hashicorp · schavis · Sep 23, 2025 · Sep 24, 2025 · Sep 24, 2025
@@ -0,0 +1,15 @@
+### Breaking changes
+
+Introduced | Recommendations | Edition    | Change
+---------- | --------------- | ---------- | ------
+1.21.0     | **Yes**         | All        | [Audiences required for Kubernetes authentication roles](/vault/docs/v1.21.x/updates/important-changes#k8-audience-required)
+
+
+### New behavior
+
+None.
+
+
+### Known issues
+
+None.
@@ -340,4 +340,19 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
+Vault also supports several listener options to enforce payload size limits for to incoming JSON
+request bodies.
+
+You can configure the payload limits individullly on each listener and give
+administrators granular control over the:
+
+- maximum allowed nesting depth of a JSON object or array (`max_json_depth`).
+- maximum allowed length for any single string value in the payload (`max_json_string_value_length`.)
+- maximum number of key-value pairs allowed in a single JSON object (`max_json_object_entry_count`).
+- maximum number of elements permitted in a single JSON array `max_json_array_element_count`.
+
+The configuration defaults provide intentionally generous limits to accommodate
+a wide range of legitimate use cases while still guarding against most malicious
+or malformed requests.
+
 [proxy]: /vault/docs/agent-and-proxy/proxy#listener-stanza
@@ -8,8 +8,7 @@ description: This is the API documentation for the Vault Cubbyhole secrets engin
 
 This is the API documentation for the Vault Cubbyhole secrets engine. For
 general information about the usage and operation of the Cubbyhole secrets
-engine, please see the
-[Vault Cubbyhole documentation](/vault/docs/secrets/cubbyhole).
+engine, please see the [Vault Cubbyhole documentation](/vault/docs/secrets/cubbyhole).
 
 This documentation assumes the Cubbyhole secrets engine is enabled at the
 `/cubbyhole` path in Vault. Since it is possible to enable secrets engines at
@@ -25,8 +24,8 @@ This endpoint retrieves the secret at the specified location.
 
 ### Parameters
 
-- `path` `(string: <required>)` – Specifies the path of the secret to read.
-  This is specified as part of the URL.
+- `path` `(string: <required>)` – Specifies the path of the secret to read as
+  part of the URL.
 - `read_snapshot_id` `(string: <optional>)` - Query parameter specifing a loaded snapshot ID to
 read the secret.
 
@@ -152,31 +151,26 @@ $ curl \
 
 ## Recover secret
 
-[Recover](/vault/docs/concepts/integrated-storage/snapshot-recover) a secret at the specified location from the given loaded snapshot.
+[Recover](/vault/docs/sysadmin/snapshots/recover-a-secret) a secret at the
+specified location from the given loaded snapshot.
 
-| Method    | Path               |
-|:----------|:-------------------|
-| `RECOVER` | `/cubbyhole/:path` |
+| Method | Path               |
+| :----- | :----------------- |
+| `POST` | `/cubbyhole/:path?recover_snapshot_id=:recover_snapshot_id` |
 
 ### Query parameters
 
-- `path` `(string: <required>)` – The target path of the secrets you want to recover.
-
-### Headers
-
-- `X-Vault-Recover-Snapshot-Id` `(string: <required>)` - The ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
-- `X-Vault-Recover-Source-Path` `(string: <optional>)` - The original path of the data in the snapshot, if different from the target path.
+- `path` `(string: <required>)` – The target path of the secrets you want to recover. 
+- `recover_snapshot_id` `(string: <required>)` - The ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
 
 
 ### Sample request
 
 ```shell-session
 $ curl \
     --header "X-Vault-Token: ..." \
-    --request RECOVER \
-    --header "X-Vault-Recover-Snapshot-Id: 2403d301-94f2-46a1-a39d-02be83e2831a" \
-    --header "X-Vault-Recover-Source-Path: cubbyhole/my-old-secret" \
-    https://127.0.0.1:8200/v1/cubbyhole/my-secret
+    --request POST \
+    https://127.0.0.1:8200/v1/cubbyhole/my-secret?recover_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a
 ```
 
 ## Delete secret

@@ -43,12 +43,8 @@ has a number of parameters to further configure a connection.
 
