HashiCorp Vault · Capability

HashiCorp Vault HTTP API

The Vault HTTP API provides full access to Vault functionality via HTTP. Every aspect of Vault can be controlled via this API including secrets management, authentication, system configuration, identity, and policy management.

Run with Naftiko HashicorpVaultAPI

What You Can Do

GET
Getinitstatus — Check initialization status
/sys/init
PUT
Initialize — Initialize Vault
/sys/init
GET
Getsealstatus — Check seal status
/sys/seal-status
PUT
Seal — Seal the Vault
/sys/seal
PUT
Unseal — Submit an unseal key
/sys/unseal
GET
Gethealth — Health status
/sys/health
GET
Listsecretengines — List mounted secrets engines
/sys/mounts
POST
Enablesecretengine — Enable a secrets engine
/sys/mounts/{path}
DELETE
Disablesecretengine — Disable a secrets engine
/sys/mounts/{path}
GET
Listauthmethods — List auth methods
/sys/auth
POST
Enableauthmethod — Enable an auth method
/sys/auth/{path}
DELETE
Disableauthmethod — Disable an auth method
/sys/auth/{path}
GET
Listaclpolicies — List ACL policies
/sys/policies/acl
GET
Getaclpolicy — Read an ACL policy
/sys/policies/acl/{name}
PUT
Createaclpolicy — Create or update an ACL policy
/sys/policies/acl/{name}
DELETE
Deleteaclpolicy — Delete an ACL policy
/sys/policies/acl/{name}
GET
Listauditdevices — List audit devices
/sys/audit
PUT
Enableauditdevice — Enable an audit device
/sys/audit/{path}
DELETE
Disableauditdevice — Disable an audit device
/sys/audit/{path}
PUT
Lookuplease — Lookup a lease
/sys/leases/lookup
PUT
Renewlease — Renew a lease
/sys/leases/renew
PUT
Revokelease — Revoke a lease
/sys/leases/revoke
POST
Createtoken — Create a token
/auth/token/create
POST
Lookuptoken — Lookup a token
/auth/token/lookup
GET
Lookupselftoken — Lookup own token
/auth/token/lookup-self
POST
Renewtoken — Renew a token
/auth/token/renew
POST
Renewselftoken — Renew own token
/auth/token/renew-self
POST
Revoketoken — Revoke a token
/auth/token/revoke
POST
Revokeselftoken — Revoke own token
/auth/token/revoke-self
POST
Loginuserpass — Login with username and password
/auth/userpass/login/{username}
POST
Loginapprole — Login with AppRole
/auth/approle/login
GET
Readkvsecret — Read KV secret (v2)
/secret/data/{path}
POST
Createkvsecret — Create or update KV secret (v2)
/secret/data/{path}
DELETE
Deletekvsecretlatest — Delete latest version of KV secret
/secret/data/{path}
GET
Getkvmetadata — Read KV secret metadata
/secret/metadata/{path}
DELETE
Deletekvmetadata — Delete all versions and metadata
/secret/metadata/{path}
POST
Deletekvsecretversions — Delete specific versions of KV secret
/secret/delete/{path}
POST
Undeletekvsecretversions — Undelete versions of KV secret
/secret/undelete/{path}
POST
Destroykvsecretversions — Permanently destroy versions
/secret/destroy/{path}
POST
Transitencrypt — Encrypt data
/transit/encrypt/{name}
POST
Transitdecrypt — Decrypt data
/transit/decrypt/{name}
POST
Createtransitkey — Create an encryption key
/transit/keys/{name}
GET
Gettransitkey — Read an encryption key
/transit/keys/{name}
DELETE
Deletetransitkey — Delete an encryption key
/transit/keys/{name}
POST
Createentity — Create an identity entity
/identity/entity
GET
Getentity — Read an entity by ID
/identity/entity/id/{id}
POST
Updateentity — Update an entity
/identity/entity/id/{id}
DELETE
Deleteentity — Delete an entity
/identity/entity/id/{id}
GET
Getrootgenerationprogress — Read root generation progress
/sys/generate-root/attempt
PUT
Startrootgeneration — Start root token generation
/sys/generate-root/attempt
DELETE
Cancelrootgeneration — Cancel root token generation
/sys/generate-root/attempt
GET
Getleader — Get leader information
/sys/leader
POST
Wrap — Wrap data
/sys/wrapping/wrap
POST
Unwrap — Unwrap data
/sys/wrapping/unwrap

