From 9df5cf81cce1a40974f1f06eec708ad77604e7e7 Mon Sep 17 00:00:00 2001 From: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Date: Thu, 18 May 2023 17:38:30 -0400 Subject: [PATCH 1/7] Add additional endpoints, remove non-protected endpoints --- website/content/docs/concepts/policies.mdx | 26 ++++++++++++---------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/website/content/docs/concepts/policies.mdx b/website/content/docs/concepts/policies.mdx index 4df90be91488..65c98addda91 100644 --- a/website/content/docs/concepts/policies.mdx +++ b/website/content/docs/concepts/policies.mdx @@ -800,32 +800,34 @@ authenticated user. The following paths requires a root token or `sudo` capability in the policy: -| Path | HTTP verb | Description | -| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | -| [auth/token/accessors](/vault/api-docs/auth/token#list-accessors) | LIST | List token accessor | -| [auth/token/create-orphan](/vault/api-docs/auth/token#create-token) | POST | Create an orphan token (the same as `no_parent` option) | -| [auth/token](/vault/api-docs/auth/token#create-token) | POST | Create a periodic or an orphan token (`period` or `no_parent`) option | -| [pki/root](/vault/api-docs/secret/pki#delete-root) | DELETE | Delete the current CA key ([pki secrets engine](/vault/docs/secrets/pki)) | -| [pki/root/sign-self-issued](/vault/api-docs/secret/pki#sign-self-issued) | POST | Use the configured CA certificate to sign a self-issued certificate ([pki secrets engine](/vault/docs/secrets/pki)) | +| Path | HTTP verb | Description | +| -------------------------------------------------------------------------------------------------------------------------------------------------------| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | +| [auth/token/accessors](/vault/api-docs/auth/token#list-accessors) | LIST | List token accessor | +| [auth/token/create](/vault/api-docs/auth/token#create-token) | POST | Create a periodic or an orphan token (`period` or `no_parent`) option | +| [pki/root](/vault/api-docs/secret/pki#delete-root) | DELETE | Delete the current CA key ([pki secrets engine](/vault/docs/secrets/pki)) | +| [pki/root/sign-self-issued](/vault/api-docs/secret/pki#sign-self-issued) | POST | Use the configured CA certificate to sign a self-issued certificate ([pki secrets engine](/vault/docs/secrets/pki)) | | [sys/audit](/vault/api-docs/system/audit) | GET | List enabled audit devices | | [sys/audit/:path](/vault/api-docs/system/audit) | PUT, DELETE | Enable or remove an audit device | | [sys/auth/:path](/vault/api-docs/system/auth) | GET, POST, DELETE | Manage the auth methods (enable, read, delete, and tune) | +| [sys/auth/:path/tune](/vault/api-docs/system/auth#tune-auth-method) | GET, POST, DELETE | Manage the auth methods (enable, read, delete, and tune) | | [sys/config/auditing/request-headers](/vault/api-docs/system/config-auditing) | GET | List the request headers that are configured to be audited | -| [sys/config/auditing/request-headers:name](/vault/api-docs/system/config-auditing) | GET, PUT, DELETE | Manage the auditing headers (create, update, read and delete) | +| [sys/config/auditing/request-headers/:name](/vault/api-docs/system/config-auditing) | GET, PUT, DELETE | Manage the auditing headers (create, update, read and delete) | | [sys/config/cors](/vault/api-docs/system/config-cors) | GET, PUT, DELETE | Configure CORS setting | -| [sys/config-ui](/vault/api-docs/system/config-ui) | GET | Configure the UI settings | -| [sys/internal/specs/openapi](/vault/api-docs/system/internal-specs-openapi) | GET | Generate an OpenAPI document of the mounted backends | +| [sys/config-ui/headers](/vault/api-docs/system/config-ui) | GET | Configure the UI settings | +| [sys/config-ui/headers/:name](/vault/api-docs/system/config-ui#name) | POST, DELETE | Configure the values to be returned for the UI header | | [sys/leases/lookup/:prefix](/vault/api-docs/system/leases#list-leases) | LIST | List lease IDs | | [sys/leases/revoke-force/:prefix](/vault/api-docs/system/leases#revoke-force) | PUT | Revoke all secrets or tokens ignoring backend errors | | [sys/leases/revoke-prefix/:prefix](/vault/api-docs/system/leases#revoke-prefix) | PUT | Revoke all secrets generated under a given prefix | | [sys/plugins/catalog/:type/:name](/vault/api-docs/system/plugins-catalog#register-plugin) | GET, PUT, DELETE | Register a new plugin, or read/remove an existing plugin | | [sys/raw](/vault/api-docs/system/raw#list-raw) | LIST, GET | Returns a list of keys for a given path prefix | -| [sys/replication/reindex](/vault/api-docs/system/replication#reindex-replication) | POST | Reindex the local data storage | +| [sys/remount](/vault/api-docs/system/remount) | POST | Moves an already-mounted backend to a new mount point | +| [sys/replication/reindex](/vault/api-docs/system/replication#reindex-replication) | POST | Reindex the local data storage | | [sys/replication/performance/primary/secondary-token](/vault/api-docs/system/replication/replication-performance#generate-performance-secondary-token) | POST | Generate a performance secondary activation token | | [sys/replication/dr/primary/secondary-token](/vault/api-docs/system/replication/replication-dr#generate-dr-secondary-token) | POST | Generate a DR secondary activation token | | [sys/rotate](/vault/api-docs/system/rotate) | PUT | Trigger a rotation of the backend encryption key | | [sys/seal](/vault/api-docs/system/seal) | PUT | Seals the Vault | -| [sys/step-down](/vault/api-docs/system/step-down) +| [sys/storage/raft/snapshot-auto/config](/vault/api-docs/system/storage/raftautosnapshots#list-automated-snapshots-configs) | LIST | Lists named configurations | +| [sys/storage/raft/snapshot-auto/config/:name](/vault/api-docs/system/storage/raftautosnapshots) | POST, GET, DELETE | Creates or updates a named configuration | ### Tokens From 4aea29dcdee7f0ed569d481887a028e4989e820f Mon Sep 17 00:00:00 2001 From: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Date: Fri, 19 May 2023 07:45:09 -0400 Subject: [PATCH 2/7] Add step-down per engineering --- website/content/docs/concepts/policies.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/website/content/docs/concepts/policies.mdx b/website/content/docs/concepts/policies.mdx index 65c98addda91..43de4bfe35e1 100644 --- a/website/content/docs/concepts/policies.mdx +++ b/website/content/docs/concepts/policies.mdx @@ -826,6 +826,7 @@ The following paths requires a root token or `sudo` capability in the policy: | [sys/replication/dr/primary/secondary-token](/vault/api-docs/system/replication/replication-dr#generate-dr-secondary-token) | POST | Generate a DR secondary activation token | | [sys/rotate](/vault/api-docs/system/rotate) | PUT | Trigger a rotation of the backend encryption key | | [sys/seal](/vault/api-docs/system/seal) | PUT | Seals the Vault | +| [sys/step-down](/vault/api-docs/system/step-down) | POST | Forces a node to give up active status | | [sys/storage/raft/snapshot-auto/config](/vault/api-docs/system/storage/raftautosnapshots#list-automated-snapshots-configs) | LIST | Lists named configurations | | [sys/storage/raft/snapshot-auto/config/:name](/vault/api-docs/system/storage/raftautosnapshots) | POST, GET, DELETE | Creates or updates a named configuration | From e84cd97db1a0efb63b266fe2682b9037156a5ba3 Mon Sep 17 00:00:00 2001 From: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Date: Fri, 19 May 2023 08:17:12 -0400 Subject: [PATCH 3/7] Match HTTP verb to individual doc pages --- website/content/docs/concepts/policies.mdx | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/website/content/docs/concepts/policies.mdx b/website/content/docs/concepts/policies.mdx index 43de4bfe35e1..b7a13d8fb055 100644 --- a/website/content/docs/concepts/policies.mdx +++ b/website/content/docs/concepts/policies.mdx @@ -804,28 +804,28 @@ The following paths requires a root token or `sudo` capability in the