 - `connection_url` `(string: <required>)` - Specifies the Snowflake DSN. This field
   can be templated and supports passing the username and password
-  parameters in the format `{{field_name}}` when you use password authentication.
-  If you use root credential rotation for passwords, you must provide a templated
-  connection URL. Refer to the
-  [Snowflake secrets engine docs](/vault/docs/secrets/databases/snowflake#setup)
-  for more information on the connection URL format requirements for different
-  authentication methods.
+  parameters in the following format `{{field_name}}`. A templated connection URL is
+  required when using root credential rotation.
 
 - `max_open_connections` `(int: 4)` - Specifies the maximum number of open
   connections to the database.

@@ -28,7 +28,7 @@ This endpoint retrieves the secret at the specified location.
 
 - `path` `(string: <required>)` – Specifies the path of the secret to read.
   This is specified as part of the URL.
-- `read_snapshot_id` `(string: "")` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
+- `recover_snapshot_id` `(string: <required>)` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
 
 ### Sample requests
 
@@ -83,7 +83,7 @@ this API.
 
 - `path` `(string: <required>)` – Specifies the path of the secrets to list.
   This is specified as part of the URL.
-- `read_snapshot_id` `(string: "")` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
+- `recover_snapshot_id` `(string: <required>)` - Query parameter specifying the ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
 
 ### Sample requests
 
@@ -165,30 +165,25 @@ $ curl \
 
 ## Recover secret
 
-[Recover](/vault/docs/concepts/integrated-storage/snapshot-recover) a secret at the specified location from the given loaded snapshot.
+[Recover](/vault/docs/sysadmin/snapshots/recover-a-secret) a secret at the
+specified location from the given loaded snapshot.
 
-| Method    | Path            |
-|:----------|:----------------|
-| `RECOVER` | `/secret/:path` |
+| Method | Path                                                     |
+| :----- | :------------------------------------------------------- |
+| `POST` | `/secret/:path?recover_snapshot_id=:recover_snapshot_id` |
 
 ### Query parameters
 
 - `path` `(string: <required>)` – The target path of the secrets you want to recover. 
-
-### Headers
-
-- `X-Vault-Recover-Snapshot-Id` `(string: <required>)` - The ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
-- `X-Vault-Recover-Source-Path` `(string: "")` - Optional header specifying the original path of the data in the snapshot, if recovering to a different path than the original path.
+- `recover_snapshot_id` `(string: <required>)` - The ID of a snapshot previously loaded into Vault that contains secrets at the provided path.
 
 ### Sample request
 
 ```shell-session
 $ curl \
     --header "X-Vault-Token: ..." \
-    --request RECOVER \
-    --header "X-Vault-Recover-Snapshot-Id: 2403d301-94f2-46a1-a39d-02be83e2831a" \
-    --header "X-Vault-Recover-Source-Path: secret/my-old-secret" \
-    https://127.0.0.1:8200/v1/secret/my-secret
+    --request POST \
+    https://127.0.0.1:8200/v1/secret/my-secret?recover_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a
 ```
 
 ## Delete secret

@@ -42,6 +42,8 @@ to search and change entry passwords in LDAP.
   to use to generate passwords. Note that this accepts the name of the policy, not the policy itself.
 - `schema` `(string: "openldap")` - The LDAP schema to use when storing entry passwords.
   Valid schemas include `openldap`, `ad`, and `racf`.
+- `credential_type` `(string: "password")` - The type of password to generate. Valid values include `password` and `phrase`.
+  When set to `phrase`, the secrets engine will modify the RACF schema for all static roles to manage password phrases instead of passwords.
 - `userdn` `(string: <optional>)` - The base DN under which to perform user search in
   [library management](/vault/api-docs/secret/ldap#library-management) and [static roles](/vault/api-docs/secret/ldap#static-roles).
   For example, `ou=Users,dc=hashicorp,dc=com`.

@@ -883,6 +883,7 @@ $ curl \
     "enabled": true,
     "external_validation": {},
     "last_updated": "2025-05-26T09:59:24-04:00",
+    "log_level" : "WARN",
     "restrict_ca_chain_to_issuer": true
   }
 }
@@ -940,6 +941,8 @@ refer to the [SCEP documentation](/vault/docs/secrets/pki/scep).
   chain within GetCACert responses. Set `restrict_ca_chain_to_issuer` to `true`
   to make your PKI configuration compatible with Microsoft Intune.
 
