hashicorp · schavis · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025 · Oct 3, 2025
@@ -340,4 +340,19 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
+Vault also supports several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 [proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza
@@ -46,7 +46,10 @@ plugin workload identity federation (WIF).
   environment variable. If not specified, Vault will use Azure Public Cloud.
 - `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when
   rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format).
-
+- `metadata` (`map[string]string: {}`) - A map of string to string key/value pairs that will be stored
+  as metadata for the mount. This can be used to store additional information about the
+  mount for reference purposes.
+
 @include 'rotationfields.mdx'
 
 ### Sample payload
@@ -214,12 +217,18 @@ information about roles.
   [roles docs][roles] for details on role definition.
 - `persist_app` (`bool: "false"`) – If set to true, persists the created service principal and application for the lifetime of the role.
  Useful for when the Service Principal needs to maintain ownership of objects it creates
-- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using this role.
+- `ttl` (`string: ""`) – Specifies the default TTL for service principals generated using the role.
   Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
-- `max_ttl` (`string: ""`) – Specifies the maximum TTL for service principals generated using this role. Accepts time
-  suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
-- `explicit_max_ttl` (`string: ""`) – Specifies the explicit maximum lifetime of the lease and service principal.
-  If not set or set to 0, will use the system default (10 years).
+- `max_ttl` (`string: "0"`) – Specifies the maximum TTL for service principals
+  generated using the role. Accepts time suffixed strings ("1h") or an integer
+  number of seconds. The default (`0`) defers to the system/engine max TTL time.
+- `explicit_max_ttl` (`string: "0"`) – Limits the lifetime of the service
+  principal secret in Azure and sets an upper bound on the TTL for the
+  corresponding lease. You cannot update the service principle lifetime of an
+  existing lease and clients cannot renew a lease once the lifetime expires.
+  Use the default (`0`) to create the service principal with a max TTL of 10
+  years. When the lifetime ends, Vault deletes the service principal and all
+  corresponding leases.
 - `permanently_delete` (`bool: false`) - Specifies whether to permanently delete Applications and Service Principals that are dynamically
   created by Vault. If `application_object_id` is present, `permanently_delete` must be `false`.
 - `sign_in_audience` (`string: ""`) - Specifies the security principal types that are allowed to sign in to the application.
@@ -257,6 +266,64 @@ $ curl \
     https://127.0.0.1:8200/v1/azure/roles/my-role
 ```
 
+## Read role
+
+The Read Role endpoint returns information about the named role:
+
+- Configuration details for the role
+- The constant `invalid_data` for roles created in earlier versions of Vault.
+- A `404` error if the named role does not exist.
+
+| Method | Path               |
+| :----- | :----------------- |
+| `GET`  | `/azure/roles/:name` |
+
+
+### Path parameters
+
+- `name` `(string: <required>)` – Specifies the name of the role to read. This
+  is part of the request URL.
+
+### Sample request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/azure/roles/example-role
+```
+
+### Sample response
+
+```json
+{
+  "data": {
+    "application_object_id": "",
+    "azure_groups": null,
+    "azure_roles": [
+      {
+        "role_name": "Contributor",
+        "scope": "/subscriptions/<uuid>>/resourceGroups/Website"
+      },
+      {
+        "role_id": "/subscriptions/<uuid>>/providers/Microsoft.Authorization/roleDefinitions/<uuid>",
+        "scope": "/subscriptions/<uuid>"
+      }
+    ],
+    "ttl": 3600,
+    "max_ttl": 0,
+    "explicit_max_ttl": 0,
+    "permanently_delete": false,
+    "persist_app": false,