MCP Tools

getinitstatus

Check initialization status

read-only idempotent
initialize

Initialize Vault

idempotent
getsealstatus

Check seal status

read-only idempotent
seal

Seal the Vault

idempotent
unseal

Submit an unseal key

idempotent
gethealth

Health status

read-only idempotent
listsecretengines

List mounted secrets engines

read-only idempotent
enablesecretengine

Enable a secrets engine

disablesecretengine

Disable a secrets engine

idempotent
listauthmethods

List auth methods

read-only idempotent
enableauthmethod

Enable an auth method

disableauthmethod

Disable an auth method

idempotent
listaclpolicies

List ACL policies

read-only idempotent
getaclpolicy

Read an ACL policy

read-only idempotent
createaclpolicy

Create or update an ACL policy

idempotent
deleteaclpolicy

Delete an ACL policy

idempotent
listauditdevices

List audit devices

read-only idempotent
enableauditdevice

Enable an audit device

idempotent
disableauditdevice

Disable an audit device

idempotent
lookuplease

Lookup a lease

idempotent
renewlease

Renew a lease

idempotent
revokelease

Revoke a lease

idempotent
createtoken

Create a token

lookuptoken

Lookup a token

lookupselftoken

Lookup own token

read-only idempotent
renewtoken

Renew a token

renewselftoken

Renew own token

revoketoken

Revoke a token

revokeselftoken

Revoke own token

loginuserpass

Login with username and password

loginapprole

Login with AppRole

readkvsecret

Read KV secret (v2)

read-only idempotent
createkvsecret

Create or update KV secret (v2)