+- `log_level` `(string: "")` - the log level to use for logging SCEP-specific requests.  One of standard log levels: `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, or use the empty string to reset to the vault-level default. (1.20.1+ only)
+
 - `external_validation` `(map[string]map[string]string: "")` - a map specifying
   configuration for 3rd party validation of SCEP requests. Map keys can
 	be any of the following:

@@ -559,8 +559,9 @@ $ curl \
 ## Submit CA information
 
 This endpoint allows submitting the CA information for the secrets engine via an SSH
-key pair. _If you have already set a certificate and key, they will be
-overridden._
+key pair. If you call submit CA with an existing certificate or key, the
+endpoint returns an error. To update existing values, call the delete CA
+information endpoint before calling the submit endpoint.
 
 | Method | Path             |
 | :----- | :--------------- | -------------------------- |
@@ -639,28 +640,6 @@ This will return a `200` response if `generate_signing_key` was true:
 }
 ```
 
-## Recover CA information
-
-This endpoint recovers the CA information for the backend via an SSH key pair.
-
-| Method    | Path             |
-|:----------|:-----------------|
-| `RECOVER` | `/ssh/config/ca` |
-
-### Headers
-
-- `X-Vault-Recover-Snapshot-Id` `(string: <required>)` - The ID of a snapshot previously loaded into Vault that contains SSH CA information.
-
-### Sample request
-
-```shell-session
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request RECOVER \
-    --header "X-Vault-Recover-Snapshot-Id: 2403d301-94f2-46a1-a39d-02be83e2831a" \
-    https://127.0.0.1:8200/v1/ssh/config/ca
-```
-
 ## Delete CA information
 
 This endpoint deletes the CA information for the backend via an SSH key pair.
@@ -711,11 +690,6 @@ This endpoint reads the configured/generated public key.
 | :----- | :--------------- |
 | `GET`  | `/ssh/config/ca` |
 
-### Query Parameters
-
-- `read_snapshot_id` `(string: "")` - Query parameter specifying the ID of a snapshot previously loaded into Vault that an SSH public key.
-
-
 ### Sample request
 
 ```shell-session
@@ -724,15 +698,6 @@ $ curl \
     http://127.0.0.1:8200/v1/ssh/config/ca
 ```
 
-To read the SSH pubic key from a loaded snapshot with ID `2403d301-94f2-46a1-a39d-02be83e2831a`:
-
-```shell-session
-$ curl \
-    --header "X-Vault-Token: ..." \
-    https://127.0.0.1:8200/v1/ssh/config/ca?read_snapshot_id=2403d301-94f2-46a1-a39d-02be83e2831a
-```
-
-
 ### Sample response
 
 ```json

@@ -70,8 +70,7 @@ values set here cannot be changed after key creation.
   - `aes256-cmac` - AES-256 CMAC (CMAC generation, verification) <EnterpriseAlert inline="true" />
   - `ml-dsa` - ML-DSA (asymmetric) (experimental) <EnterpriseAlert inline="true" />
   - `hybrid` - hybrid signatures combining a post-quantum algorithm and an elliptic curve algorithm (asymmetric) (experimental) <EnterpriseAlert inline="true" />
-  - `aes128-cbc` - AES-128 in CBC mode (symmetric, supports derivation and convergent encryption)
-  - `aes256-cbc` - AES-256 in CBC mode (symmetric, supports derivation and convergent encryption)
+  - `slh-dsa` - SLH-DSA (asymmetric) (experimental) <EnterpriseAlert inline="true" />
 
   ~> **Note**: In FIPS 140-3 mode, the following algorithms are not certified
      and thus should not be used: `chacha20-poly1305`.
@@ -90,7 +89,7 @@ values set here cannot be changed after key creation.
   ~> **Note**: When key type is `hybrid`, `parameter_set`, `hybrid_key_type_pqc`,
   and `hybrid_key_type_ec` are required.
 
-  ~> **Warning**: ML-DSA and hybrid schemes are considered experimental functionality and
+  ~> **Warning**: ML-DSA, hybrid, and SLH-DSA schemes are considered experimental functionality and
   should not be used in production environments.
 
