprise)
Use the .well-known endpoint to retrieve an OpenID Provider Configuration Response with a set of claims about the plugin identity token issuer.
Method | Path |
---|---|
GET | identity/oidc/plugins/.well-known/openid-configuration |
Sample request
Sample response
Read the public JWKS from a plugin identity token issuer (Enterprise)
Query this path to retrieve the public portion of named keys. Clients can use this to validate the authenticity of an identity token.
Sample request
Sample response