tokens
Configure the identity tokens backend
This endpoint updates configurations for OIDC-compliant identity tokens issued by OpenBao.
Method | Path |
---|---|
POST | identity/oidc/config |
Parameters
- issuer (string: "") – Issuer URL to be used in the iss claim of the token. If not set, OpenBao's api_addr will be used. The issuer is a case-sensitive URL using the https scheme that contains scheme, host, and an optional port number.
Sample payload
{
"issuer": "https://example.com:1234"
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/config
Sample response
{
"data": null,
"warnings": [
"If \"issuer\" is set explicitly, all tokens must be validated against that address, including those issued by secondary clusters. Setting issuer to \"\" will restore the default behavior of using the cluster's api_addr as the issuer."
]
}
Read configurations for the identity tokens backend
This endpoint queries OpenBao identity tokens configurations.
Method | Path |
---|---|
GET | identity/oidc/config |
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
http://127.0.0.1:8200/v1/identity/oidc/config
Sample response
{
"data": {
"issuer": "https://example.com:1234"
}
}
Create a named key
This endpoint creates or updates a named key which is used by a role to sign tokens.
Method | Path |
---|---|
POST | identity/oidc/key/:name |
Parameters
- name (string) – Name of the named key.
- rotation_period (int or time string: "24h") – How often to generate a new signing key. Uses duration format strings.
- verification_ttl (int or time string: "24h") – Controls how long the public portion of a signing key will be available for verification after being rotated. Uses duration format strings.
- allowed_client_ids (list: []) – Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed.
- algorithm (string: "RS256") – Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA.
Sample payload
{
"rotation_period": "12h",
"verification_ttl": 43200
}
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
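The issuer constraint in the config section above and the named-key parameters in this section are easy to get wrong client-side before OpenBao ever sees the request. The following added example (not OpenBao's own code) validates both payloads offline: it accepts integer seconds or duration strings, enforces the documented algorithm list and the https-issuer rule, and reports the longest window during which a token signed by one key version can still be verified (active lifetime plus verification_ttl). The function names and the "verifiable_window" field are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed example for pre-flight validation of identity/oidc payloads.
ALLOWED_ALGORITHMS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "EdDSA"}
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Return seconds for an int (already seconds) or a string like '12h' or '1h30m'."""
    if isinstance(value, int):
        if value < 0:
            raise ValueError("duration must not be negative")
        return value
    parts = re.findall(r"(\d+)([smhd])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"bad duration string: {value!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def check_issuer(issuer):
    """Issuer must be https with a host and a valid optional port; '' restores api_addr."""
    if issuer == "":
        return True
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.hostname:
        return False
    try:
        u.port  # raises ValueError when the port is not a valid integer
    except ValueError:
        return False
    return True


def check_key_config(payload):
    """Normalize a named-key payload (identity/oidc/key/:name) and reject bad values."""
    rotation = parse_duration(payload.get("rotation_period", "24h"))
    verification = parse_duration(payload.get("verification_ttl", "24h"))
    algorithm = payload.get("algorithm", "RS256")
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    clients = payload.get("allowed_client_ids", [])
    if clients != ["*"] and "*" in clients:
        raise ValueError('"*" must be the only entry when used')
    return {
        "rotation_period": rotation,
        "verification_ttl": verification,
        "algorithm": algorithm,
        "allowed_client_ids": clients,
        # A key signs for rotation_period, then stays verifiable for verification_ttl.
        "verifiable_window": rotation + verification,
    }
```

Run check_key_config on the sample payload above to see that "12h" and 43200 describe the same 12-hour period, giving a 24-hour verifiable window per key version.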
Read a named key
This endpoint queries a named key and returns its configurations.
Method | Path |
---|---|
GET | identity/oidc/key/:name |
Parameters
- name (string) – Name of the key.
Sample request
$ curl \
--header "X-Vault-Token: ..." \
--request GET \
http://127.0.0.1:8200/v1/identity/oidc/key/named-key-001
Sample response
{
"data": {
"algorithm": "RS256",
"rotation_period": 43200,
"verification_ttl": 43200
}
}
Delete a named key
This endpoint deletes a named key.
Method | Path |
---|---|
DELETE | identity/oidc/key/:name |
Parameters
- name (string) – Name of the key.