The /sys/audit-hash endpoint is used to calculate the hash of the data used by an audit device's hash function and salt. This can be used to search audit logs for a hashed value when the original value is known.

»Calculate Hash

This endpoint hashes the given input data with the specified audit device's hash function and salt. This endpoint can be used to discover whether a given plaintext string (the input parameter) appears in the audit log in obfuscated form.

The audit log records requests and responses. Since the Vault API is JSON-based, any binary data returned from an API call (such as a DER-format certificate) is base64-encoded by the Vault server in the response. As a result such information should also be base64-encoded to supply into the input parameter.



  • path (string: <required>) – Specifies the path of the audit device to generate hashes for. This is part of the request URL.

  • input (string: <required>) – Specifies the input string to hash.

»Sample Payload

  "input": "my-secret-vault"
{  "input": "my-secret-vault"}

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
$ curl \    --header "X-Vault-Token: ..." \    --request POST \    --data @payload.json \

»Sample Response

  "hash": "hmac-sha256:08ba35..."
{  "hash": "hmac-sha256:08ba35..."}