deletekvsecretlatest

Delete latest version of KV secret

idempotent
getkvmetadata

Read KV secret metadata

read-only idempotent
deletekvmetadata

Delete all versions and metadata

idempotent
deletekvsecretversions

Delete specific versions of KV secret

undeletekvsecretversions

Undelete versions of KV secret

destroykvsecretversions

Permanently destroy versions

transitencrypt

Encrypt data

transitdecrypt

Decrypt data

createtransitkey

Create an encryption key

gettransitkey

Read an encryption key

read-only idempotent
deletetransitkey

Delete an encryption key

idempotent
createentity

Create an identity entity

getentity

Read an entity by ID

read-only idempotent
updateentity

Update an entity

deleteentity

Delete an entity

idempotent
getrootgenerationprogress

Read root generation progress

read-only idempotent
startrootgeneration

Start root token generation

idempotent
cancelrootgeneration

Cancel root token generation

idempotent
getleader

Get leader information

read-only idempotent
wrap

Wrap data

unwrap

Unwrap data

Capability Spec

hashicorp-vault-capability.yaml Raw ↑ 
naftiko: 1.0.0-alpha2
info:
  label: HashiCorp Vault HTTP API
  description: The Vault HTTP API provides full access to Vault functionality via HTTP. Every aspect of Vault can be controlled
    via this API including secrets management, authentication, system configuration, identity, and policy management.
  tags:
  - Hashicorp
  - Vault
  - API
  created: '2026-05-06'
  modified: '2026-05-06'
capability:
  consumes:
  - type: http
    namespace: hashicorp-vault
    baseUri: https://127.0.0.1:8200/v1
    description: HashiCorp Vault HTTP API HTTP API.
    authentication:
      type: apikey
      in: header
      name: X-Vault-Token
      value: '{{HASHICORP_VAULT_TOKEN}}'
    resources:
    - name: sys-init
      path: /sys/init
      operations:
      - name: getinitstatus
        method: GET
        description: Check initialization status
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: initialize
        method: PUT
        description: Initialize Vault
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-seal-status
      path: /sys/seal-status
      operations:
      - name: getsealstatus
        method: GET
        description: Check seal status
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-seal
      path: /sys/seal
      operations:
      - name: seal
        method: PUT
        description: Seal the Vault
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-unseal
      path: /sys/unseal
      operations:
      - name: unseal
        method: PUT
        description: Submit an unseal key
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-health
      path: /sys/health
      operations:
      - name: gethealth
        method: GET
        description: Health status
        inputParameters:
        - name: standbyok
          in: query
          type: boolean
          description: Return 200 for standby nodes too
        - name: activecode
          in: query
          type: integer
          description: Custom status code for active node
        - name: standbycode
          in: query
          type: integer
          description: Custom status code for standby node
        - name: sealedcode
          in: query
          type: integer
          description: Custom status code for sealed node
        - name: uninitcode
          in: query
          type: integer
          description: Custom status code for uninitialized node
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-mounts
      path: /sys/mounts
      operations:
      - name: listsecretengines
        method: GET
        description: List mounted secrets engines
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-mounts-path
      path: /sys/mounts/{path}
      operations:
      - name: enablesecretengine
        method: POST
        description: Enable a secrets engine
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: disablesecretengine
        method: DELETE
        description: Disable a secrets engine
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-auth
      path: /sys/auth
      operations:
      - name: listauthmethods
        method: GET
        description: List auth methods
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-auth-path
      path: /sys/auth/{path}
      operations:
      - name: enableauthmethod
        method: POST
        description: Enable an auth method
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: disableauthmethod
        method: DELETE
        description: Disable an auth method
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-policies-acl
      path: /sys/policies/acl
      operations:
      - name: listaclpolicies
        method: GET
        description: List ACL policies
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-policies-acl-name
      path: /sys/policies/acl/{name}
      operations:
      - name: getaclpolicy
        method: GET
        description: Read an ACL policy
        inputParameters:
        - name: name
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createaclpolicy
        method: PUT
        description: Create or update an ACL policy
        inputParameters:
        - name: name
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deleteaclpolicy
        method: DELETE
        description: Delete an ACL policy
        inputParameters:
        - name: name
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-audit
      path: /sys/audit
      operations:
      - name: listauditdevices
        method: GET
        description: List audit devices
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-audit-path
      path: /sys/audit/{path}
      operations:
      - name: enableauditdevice
        method: PUT
        description: Enable an audit device
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: disableauditdevice
        method: DELETE
        description: Disable an audit device
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-leases-lookup
      path: /sys/leases/lookup
      operations:
      - name: lookuplease
        method: PUT
        description: Lookup a lease
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-leases-renew
      path: /sys/leases/renew
      operations:
      - name: renewlease
        method: PUT
