Skip to main content


This page collects brief definitions of some of the technical terms used in the documentation for OpenBao.

Audit device

An audit device is responsible for managing audit logs. Every request to OpenBao and response from OpenBao goes through the configured audit devices. This provides a simple way to integrate OpenBao with multiple audit logging destinations of different types.

Auth method

An auth method is used to authenticate users or applications which are connecting to OpenBao. Once authenticated, the auth method returns the list of applicable policies which should be applied. OpenBao takes an authenticated user and returns a client token that can be used for future requests. As an example, the userpass auth method uses a username and password to authenticate the user. Alternatively, the github auth method allows users to authenticate via GitHub.


Almost everything OpenBao writes to storage is encrypted using the keyring, which is protected by the seal. We refer to this practice as "the barrier". There are a few exceptions to the rule, for example, the seal configuration is stored in an unencrypted file since it's needed to unseal the barrier, and the keyring is encrypted using the root key, while the root key is encrypted using the seal.

Client token

A client token (aka "OpenBao Token") is conceptually similar to a session cookie on a web site. Once a user authenticates, OpenBao returns a client token which is used for future requests. The token is used by OpenBao to verify the identity of the client and to enforce the applicable ACL policies. This token is passed via HTTP headers.


Plugins are a feature of OpenBao that can be enabled, disabled, and customized to some degree. All OpenBao auth methods and secrets engines are considered plugins.

Built-in plugin

Built-in plugins are shipped with OpenBao, often for commonly used implementations, and require no additional operator intervention to run. Built-in plugins are just like any other backend code inside OpenBao.

External plugin

External plugins are not shipped with OpenBao and require additional operator intervention to run. OpenBao's external plugins are completely separate, standalone applications that OpenBao executes and communicates with over RPC. Each time an OpenBao secret engine or auth method is mounted, a new process is spawned.

External multiplexed plugin

An external plugin may make use of plugin multiplexing. A multiplexed plugin allows a single plugin process to be used for multiple mounts of the same type.


A secret is the term for anything returned by OpenBao which contains confidential or cryptographic material. Not everything returned by OpenBao is a secret, for example system configuration, status information, or policies are not considered secrets. Dynamic secrets always have an associated lease, and static secrets do not. This means clients cannot assume that the dynamic secret contents can be used indefinitely. OpenBao will revoke a dynamic secret at the end of the lease, and an operator may intervene to revoke the Dynamic Secret before the lease is over. This contract between OpenBao and its clients is critical, as it allows for changes in keys and policies without manual intervention.

Secrets engine

A secrets engine is responsible for managing secrets. Simple secrets engines, such as the "kv" secrets engine, return the same secret when queried. Some secrets engines support using policies to dynamically generate a secret each time they are queried. This allows for unique secrets to be used which allows OpenBao to do fine-grained revocation and policy updates. As an example, a MySQL secrets engine could be configured with a "web" policy. When the "web" secret is read, a new MySQL user/password pair will be generated with a limited set of privileges for the web server.


OpenBao depends on a long-running instance which operates as a server. The OpenBao server provides an API which clients interact with and manages the interaction between all the secrets engines, ACL enforcement, and secret lease revocation. Having a server based architecture decouples clients from the security keys and policies, enables centralized audit logging, and simplifies administration for operators.

Storage backend

A storage backend is responsible for durable storage of encrypted data. Backends are not trusted by OpenBao and are only expected to provide durability. The storage backend is configured when starting the OpenBao server.