+    "sign_in_audience": "AzureADMyOrg",
+    "tags": [
+      "team:engineering",
+      "team:development"
+    ],
+  }
+}
+```
+
+
 ## List roles
 
 Lists all of the roles that are registered with the plugin.

@@ -8,8 +8,7 @@ description: This is the API documentation for the Vault Cubbyhole secrets engin
 
 This is the API documentation for the Vault Cubbyhole secrets engine. For
 general information about the usage and operation of the Cubbyhole secrets
-engine, please see the
-[Vault Cubbyhole documentation](/vault/docs/secrets/cubbyhole).
+engine, please see the [Vault Cubbyhole documentation](/vault/docs/secrets/cubbyhole).
 
 This documentation assumes the Cubbyhole secrets engine is enabled at the
 `/cubbyhole` path in Vault. Since it is possible to enable secrets engines at
@@ -25,8 +24,8 @@ This endpoint retrieves the secret at the specified location.
 
 ### Parameters
 
-- `path` `(string: <required>)` – Specifies the path of the secret to read.
-  This is specified as part of the URL.
+- `path` `(string: <required>)` – Specifies the path of the secret to read as
+  part of the URL.
 - `read_snapshot_id` `(string: <optional>)` - Query parameter specifing a loaded snapshot ID to
 read the secret.
 
@@ -152,7 +151,8 @@ $ curl \
 
 ## Recover secret
 
-[Recover](/vault/docs/concepts/integrated-storage/snapshot-recover) a secret at the specified location from the given loaded snapshot.
+[Recover](/vault/docs/sysadmin/snapshots/recover-a-secret) a secret at the
+specified location from the given loaded snapshot.
 
 | Method    | Path               |
 |:----------|:-------------------|

@@ -165,7 +165,8 @@ $ curl \
 
 ## Recover secret
 
-[Recover](/vault/docs/concepts/integrated-storage/snapshot-recover) a secret at the specified location from the given loaded snapshot.
+[Recover](/vault/docs/sysadmin/snapshots/recover-a-secret) a secret at the
+specified location from the given loaded snapshot.
 
 | Method    | Path            |
 |:----------|:----------------|

@@ -42,6 +42,8 @@ to search and change entry passwords in LDAP.
   to use to generate passwords. Note that this accepts the name of the policy, not the policy itself.
 - `schema` `(string: "openldap")` - The LDAP schema to use when storing entry passwords.
   Valid schemas include `openldap`, `ad`, and `racf`.
+- `credential_type` `(string: "password")` - The type of password to generate. Valid values include `password` and `phrase`.
+  When set to `phrase`, the secrets engine will modify the RACF schema for all static roles to manage password phrases instead of passwords.
 - `userdn` `(string: <optional>)` - The base DN under which to perform user search in
   [library management](/vault/api-docs/secret/ldap#library-management) and [static roles](/vault/api-docs/secret/ldap#static-roles).
   For example, `ou=Users,dc=hashicorp,dc=com`.

@@ -883,6 +883,7 @@ $ curl \
     "enabled": true,
     "external_validation": {},
     "last_updated": "2025-05-26T09:59:24-04:00",
+    "log_level" : "WARN",
     "restrict_ca_chain_to_issuer": true
   }
 }
@@ -940,6 +941,8 @@ refer to the [SCEP documentation](/vault/docs/secrets/pki/scep).
   chain within GetCACert responses. Set `restrict_ca_chain_to_issuer` to `true`
   to make your PKI configuration compatible with Microsoft Intune.
 
+- `log_level` `(string: "")` - the log level to use for logging SCEP-specific requests.  One of standard log levels: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, or use the empty string to reset to the vault-level default. (1.20.1+ only)
+
 - `external_validation` `(map[string]map[string]string: "")` - a map specifying
   configuration for 3rd party validation of SCEP requests. Map keys can
 	be any of the following:

@@ -559,13 +559,15 @@ $ curl \
 ## Submit CA information
 
 This endpoint allows submitting the CA information for the secrets engine via an SSH
-key pair. _If you have already set a certificate and key, they will be
-overridden._
+key pair. If you call submit CA with an existing certificate or key, the
+endpoint returns an error. To update existing values, call the delete CA