        description: Renew a lease
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-leases-revoke
      path: /sys/leases/revoke
      operations:
      - name: revokelease
        method: PUT
        description: Revoke a lease
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-token-create
      path: /auth/token/create
      operations:
      - name: createtoken
        method: POST
        description: Create a token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-token-lookup
      path: /auth/token/lookup
      operations:
      - name: lookuptoken
        method: POST
        description: Lookup a token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-token-lookup-self
      path: /auth/token/lookup-self
      operations:
      - name: lookupselftoken
        method: GET
        description: Lookup own token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-token-renew
      path: /auth/token/renew
      operations:
      - name: renewtoken
        method: POST
        description: Renew a token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-token-renew-self
      path: /auth/token/renew-self
      operations:
      - name: renewselftoken
        method: POST
        description: Renew own token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-token-revoke
      path: /auth/token/revoke
      operations:
      - name: revoketoken
        method: POST
        description: Revoke a token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-token-revoke-self
      path: /auth/token/revoke-self
      operations:
      - name: revokeselftoken
        method: POST
        description: Revoke own token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-userpass-login-username
      path: /auth/userpass/login/{username}
      operations:
      - name: loginuserpass
        method: POST
        description: Login with username and password
        inputParameters:
        - name: username
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: auth-approle-login
      path: /auth/approle/login
      operations:
      - name: loginapprole
        method: POST
        description: Login with AppRole
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: secret-data-path
      path: /secret/data/{path}
      operations:
      - name: readkvsecret
        method: GET
        description: Read KV secret (v2)
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        - name: version
          in: query
          type: integer
          description: Specific version to read
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createkvsecret
        method: POST
        description: Create or update KV secret (v2)
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deletekvsecretlatest
        method: DELETE
        description: Delete latest version of KV secret
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: secret-metadata-path
      path: /secret/metadata/{path}
      operations:
      - name: getkvmetadata
        method: GET
        description: Read KV secret metadata
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deletekvmetadata
        method: DELETE
        description: Delete all versions and metadata
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: secret-delete-path
      path: /secret/delete/{path}
      operations:
      - name: deletekvsecretversions
        method: POST
        description: Delete specific versions of KV secret
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: secret-undelete-path
      path: /secret/undelete/{path}
      operations:
      - name: undeletekvsecretversions
        method: POST
        description: Undelete versions of KV secret
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: secret-destroy-path
      path: /secret/destroy/{path}
      operations:
      - name: destroykvsecretversions
        method: POST
        description: Permanently destroy versions
        inputParameters:
        - name: path
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: transit-encrypt-name
      path: /transit/encrypt/{name}
      operations:
      - name: transitencrypt
        method: POST
        description: Encrypt data
        inputParameters:
        - name: name
          in: path
          type: string
          required: true
          description: Name of the encryption key
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: transit-decrypt-name
      path: /transit/decrypt/{name}
      operations:
      - name: transitdecrypt
        method: POST
        description: Decrypt data
        inputParameters:
        - name: name
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: transit-keys-name
      path: /transit/keys/{name}
      operations:
      - name: createtransitkey
        method: POST
        description: Create an encryption key
        inputParameters:
        - name: name
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: gettransitkey
        method: GET
        description: Read an encryption key
        inputParameters:
        - name: name
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deletetransitkey
        method: DELETE
        description: Delete an encryption key
        inputParameters:
        - name: name
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: identity-entity
      path: /identity/entity
      operations:
      - name: createentity
        method: POST
        description: Create an identity entity
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: identity-entity-id-id
      path: /identity/entity/id/{id}
      operations:
      - name: getentity
        method: GET
        description: Read an entity by ID
        inputParameters:
        - name: id
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: updateentity
        method: POST
        description: Update an entity
        inputParameters:
        - name: id
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deleteentity
        method: DELETE
        description: Delete an entity
        inputParameters:
        - name: id
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-generate-root-attempt
      path: /sys/generate-root/attempt
      operations:
      - name: getrootgenerationprogress
        method: GET
        description: Read root generation progress
