You're looking at documentation for Vault v1.10.x.


»/sys/license

Enterprise Only – These endpoints require Vault Enterprise.

The /sys/license endpoint is used to view and update the license used in Vault.

»Read License

This API is deprecated as of Vault 1.8 and will be removed in a future version of Vault. Please use license autoloading instead, and see License Status below for the non-deprecated equivalent API.

This endpoint returns information about the currently installed license.

Method   Path
GET      /sys/license

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/license

»Sample Response

{
  "data": {
    "expiration_time": "2017-11-14T16:34:36.546753-05:00",
    "features": ["UI", "HSM", "Performance Replication", "DR Replication"],
    "license_id": "temporary",
    "start_time": "2017-11-14T16:04:36.546753-05:00"
  },
  "warnings": ["time left on license is 29m33s"]
}

»Read Signed License

This API is deprecated as of Vault 1.8 and will be removed in a future version of Vault. Please use license autoloading instead.

This endpoint returns the signed license blob for the currently installed license.

Method   Path
GET      /sys/license/signed

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/license/signed

»Sample Response

{
  "data": {
    "signed": "01ABCDEFG..."
  }
}

»Install License

This API is deprecated as of Vault 1.8 and will be removed in a future version of Vault. Please use license autoloading instead.

This endpoint is used to install a license into Vault. The license is replicated to the Vault instances within the targeted cluster, but it is not replicated to a performance replication cluster. To license a performance replication cluster, run this against a Vault instance within that cluster.

Method   Path
POST     /sys/license

»Parameters

  • text (string: <required>) – The text of the license.

DR Secondary Specific Parameters

  • dr_operation_token (string: <required>) - DR operation token used to authorize this request. Note that this is the legacy mechanism for providing a DR operation token. It is equally valid to provide the DR operation token in the X-Vault-Token header, as with a regular vault token.

If you are using a batch dr_operation_token, note you will need to add the following to the token's policy:

path "sys/replication/dr/secondary/license" {
  capabilities = ["update"]
}

»Sample Payload

{
  "text": "01ABCDEFG..."
}

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/license

»Delete License

This API is deprecated as of Vault 1.8 and will be removed in a future version of Vault. Please use license autoloading instead.

This endpoint is used to delete a license from Vault. This API only works if license autoloading is in use, in which case it removes the legacy license from Vault's storage.

Method   Path
DELETE   /sys/license

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/license

»License Status

This endpoint returns information about licensing. It returns similar information to a GET of sys/license, but whereas that endpoint reports solely on the license Vault is currently using, this one reports on all licensing information the Vault cluster has. See license autoloading for background.

In the response:

  • autoloading_used will be true if an autoloaded license was provided to the node, false otherwise.
  • autoloaded is the autoloaded license if autoloading_used is true.
  • persisted_autoload is the autoloaded license the active node last wrote to storage; this is only used to detect inconsistently licensed nodes in the cluster. It cannot be used as a license itself.
  • stored is the stored license if any, i.e. one written using POST sys/license.

autoloaded, persisted_autoload, and stored all have the same structure, which is also the same structure as the top-level data returned by GET sys/license.

Method   Path
GET      /sys/license/status

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/license/status

»Sample Response

{
  "data": {
    "autoloading_used": true,
    "autoloaded": {
      "expiration_time": "2022-05-17T23:59:59.999Z",
      "features": [
        "HSM",
        "Performance Replication",
        "DR Replication",
        "MFA",
        "Sentinel",
        "Seal Wrapping",
        "Control Groups",
        "Performance Standby",
        "Namespaces",
        "KMIP",
        "Entropy Augmentation",
        "Transform Secrets Engine",
        "Lease Count Quotas",
        "Key Management Secrets Engine",
        "Automated Snapshots"
      ],
      "license_id": "060d7820-fa59-f95c-832b-395db0aeb9ba",
      "performance_standby_count": 9999,
      "start_time": "2021-05-17T00:00:00Z"
    },
    "persisted_autoload": {
      "expiration_time": "2022-05-17T23:59:59.999Z",
      "features": [
        "HSM",
        "Performance Replication",
        "DR Replication",
        "MFA",
        "Sentinel",
        "Seal Wrapping",
        "Control Groups",
        "Performance Standby",
        "Namespaces",
        "KMIP",
        "Entropy Augmentation",
        "Transform Secrets Engine",
        "Lease Count Quotas",
        "Key Management Secrets Engine",
        "Automated Snapshots"
      ],
      "license_id": "060d7820-fa59-f95c-832b-395db0aeb9ba",
      "performance_standby_count": 9999,
      "start_time": "2021-05-17T00:00:00Z"
    }
  }
}
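
The field descriptions above can be turned into a per-node licensing check. The following is an added example, not part of the Vault documentation: `audit_license_status`, `parse_ts` and `SAMPLE_STATUS` are hypothetical names, the sample values are constructed, and it assumes that the autoloaded license is the one in effect when autoloading_used is true and that differing license_id values indicate inconsistently licensed nodes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the "data" object of a GET sys/license/status response.
SAMPLE_STATUS = {
    "autoloading_used": True,
    "autoloaded": {"license_id": "aaaa-constructed-1",
                   "expiration_time": "2022-05-17T23:59:59.999Z"},
    "persisted_autoload": {"license_id": "bbbb-constructed-2",
                           "expiration_time": "2023-05-17T23:59:59.999Z"},
    "stored": {"license_id": "temporary",
               "expiration_time": "2017-11-14T16:34:36.546753-05:00"},
}

def parse_ts(value):
    """Parse an RFC 3339 timestamp, tolerating 'Z' and any fraction length."""
    base, frac, tz = re.fullmatch(
        r"(.+?)(?:\.(\d+))?(Z|[+-]\d\d:\d\d)", value).groups()
    micros = (frac or "").ljust(6, "0")[:6]
    tz = "+00:00" if tz == "Z" else tz
    return datetime.fromisoformat(f"{base}.{micros}{tz}")

def audit_license_status(data, now, warn_days=30):
    """Return a list of findings for one node's license status."""
    findings = []
    auto, persisted, stored = (
        data.get(k) for k in ("autoloaded", "persisted_autoload", "stored"))
    if data.get("autoloading_used"):
        in_use = auto  # assumption: the autoloaded license is the one in effect
        if auto and persisted and auto["license_id"] != persisted["license_id"]:
            findings.append("license_id mismatch between autoloaded and persisted_autoload")
        if stored:  # can be removed with DELETE sys/license
            findings.append("legacy stored license still in storage")
    else:
        in_use = stored
        if stored:  # installed through the deprecated POST sys/license
            findings.append("node relies on deprecated stored license")
    if not in_use:
        return findings + ["no license found"]
    left = parse_ts(in_use["expiration_time"]) - now
    if left <= timedelta(0):
        findings.append("license expired")
    elif left <= timedelta(days=warn_days):
        findings.append(f"license expires in {left.days} days")
    return findings
```

Pass the `data` object of each node's response together with a timezone-aware `now`; an empty list means no finding for that node.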