 - `key_size` `(int: "0", optional)` - The key size in bytes for algorithms
@@ -102,8 +101,14 @@ values set here cannot be changed after key creation.
   hour. Uses [duration format strings](/vault/docs/concepts/duration-format).
 - `managed_key_name` `(string: "")` - The name of the managed key to use for this transit key.
 - `managed_key_id` `(string: "")` - The UUID of the managed key to use for this transit key.
-- `parameter_set` `(string:"")` - The parameter set to use for ML-DSA. Required for
-ML-DSA and hybrid keys. Valid values are `44`, `65`, and `87`.
+- `parameter_set` `(string:"")` - The parameter set to use for ML-DSA or SLH-DSA.
+  Required for ML-DSA, SLH-DSA, and hybrid keys. Must be one of the following:
+    - ML-DSA - `44`, `65`, `87`
+    - SLH-DSA - `slh-dsa-sha2-128s`, `slh-dsa-shake-128s`, `slh-dsa-sha2-128f`,
+      `slh-dsa-shake-128`, `slh-dsa-sha2-192s`,
+      `slh-dsa-shake-192s`, `slh-dsa-sha2-192f`, `slh-dsa-shake-192f`,
+      `slh-dsa-sha2-256s`, `slh-dsa-shake-256s`,
+      `slh-dsa-sha2-256f`, and `slh-dsa-shake-256f`
 - `hybrid_key_type_pqc` `(string: "")` - The post-quantum algorithm to use for hybrid signatures.
 Currently, ML-DSA is the only supported key type.
 - `hybrid_key_type_ec` `(string: "")` - The elliptic curve algorithm to use for hybrid signatures.
@@ -833,9 +838,10 @@ will be returned.
 - `context` `(string: "")` – Specifies the **base64 encoded** context for key
   derivation. This is required if key derivation is enabled for this key.
 
-- `key_version` `(int: 0)` – Specifies the version of the key to use for
-  encryption. If not set, uses the latest version. Must be greater than or
-  equal to the key's `min_encryption_version`, if set.
+- `key_version` `(int: 0)` – Specifies the version of the key to use for the
+  operation. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
 
 - `nonce` `(string: "")` – Specifies the **base64 encoded** nonce value. This
   must be provided if convergent encryption is enabled for this key and the key
@@ -892,12 +898,6 @@ will be returned.
   decrypt) could be indicative of a security breach and should not be
   ignored.
 
-- `iv` `(string: "")` - Specifies the base64-encoded IV value to use with
-  AES-CBC. The value must be exactly 128 bits (16 bytes) long and you must
-  ensure that the IV is never reused for any given context or encryption key. If
-  you do not provide an IV value, Vault generates and prepends a random IV value
-  to the ciphertext.
-
 ~>**NOTE:** All plaintext data **must be base64-encoded**. The reason for this
 requirement is that Vault does not require that the plaintext is "text". It
 could be a binary file such as a PDF or image. The easiest safe transport
@@ -1073,8 +1073,9 @@ functionality to untrusted users or scripts.
   derivation. This is required if key derivation is enabled.
 
 - `key_version` `(int: 0)` – Specifies the version of the key to use for the
-  operation. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
+  operation. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
 
 - `nonce` `(string: "")` – Specifies a base64 encoded nonce value used during
   encryption. Must be provided if convergent encryption is enabled for this key
@@ -1180,6 +1181,11 @@ then made available to trusted users.
   It is recommended that the default of OAEP be used unless specific backwards
   compatibility is required.
 
+- `key_version` `(int: 0)` – Specifies the version of the key to use for the
+  operation. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
+
 ### Sample payload
 
 ```json
@@ -1332,8 +1338,9 @@ be used.
   generate hmac against. This is specified as part of the URL.
 
 - `key_version` `(int: 0)` – Specifies the version of the key to use for the
-  operation. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
+  operation. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
 
 - `algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use. This
   can also be specified as part of the URL. Currently-supported algorithms are:
@@ -1462,9 +1469,10 @@ supports signing.
 - `name` `(string: <required>)` – Specifies the name of the encryption key to
   use for signing. This is specified as part of the URL.
 
-- `key_version` `(int: 0)` – Specifies the version of the key to use for
-  signing. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
+- `key_version` `(int: 0)` – Specifies the version of the key to use for the
+  operation. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
 
 - `hash_algorithm` `(string: "sha2-256")` – Specifies the hash algorithm to use for
   supporting key types (notably, not including `ed25519` which specifies its
@@ -1864,8 +1872,9 @@ argument to verify returned CMACs.
   CMAC function. This is specified as part of the URL.
 
 - `key_version` `(int: 0)` – Specifies the version of the key to use for the
-  operation. If not set, uses the latest version. Must be greater than or equal
-  to the key's `min_encryption_version`, if set.
+  operation. Leave `key_version` unset to use the latest version. `key_version`
+  must be unset or greater than or equal to the associated
+  `min_encryption_version` value.
 
 - `input` `(string: "")` – Specifies the **base64 encoded** input data. One of
   `input` or `batch_input` must be supplied.