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: startrootgeneration
        method: PUT
        description: Start root token generation
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: cancelrootgeneration
        method: DELETE
        description: Cancel root token generation
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-leader
      path: /sys/leader
      operations:
      - name: getleader
        method: GET
        description: Get leader information
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-wrapping-wrap
      path: /sys/wrapping/wrap
      operations:
      - name: wrap
        method: POST
        description: Wrap data
        inputParameters:
        - name: X-Vault-Wrap-TTL
          in: header
          type: string
          required: true
          description: TTL for the wrapping token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: sys-wrapping-unwrap
      path: /sys/wrapping/unwrap
      operations:
      - name: unwrap
        method: POST
        description: Unwrap data
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  exposes:
  - type: rest
    port: 8080
    namespace: hashicorp-vault-rest
    description: REST adapter for HashiCorp Vault HTTP API.
    resources:
    - path: /sys/init
      name: getinitstatus
      operations:
      - method: GET
        name: getinitstatus
        description: Check initialization status
        call: hashicorp-vault.getinitstatus
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/init
      name: initialize
      operations:
      - method: PUT
        name: initialize
        description: Initialize Vault
        call: hashicorp-vault.initialize
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/seal-status
      name: getsealstatus
      operations:
      - method: GET
        name: getsealstatus
        description: Check seal status
        call: hashicorp-vault.getsealstatus
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/seal
      name: seal
      operations:
      - method: PUT
        name: seal
        description: Seal the Vault
        call: hashicorp-vault.seal
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/unseal
      name: unseal
      operations:
      - method: PUT
        name: unseal
        description: Submit an unseal key
        call: hashicorp-vault.unseal
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/health
      name: gethealth
      operations:
      - method: GET
        name: gethealth
        description: Health status
        call: hashicorp-vault.gethealth
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/mounts
      name: listsecretengines
      operations:
      - method: GET
        name: listsecretengines
        description: List mounted secrets engines
        call: hashicorp-vault.listsecretengines
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/mounts/{path}
      name: enablesecretengine
      operations:
      - method: POST
        name: enablesecretengine
        description: Enable a secrets engine
        call: hashicorp-vault.enablesecretengine
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/mounts/{path}
      name: disablesecretengine
      operations:
      - method: DELETE
        name: disablesecretengine
        description: Disable a secrets engine
        call: hashicorp-vault.disablesecretengine
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/auth
      name: listauthmethods
      operations:
      - method: GET
        name: listauthmethods
        description: List auth methods
        call: hashicorp-vault.listauthmethods
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/auth/{path}
      name: enableauthmethod
      operations:
      - method: POST
        name: enableauthmethod
        description: Enable an auth method
        call: hashicorp-vault.enableauthmethod
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/auth/{path}
      name: disableauthmethod
      operations:
      - method: DELETE
        name: disableauthmethod
        description: Disable an auth method
        call: hashicorp-vault.disableauthmethod
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/policies/acl
      name: listaclpolicies
      operations:
      - method: GET
        name: listaclpolicies
        description: List ACL policies
        call: hashicorp-vault.listaclpolicies
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/policies/acl/{name}
      name: getaclpolicy
      operations:
      - method: GET
        name: getaclpolicy
        description: Read an ACL policy
        call: hashicorp-vault.getaclpolicy
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/policies/acl/{name}
      name: createaclpolicy
      operations:
      - method: PUT
        name: createaclpolicy
        description: Create or update an ACL policy
        call: hashicorp-vault.createaclpolicy
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/policies/acl/{name}
      name: deleteaclpolicy
      operations:
      - method: DELETE
        name: deleteaclpolicy
        description: Delete an ACL policy
        call: hashicorp-vault.deleteaclpolicy
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/audit
      name: listauditdevices
      operations:
      - method: GET
        name: listauditdevices
        description: List audit devices
        call: hashicorp-vault.listauditdevices
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/audit/{path}
      name: enableauditdevice
      operations:
      - method: PUT
        name: enableauditdevice
        description: Enable an audit device
        call: hashicorp-vault.enableauditdevice
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/audit/{path}
      name: disableauditdevice
      operations:
      - method: DELETE
        name: disableauditdevice
        description: Disable an audit device
        call: hashicorp-vault.disableauditdevice
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/leases/lookup
      name: lookuplease
      operations:
      - method: PUT
        name: lookuplease
        description: Lookup a lease
        call: hashicorp-vault.lookuplease
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/leases/renew
      name: renewlease
      operations:
      - method: PUT
        name: renewlease
        description: Renew a lease