+information endpoint before calling the submit endpoint.
 
 | Method | Path             |
 | :----- | :--------------- | -------------------------- |
 | `POST` | `/ssh/config/ca` | `200/204 application/json` |
 
+
 ### Parameters
 
 - `private_key` `(string: "")` – Specifies the private key part the SSH CA key
@@ -649,7 +651,8 @@ This endpoint recovers the CA information for the backend via an SSH key pair.
 
 ### Headers
 
-- `X-Vault-Recover-Snapshot-Id` `(string: <required>)` - The ID of a snapshot previously loaded into Vault that contains SSH CA information.
+- `X-Vault-Recover-Snapshot-Id` `(string: <required>)` - The ID of a snapshot
+previously loaded into Vault that contains SSH CA information.
 
 ### Sample request
 

@@ -70,6 +70,7 @@ values set here cannot be changed after key creation.
   - `aes256-cmac` - AES-256 CMAC (CMAC generation, verification) <EnterpriseAlert inline="true" />
   - `ml-dsa` - ML-DSA (asymmetric) (experimental) <EnterpriseAlert inline="true" />
   - `hybrid` - hybrid signatures combining a post-quantum algorithm and an elliptic curve algorithm (asymmetric) (experimental) <EnterpriseAlert inline="true" />
+   - `slh-dsa` - SLH-DSA (asymmetric) (experimental) <EnterpriseAlert inline="true" />
   - `aes128-cbc` - AES-128 in CBC mode (symmetric, supports derivation and convergent encryption)
   - `aes256-cbc` - AES-256 in CBC mode (symmetric, supports derivation and convergent encryption)
 
@@ -102,8 +103,14 @@ values set here cannot be changed after key creation.
   hour. Uses [duration format strings](/vault/docs/concepts/duration-format).
 - `managed_key_name` `(string: "")` - The name of the managed key to use for this transit key.
 - `managed_key_id` `(string: "")` - The UUID of the managed key to use for this transit key.
-- `parameter_set` `(string:"")` - The parameter set to use for ML-DSA. Required for
-ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
+- `parameter_set` `(string:"")` - The parameter set to use for ML-DSA or SLH-DSA.
+  Required for ML-DSA, SLH-DSA, and hybrid keys. Must be one of the following:
+    - ML-DSA - `44`, `65`, `87`
+    - SLH-DSA - `slh-dsa-sha2-128s`, `slh-dsa-shake-128s`, `slh-dsa-sha2-128f`,
+      `slh-dsa-shake-128`, `slh-dsa-sha2-192s`,
+      `slh-dsa-shake-192s`, `slh-dsa-sha2-192f`, `slh-dsa-shake-192f`,
+      `slh-dsa-sha2-256s`, `slh-dsa-shake-256s`,
+      `slh-dsa-sha2-256f`, and `slh-dsa-shake-256f`
 - `hybrid_key_type_pqc` `(string: "")` - The post-quantum algorithm to use for hybrid signatures.
 Currently, ML-DSA is the only supported key type.
 - `hybrid_key_type_ec` `(string: "")` - The elliptic curve algorithm to use for hybrid signatures.
@@ -834,8 +841,9 @@ will be returned.
   derivation. This is required if key derivation is enabled for this key.
 
 - `key_version` `(int: 0)` – Specifies the version of the key to use for
-  encryption. If not set, uses the latest version. Must be greater than or
-  equal to the key's `min_encryption_version`, if set.
+  encryption. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
 
 - `nonce` `(string: "")` – Specifies the **base64 encoded** nonce value. This
   must be provided if convergent encryption is enabled for this key and the key
@@ -1073,8 +1081,9 @@ functionality to untrusted users or scripts.
   derivation. This is required if key derivation is enabled.
 
 - `key_version` `(int: 0)` – Specifies the version of the key to use for the
-  operation. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
+  operation. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
 
 - `nonce` `(string: "")` – Specifies a base64 encoded nonce value used during
   encryption. Must be provided if convergent encryption is enabled for this key
@@ -1180,6 +1189,11 @@ then made available to trusted users.
   It is recommended that the default of OAEP be used unless specific backwards
   compatibility is required.
 
+- `key_version` `(int: 0)` – Specifies the version of the key to use for the
+  operation. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
+
 ### Sample payload
 