policy: | -------------------------------------------------------------------------------------------------------------------------------------------------------| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | | [auth/token/accessors](/vault/api-docs/auth/token#list-accessors) | LIST | List token accessor | | [auth/token/create](/vault/api-docs/auth/token#create-token) | POST | Create a periodic or an orphan token (`period` or `no_parent`) option | -| [pki/root](/vault/api-docs/secret/pki#delete-root) | DELETE | Delete the current CA key ([pki secrets engine](/vault/docs/secrets/pki)) | +| [pki/root](/vault/api-docs/secret/pki#delete-all-issuers-and-keys) | DELETE | Delete the current CA key ([pki secrets engine](/vault/docs/secrets/pki)) | | [pki/root/sign-self-issued](/vault/api-docs/secret/pki#sign-self-issued) | POST | Use the configured CA certificate to sign a self-issued certificate ([pki secrets engine](/vault/docs/secrets/pki)) | | [sys/audit](/vault/api-docs/system/audit) | GET | List enabled audit devices | -| [sys/audit/:path](/vault/api-docs/system/audit) | PUT, DELETE | Enable or remove an audit device | +| [sys/audit/:path](/vault/api-docs/system/audit) | POST, DELETE | Enable or remove an audit device | | [sys/auth/:path](/vault/api-docs/system/auth) | GET, POST, DELETE | Manage the auth methods (enable, read, delete, and tune) | | [sys/auth/:path/tune](/vault/api-docs/system/auth#tune-auth-method) | GET, POST, DELETE | Manage the auth methods (enable, read, delete, and tune) | | [sys/config/auditing/request-headers](/vault/api-docs/system/config-auditing) | GET | List the request headers that are configured to be audited | -| [sys/config/auditing/request-headers/:name](/vault/api-docs/system/config-auditing) | GET, PUT, DELETE | Manage the auditing headers (create, update, read and delete) | -| [sys/config/cors](/vault/api-docs/system/config-cors) | GET, PUT, DELETE | Configure CORS setting | +| [sys/config/auditing/request-headers/:name](/vault/api-docs/system/config-auditing) | GET, POST, DELETE | Manage the auditing headers (create, update, read and delete) | +| [sys/config/cors](/vault/api-docs/system/config-cors) | GET, POST, DELETE | Configure CORS setting | | [sys/config-ui/headers](/vault/api-docs/system/config-ui) | GET | Configure the UI settings | | [sys/config-ui/headers/:name](/vault/api-docs/system/config-ui#name) | POST, DELETE | Configure the values to be returned for the UI header | | [sys/leases/lookup/:prefix](/vault/api-docs/system/leases#list-leases) | LIST | List lease IDs | -| [sys/leases/revoke-force/:prefix](/vault/api-docs/system/leases#revoke-force) | PUT | Revoke all secrets or tokens ignoring backend errors | -| [sys/leases/revoke-prefix/:prefix](/vault/api-docs/system/leases#revoke-prefix) | PUT | Revoke all secrets generated under a given prefix | -| [sys/plugins/catalog/:type/:name](/vault/api-docs/system/plugins-catalog#register-plugin) | GET, PUT, DELETE | Register a new plugin, or read/remove an existing plugin | +| [sys/leases/revoke-force/:prefix](/vault/api-docs/system/leases#revoke-force) | POST | Revoke all secrets or tokens ignoring backend errors | +| [sys/leases/revoke-prefix/:prefix](/vault/api-docs/system/leases#revoke-prefix) | POST | Revoke all secrets generated under a given prefix | +| [sys/plugins/catalog/:type/:name](/vault/api-docs/system/plugins-catalog#register-plugin) | GET, POST, DELETE | Register a new plugin, or read/remove an existing plugin | | [sys/raw](/vault/api-docs/system/raw#list-raw) | LIST, GET | Returns a list of keys for a given path prefix | | [sys/remount](/vault/api-docs/system/remount) | POST | Moves an already-mounted backend to a new mount point | | [sys/replication/reindex](/vault/api-docs/system/replication#reindex-replication) | POST | Reindex the local data storage | | [sys/replication/performance/primary/secondary-token](/vault/api-docs/system/replication/replication-performance#generate-performance-secondary-token) | POST | Generate a performance secondary activation token | | [sys/replication/dr/primary/secondary-token](/vault/api-docs/system/replication/replication-dr#generate-dr-secondary-token) | POST | Generate a DR secondary activation token | -| [sys/rotate](/vault/api-docs/system/rotate) | PUT | Trigger a rotation of the backend encryption key | -| [sys/seal](/vault/api-docs/system/seal) | PUT | Seals the Vault | +| [sys/rotate](/vault/api-docs/system/rotate) | POST | Trigger a rotation of the backend encryption key | +| [sys/seal](/vault/api-docs/system/seal) | POST | Seals the Vault | | [sys/step-down](/vault/api-docs/system/step-down) | POST | Forces a node to give up active status | | [sys/storage/raft/snapshot-auto/config](/vault/api-docs/system/storage/raftautosnapshots#list-automated-snapshots-configs) | LIST | Lists named configurations | | [sys/storage/raft/snapshot-auto/config/:name](/vault/api-docs/system/storage/raftautosnapshots) | POST, GET, DELETE | Creates or updates a named configuration | From 754cce8873024cc6a1c99bd71f93de96aec6401f Mon Sep 17 00:00:00 2001 From: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Date: Fri, 19 May 2023 08:31:47 -0400 Subject: [PATCH 4/7] Add /sys/internal/inspect/router to table --- website/content/docs/concepts/policies.mdx | 1 + 1 file changed, 1 insertion(+) diff --git a/website/content/docs/concepts/policies.mdx b/website/content/docs/concepts/policies.mdx index b7a13d8fb055..3bbfda2623d1 100644 --- a/website/content/docs/concepts/policies.mdx +++ b/website/content/docs/concepts/policies.mdx @@ -815,6 +815,7 @@ The following paths requires a root token or `sudo` capability in the policy: | [sys/config/cors](/vault/api-docs/system/config-cors) | GET, POST, DELETE | Configure CORS setting | | [sys/config-ui/headers](/vault/api-docs/system/config-ui) | GET | Configure the UI settings | | [sys/config-ui/headers/:name](/vault/api-docs/system/config-ui#name) | POST, DELETE | Configure the values to be returned for the UI header | +| [sys/internal/inspect/router](/vault/api-docs/system/inspect/router ) | GET | Inspect the internal components of Vault's router | | [sys/leases/lookup/:prefix](/vault/api-docs/system/leases#list-leases) | LIST | List lease IDs | | [sys/leases/revoke-force/:prefix](/vault/api-docs/system/leases#revoke-force) | POST | Revoke all secrets or tokens ignoring backend errors | | [sys/leases/revoke-prefix/:prefix](/vault/api-docs/system/leases#revoke-prefix) | POST | Revoke all secrets generated under a given prefix | From 6f486914955b305e5800147c25e0bff0b395a6fb Mon Sep 17 00:00:00 2001 From: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Date: Fri, 19 May 2023 14:43:11 -0400 Subject: [PATCH 5/7] Apply additional suggestions --- website/content/docs/concepts/policies.mdx | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/website/content/docs/concepts/policies.mdx b/website/content/docs/concepts/policies.mdx index 3bbfda2623d1..7e6201c6d1cd 100644 --- a/website/content/docs/concepts/policies.mdx +++ b/website/content/docs/concepts/policies.mdx @@ -798,24 +798,30 @@ authenticated user. ## Root protected API endpoints +~> **Note:** Vault treats the HTTP POST and PUT verbs as equivalent, so for each mention + of POST in the table above, PUT may also be used. Vault uses the non-standard LIST HTTP + verb, but also allows list requests to be made using the GET verb along with `?list=true` + as a query parameter, so for each mention of LIST in the table above, GET with `?list=true` + may also be used. + The following paths requires a root token or `sudo` capability in the policy: | Path | HTTP verb | Description | | -------------------------------------------------------------------------------------------------------------------------------------------------------| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | -| [auth/token/accessors](/vault/api-docs/auth/token#list-accessors) | LIST | List token accessor | +| [auth/token/accessors](/vault/api-docs/auth/token#list-accessors) | LIST | List token accessors for all current Vault service tokens | | [auth/token/create](/vault/api-docs/auth/token#create-token) | POST | Create a periodic or an orphan token (`period` or `no_parent`) option | | [pki/root](/vault/api-docs/secret/pki#delete-all-issuers-and-keys) | DELETE | Delete the current CA key ([pki secrets engine](/vault/docs/secrets/pki)) | | [pki/root/sign-self-issued](/vault/api-docs/secret/pki#sign-self-issued) | POST | Use the configured CA certificate to sign a self-issued certificate ([pki secrets engine](/vault/docs/secrets/pki)) | | [sys/audit](/vault/api-docs/system/audit) | GET | List enabled audit devices | | [sys/audit/:path](/vault/api-docs/system/audit) | POST, DELETE | Enable or remove an audit device | -| [sys/auth/:path](/vault/api-docs/system/auth) | GET, POST, DELETE | Manage the auth methods (enable, read, delete, and tune) | -| [sys/auth/:path/tune](/vault/api-docs/system/auth#tune-auth-method) | GET, POST, DELETE | Manage the auth methods (enable, read, delete, and tune) | +| [sys/auth/:path](/vault/api-docs/system/auth) | GET, POST, DELETE | Manage the auth methods (enable, read, and delete) | +| [sys/auth/:path/tune](/vault/api-docs/system/auth#tune-auth-method) | GET, POST | Manage the auth methods (enable, read, delete, and tune) | | [sys/config/auditing/request-headers](/vault/api-docs/system/config-auditing) | GET | List the request headers that are configured to be audited | | [sys/config/auditing/request-headers/:name](/vault/api-docs/system/config-auditing) | GET, POST, DELETE | Manage the auditing headers (create, update, read and delete) | | [sys/config/cors](/vault/api-docs/system/config-cors) | GET, POST, DELETE | Configure CORS setting | -| [sys/config-ui/headers](/vault/api-docs/system/config-ui) | GET | Configure the UI settings | -| [sys/config-ui/headers/:name](/vault/api-docs/system/config-ui#name) | POST, DELETE | Configure the values to be returned for the UI header | -| [sys/internal/inspect/router](/vault/api-docs/system/inspect/router ) | GET | Inspect the internal components of Vault's router | +| [sys/config/ui/headers](/vault/api-docs/system/config-ui) | GET, LIST | Configure the UI settings | +| [sys/config/ui/headers/:name](/vault/api-docs/system/config-ui#name) | POST, DELETE | Configure custom HTTP headers to be served with the UI | +| [sys/internal/inspect/router](/vault/api-docs/system/inspect/router) | GET | Inspect the internal components of Vault's router | | [sys/leases/lookup/:prefix](/vault/api-docs/system/leases#list-leases) | LIST | List lease IDs | | [sys/leases/revoke-force/:prefix](/vault/api-docs/system/leases#revoke-force) | POST | Revoke all secrets or tokens ignoring backend errors | | [sys/leases/revoke-prefix/:prefix](/vault/api-docs/system/leases#revoke-prefix) | POST | Revoke all secrets generated under a given prefix | @@ -829,7 +835,7 @@ The following paths requires a root token or `sudo` capability in the policy: | [sys/seal](/vault/api-docs/system/seal) | POST | Seals the Vault | | [sys/step-down](/vault/api-docs/system/step-down) | POST | Forces a node to give up active status | | [sys/storage/raft/snapshot-auto/config](/vault/api-docs/system/storage/raftautosnapshots#list-automated-snapshots-configs) | LIST | Lists named configurations | -| [sys/storage/raft/snapshot-auto/config/:name](/vault/api-docs/system/storage/raftautosnapshots) | POST, GET, DELETE | Creates or updates a named configuration | +| [sys/storage/raft/snapshot-auto/config/:name](/vault/api-docs/system/storage/raftautosnapshots) | GET, POST, DELETE | Creates or updates a named configuration | ### Tokens From db309c0dc135fa87cf4e4e079faa12b6f1c8f2ca Mon Sep 17 00:00:00 2001 From: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Date: Wed, 24 May 2023 16:52:24 -0400 Subject: [PATCH 6/7] Updates based on engineering feedback --- website/content/docs/concepts/policies.mdx | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/website/content/docs/concepts/policies.mdx b/website/content/docs/concepts/policies.mdx index 7e6201c6d1cd..b86e64864896 100644 --- a/website/content/docs/concepts/policies.mdx +++ b/website/content/docs/concepts/policies.mdx @@ -821,12 +821,15 @@ The following paths requires a root token or `sudo` capability in the policy: | [sys/config/cors](/vault/api-docs/system/config-cors) | GET, POST, DELETE | Configure CORS setting | | [sys/config/ui/headers](/vault/api-docs/system/config-ui) | GET, LIST | Configure the UI settings | | [sys/config/ui/headers/:name](/vault/api-docs/system/config-ui#name) | POST, DELETE | Configure custom HTTP headers to be served with the UI | -| [sys/internal/inspect/router](/vault/api-docs/system/inspect/router) | GET | Inspect the internal components of Vault's router | + +| [sys/internal/inspect/router/:tag](/vault/api-docs/system/inspect/router) | GET | Inspect the internal components of Vault's router. `tag` must be one of root, uuid, accessor, or storage | + | [sys/leases/lookup/:prefix](/vault/api-docs/system/leases#list-leases) | LIST | List lease IDs | | [sys/leases/revoke-force/:prefix](/vault/api-docs/system/leases#revoke-force) | POST | Revoke all secrets or tokens ignoring backend errors | | [sys/leases/revoke-prefix/:prefix](/vault/api-docs/system/leases#revoke-prefix) | POST | Revoke all secrets generated under a given prefix | | [sys/plugins/catalog/:type/:name](/vault/api-docs/system/plugins-catalog#register-plugin) | GET, POST, DELETE | Register a new plugin, or read/remove an existing plugin | -| [sys/raw](/vault/api-docs/system/raw#list-raw) | LIST, GET | Returns a list of keys for a given path prefix | +| [sys/raw:path](/vault/api-docs/system/raw) | GET, POST, DELETE | Used to access the raw underlying store in Vault | +| [sys/raw:prefix](/vault/api-docs/system/raw#list-raw) | GET, LIST | Returns a list keys for a given path prefix | | [sys/remount](/vault/api-docs/system/remount) | POST | Moves an already-mounted backend to a new mount point | | [sys/replication/reindex](/vault/api-docs/system/replication#reindex-replication) | POST | Reindex the local data storage | | [sys/replication/performance/primary/secondary-token](/vault/api-docs/system/replication/replication-performance#generate-performance-secondary-token) | POST | Generate a performance secondary activation token | From 92d25fcc0b451679b48bae249ae3e3eea8c09bf3 Mon Sep 17 00:00:00 2001 From: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Date: Wed, 24 May 2023 16:58:09 -0400 Subject: [PATCH 7/7] Adding unsaved changes --- website/content/docs/concepts/policies.mdx | 2 -- 1 file changed, 2 deletions(-) diff --git a/website/content/docs/concepts/policies.mdx b/website/content/docs/concepts/policies.mdx index b86e64864896..a58a39262b8a 100644 --- a/website/content/docs/concepts/policies.mdx +++ b/website/content/docs/concepts/policies.mdx @@ -821,9 +821,7 @@ The following paths requires a root token or `sudo` capability in the policy: | [sys/config/cors](/vault/api-docs/system/config-cors) | GET, POST, DELETE | Configure CORS setting | | [sys/config/ui/headers](/vault/api-docs/system/config-ui) | GET, LIST | Configure the UI settings | | [sys/config/ui/headers/:name](/vault/api-docs/system/config-ui#name) | POST, DELETE | Configure custom HTTP headers to be served with the UI | - | [sys/internal/inspect/router/:tag](/vault/api-docs/system/inspect/router) | GET | Inspect the internal components of Vault's router. `tag` must be one of root, uuid, accessor, or storage | - | [sys/leases/lookup/:prefix](/vault/api-docs/system/leases#list-leases) | LIST | List lease IDs | | [sys/leases/revoke-force/:prefix](/vault/api-docs/system/leases#revoke-force) | POST | Revoke all secrets or tokens ignoring backend errors | | [sys/leases/revoke-prefix/:prefix](/vault/api-docs/system/leases#revoke-prefix) | POST | Revoke all secrets generated under a given prefix |