Skip to main content

token capabilities

The token capabilities command fetches the capabilities of a token for a given path.

If a TOKEN is provided as an argument, this command uses the "/sys/capabilities" endpoint and permission. If no TOKEN is provided, this command uses the "/sys/capabilities-self" endpoint and permission with the locally authenticated token.

Examples

List capabilities for the local token on the "secret/foo" path:

$ bao token capabilities secret/foo
read

List capabilities for a token on the "cubbyhole/foo" path:

$ bao token capabilities 96ddf4bc-d217-f3ba-f9bd-017055595017 database/creds/readonly
deny

Usage

The following flags are available in addition to the standard set of flags included on all commands.

Output options

  • -format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the BAO_FORMAT environment variable.