        call: hashicorp-vault.renewlease
        outputParameters:
        - type: object
          mapping: $.
    - path: /sys/leases/revoke
      name: revokelease
      operations:
      - method: PUT
        name: revokelease
        description: Revoke a lease
        call: hashicorp-vault.revokelease
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/token/create
      name: createtoken
      operations:
      - method: POST
        name: createtoken
        description: Create a token
        call: hashicorp-vault.createtoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/token/lookup
      name: lookuptoken
      operations:
      - method: POST
        name: lookuptoken
        description: Lookup a token
        call: hashicorp-vault.lookuptoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/token/lookup-self
      name: lookupselftoken
      operations:
      - method: GET
        name: lookupselftoken
        description: Lookup own token
        call: hashicorp-vault.lookupselftoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/token/renew
      name: renewtoken
      operations:
      - method: POST
        name: renewtoken
        description: Renew a token
        call: hashicorp-vault.renewtoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/token/renew-self
      name: renewselftoken
      operations:
      - method: POST
        name: renewselftoken
        description: Renew own token
        call: hashicorp-vault.renewselftoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/token/revoke
      name: revoketoken
      operations:
      - method: POST
        name: revoketoken
        description: Revoke a token
        call: hashicorp-vault.revoketoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/token/revoke-self
      name: revokeselftoken
      operations:
      - method: POST
        name: revokeselftoken
        description: Revoke own token
        call: hashicorp-vault.revokeselftoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/userpass/login/{username}
      name: loginuserpass
      operations:
      - method: POST
        name: loginuserpass
        description: Login with username and password
        call: hashicorp-vault.loginuserpass
        with:
          username: rest.username
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/approle/login
      name: loginapprole
      operations:
      - method: POST
        name: loginapprole
        description: Login with AppRole
        call: hashicorp-vault.loginapprole
        outputParameters:
        - type: object
          mapping: $.
    - path: /secret/data/{path}
      name: readkvsecret
      operations:
      - method: GET
        name: readkvsecret
        description: Read KV secret (v2)
        call: hashicorp-vault.readkvsecret
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /secret/data/{path}
      name: createkvsecret
      operations:
      - method: POST
        name: createkvsecret
        description: Create or update KV secret (v2)
        call: hashicorp-vault.createkvsecret
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /secret/data/{path}
      name: deletekvsecretlatest
      operations:
      - method: DELETE
        name: deletekvsecretlatest
        description: Delete latest version of KV secret
        call: hashicorp-vault.deletekvsecretlatest
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /secret/metadata/{path}
      name: getkvmetadata
      operations:
      - method: GET
        name: getkvmetadata
        description: Read KV secret metadata
        call: hashicorp-vault.getkvmetadata
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /secret/metadata/{path}
      name: deletekvmetadata
      operations:
      - method: DELETE
        name: deletekvmetadata
        description: Delete all versions and metadata
        call: hashicorp-vault.deletekvmetadata
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /secret/delete/{path}
      name: deletekvsecretversions
      operations:
      - method: POST
        name: deletekvsecretversions
        description: Delete specific versions of KV secret
        call: hashicorp-vault.deletekvsecretversions
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /secret/undelete/{path}
      name: undeletekvsecretversions
      operations:
      - method: POST
        name: undeletekvsecretversions
        description: Undelete versions of KV secret
        call: hashicorp-vault.undeletekvsecretversions
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /secret/destroy/{path}
      name: destroykvsecretversions
      operations:
      - method: POST
        name: destroykvsecretversions
        description: Permanently destroy versions
        call: hashicorp-vault.destroykvsecretversions
        with:
          path: rest.path
        outputParameters:
        - type: object
          mapping: $.
    - path: /transit/encrypt/{name}
      name: transitencrypt
      operations:
      - method: POST
        name: transitencrypt
        description: Encrypt data
        call: hashicorp-vault.transitencrypt
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
    - path: /transit/decrypt/{name}
      name: transitdecrypt
      operations:
      - method: POST
        name: transitdecrypt
        description: Decrypt data
        call: hashicorp-vault.transitdecrypt
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
    - path: /transit/keys/{name}
      name: createtransitkey
      operations:
      - method: POST
        name: createtransitkey
        description: Create an encryption key
        call: hashicorp-vault.createtransitkey
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
    - path: /transit/keys/{name}
      name: gettransitkey
      operations:
      - method: GET
        name: gettransitkey
        description: Read an encryption key
        call: hashicorp-vault.gettransitkey
        with:
          name: rest.name
        outputParameters:
        - type: object
          mapping: $.
    - path: /transit/keys/{name}
      name: deletetransitkey
      operations:
      - method: DELETE
        name: deletetransitkey
        description: Delete an

# --- truncated at 32 KB (53 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/hashicorp-vault/refs/heads/main/capabilities/hashicorp-vault-capability.yaml