 ```json
@@ -1405,8 +1419,9 @@ be used.
   generate hmac against. This is specified as part of the URL.
 
 - `key_version` `(int: 0)` – Specifies the version of the key to use for the
-  operation. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
+  operation. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
 
 - `algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
   can also be specified as part of the URL. Currently-supported algorithms are:
@@ -1536,8 +1551,9 @@ supports signing.
   use for signing. This is specified as part of the URL.
 
 - `key_version` `(int: 0)` – Specifies the version of the key to use for
-  signing. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
+  signing. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
 
 - `hash_algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use for
   supporting key types (notably, not including `ed25519` which specifies its
@@ -1937,8 +1953,9 @@ argument to verify returned CMACs.
   CMAC function. This is specified as part of the URL.
 
 - `key_version` `(int: 0)` – Specifies the version of the key to use for the
-  operation. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
+  operation. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
 
 - `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
   `input` or `batch_input` must be supplied.

@@ -211,6 +211,18 @@ The `start_time` in the response is the earliest time there is activity data
 in the queried period. The `end_time` is the end of the final month of the queried
 period.
 
+The `/sys/internal/counters` endpoint only supports monthly granularity. As a
+result, the `start_time` and `end_time` values in API reponses are normalized to
+align with full calendar months.
+
+Normalization occurs whether you provide explicit times in the request or use
+the defaults:
+
+- `start_time` normalizes to the start of the month in which the effective
+  `start_time` falls.
+- `end_time` normalizes to the end of the month in which the effective
+  `end_time` falls.
+
 - If the `end_date` supplied to the API is the current month, exact activity
 information will be returned for all months in the queried period. The last element 
 in the `months` response stanza will signify the current month.
@@ -464,9 +476,15 @@ is unknown.
 
 ### Parameters
 
-- `start_time` `(string, optional)` - An RFC3339 timestamp or Unix epoch time. Specifies the start of the
-  period for which client counts will be reported. If no start time is specified, the billing start date will be used.
-  The [billing start date](/vault/docs/concepts/billing-start-date) automatically rolls over to the latest billing year at the end of the last cycle.
+- `start_time` `(string, optional)` - An RFC3339 timestamp or Unix epoch time.
+  Specifies the start of the period for which client counts will be reported.
+  Vault uses the [billing start date](/vault/docs/concepts/billing-start-date)
+  by default, which automatically rolls over to the latest billing year at the
+  end of the last cycle. Vault Community **requires** `start_time`, but Vault
+  Enterprise uses the billing start date as defined by the cluster license by
+  default. Vault Community does not have a billing start time, so ommitting
+  `start_time` can lead to undefined behavior. We recommend setting an explicit
+  start time to ensure reliable behavior in all Vault versions.
 - `end_time` `(string, optional)` - An RFC3339 timestamp or Unix epoch time. Specifies the end of the period
   for which client counts will be reported. If no end time is specified, the end of the current month will be used.
 - `limit_namespaces` `(int, optional)` - Controls the total number of by_namespace data returned. This can
@@ -1283,7 +1301,9 @@ There are a few things to keep in mind while using this API.
 
 - The response includes the actual time period covered, which may not exactly
 match the query parameters due to the month granularity of data or missing
-months in the requested time range.
+months in the requested time range. Vault always normalizes the effective
+`start_time` and `end_time` to full calendar months by adjusting `start_time` to
+the beginning of the month and `end_time` to the end of the month.
 
 - If the `end_date` supplied to the API is for the current month, the activity
 information returned by this API will include activity for this month, however
@@ -1301,8 +1321,15 @@ it may be up to 20 minutes delayed.
 
 ### Parameters
 
-- `start_time` `(string, optional)` - An RFC3339 timestamp or Unix epoch time. Specifies the start of the
-  period for which client counts will be reported. If no start time is specified, the billing start time will be used.
+- `start_time` `(string, optional)` - An RFC3339 timestamp or Unix epoch time.
+  Specifies the start of the period for which client counts will be reported.
+  Vault uses the [billing start date](/vault/docs/concepts/billing-start-date)
+  by default, which automatically rolls over to the latest billing year at the
+  end of the last cycle. Vault Community **requires** `start_time`, but Vault
+  Enterprise uses the billing start date as defined by the cluster license by
+  default. Vault Community does not have a billing start time, so ommitting
+  `start_time` can lead to undefined behavior. We recommend setting an explicit
+  start time to ensure reliable behavior in all Vault versions.
 - `end_time` `(string, optional)` - An RFC3339 timestamp or Unix epoch time. Specifies the end of the period
   for which client counts will be reported. If no end time is specified, the end of current month will be used.
 - `format` `(string, optional)` - The desired format of the output file. Allowed