The token capabilities command fetches the capabilities of a token for a given
If a TOKEN is provided as an argument, this command uses the "/sys/capabilities" endpoint and permission. If no TOKEN is provided, this command uses the "/sys/capabilities-self" endpoint and permission with the locally authenticated token.
List capabilities for the local token on the "secret/foo" path:
$ vault token capabilities secret/foo
read
List capabilities for a token on the "database/creds/readonly" path:
$ vault token capabilities 96ddf4bc-d217-f3ba-f9bd-017055595017 database/creds/readonly
deny
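A least-privilege check built on the two invocation forms above, as an added example that is not part of the Vault documentation. The function names `excess_caps` and `audit_path` and the allow-list format are assumptions of this sketch, as is the default table output being a comma-separated list of capabilities.

```shell
# Added example, not from the Vault docs. Function names and the
# allow-list format are assumptions of this sketch.

# Print capabilities in ACTUAL that are missing from ALLOWED.
# Both are comma/space separated lists (assumed table output format).
excess_caps() (
  allowed=" $(printf '%s' "$1" | tr ',' ' ') "
  out=""
  for cap in $(printf '%s' "$2" | tr ',' ' '); do
    if [ "$cap" = "deny" ]; then continue; fi   # deny grants nothing
    case "$allowed" in
      *" $cap "*) ;;                # within the allow-list
      *) out="$out $cap" ;;         # more than expected
    esac
  done
  printf '%s\n' "${out# }"
)

# Usage: audit_path PATH ALLOWED [TOKEN]
# Returns 0 if within the allow-list, 1 on excess, 2 if the lookup failed.
# With TOKEN the CLI uses /sys/capabilities; without it, /sys/capabilities-self.
# A TOKEN given as an argument is visible in the process list and shell
# history, so prefer the no-TOKEN form for the locally authenticated token.
audit_path() (
  path=$1; allowed=$2; token=${3:-}
  if [ -n "$token" ]; then
    actual=$(vault token capabilities "$token" "$path") || exit 2
  else
    actual=$(vault token capabilities "$path") || exit 2
  fi
  extra=$(excess_caps "$allowed" "$actual")
  if [ -n "$extra" ]; then
    echo "FAIL $path: unexpected [$extra] (has: $actual)"
    exit 1
  fi
  echo "OK   $path: $actual"
)
```

Call it once per path a role is expected to touch, for example `audit_path secret/foo "read"`, and treat a non-zero return as a policy drift finding.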
The following flags are available in addition to the standard set of flags included on all commands.
(string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the