Vault
Audit log entry schema
Vault logs audit entries as individual JSON objects separated by line breaks. Audit log entries include attributes that are common across all API endpoints and endpoint-specific request and response attributes.
Audit log entries represent API requests received by Vault and API response sent by Vault. You can match response entries to the corresponding request entry with the ID field of the request object (.request.id) included in both entries.
| Attribute | Type | Description |
|---|---|---|
auth | object | authentication object describing the authenticated principal making the API call. |
error | string | Error string generated by the request or returned in the response. Omitted for successful transactions. |
forwarded_from | string | Host and port of the performance standby node forwarding the request. Omitted for requests not forwarded. |
request | object | request object describing the request details. |
response | object | response object describing response details. Omitted for request entries. |
time | string | Date and time of the API request/response in ISO 8601 format. |
type | string | Type of the audit log entry. One of request or response. |
{
"auth": <authentication object>,
"error": "error converting input {\"name\":\"John\"} for field \"data\": '' expected a map, got 'string'",
"forwarded_from": "vault-1.prod.corp.com:443",
"request": <request object>,
"time": "2025-06-05T16:10:22.292517Z",
"type": "request"
}
Authentication object
Vault omits irrelevant authentication object attributes from the audit entry. For example, accessor and client_token are irrelevant for unauthenticated requests and metadata is irrelevant if the authentication token lacks metadata.
| Attribute | Type | Description |
|---|---|---|
accessor | string | Accessor of the Vault token that performed the request. This value is hashed by default; the example shows a non-hashed token accessor. Refer to token accessors for more information. |
client_token | string | Vault token that performed the request, in hashed form. |
display_name | string | Name associated with the Vault token that performed the request. This is a non-sensitive value that can help identify tokens. If a display name is not set, "token" will be shown. |
token_type | string | Whether the Vault token is a service, batch, or periodic token. Refer to token types. |
token_issue_time | string | Date and time when the Vault token was issued, in ISO 8601 format. |
token_ttl | integer | Validity period of the Vault token, in seconds and as of when the token was first issued, relative to token_issue_time. Note that this value is not updated when the token's lifetime is changed subsequent to initial issuance. |
metadata | object | Metadata associated with the Vault token. |
num_uses | integer | When the API request results in a token being issued, which token has a limited number of uses, the number of uses on that token. |
remaining_uses | integer | If the Vault token has a limit on the number of uses, the number of uses remaining prior to the current request. |
entity_created | boolean | Whether the request resulted in an entity being created, i.e. an authorized principal logs into Vault for the first time. Omitted when false. |
entity_id | string | If the Vault token is associated with an entity, the ID of that entity. |
policies | list(string) | List of the names of the ACL policies associated with either the Vault token or the corresponding entity. |
identity_policies | list(string) | If the Vault token is associated with an entity, a list of the names of the ACL policies associated (directly or via group membership) with that entity. |
token_policies | list(string) | A list of the names of the ACL policies associated directly with the Vault token. |
no_default_policy | boolean | Whether the Vault token does not have Vault's "default" ACL policy associated with it. Omitted when false. |
external_namespace_ policies | object | If the Vault token is associated with an entity, and that entity inherits ACL policies from a namespace other than the namespace in which the entity exists, a JSON object containing a boolean attribute allowed and granting_policies, a list of those inherited ACL policies. Refer to the JSON structure below for more information about granting_policies. |
policy_results | object | JSON object containing a boolean attribute allowed and granting_policies, a list of ACL policies associated with either the Vault token or the corresponding entity that resulted in the request being allowed. Refer to the JSON structure below for more information about granting_policies. |
{
"accessor": "",
"client_token": "",
"display_name": "",
"entity_created": "",
"entity_id": "",
"external_namespace_policies": {
"allowed": true,
"granting_policies": [
{
"name": "",
"namespace_id": "",
"namespace_path": "",
"type": ""
}
]
},
"identity_policies": [""],
"metadata": {},
"no_default_policy": false,
"num_uses": 10,
"policies": [""],
"policy_results": {
"allowed": true,
"granting_policies": [
{
"name": "",
"namespace_id": "",
"namespace_path": "",
"type": ""
}
]
},
"remaining_uses": 5,
"token_policies": [""],
"token_issue_time": "",
"token_ttl": 3600,
"token_type": ""
}
Request object
The following request object definition includes example data with simple types (string, bool, int) and used in other JSON examples that include a <request> object.
| Attribute | Type | Description |
|---|---|---|
id | string | Random ID generated by Vault to uniquely identify the API request. |
operation | string | Whether the request is a create, read, update, delete, or list operation. |
namespace | object | JSON object with the namespace's unique id and its path. |
path | string | API path that received the request. |
request_uri | string | The original request path from the HTTP request, if it differs from path (e.g., when the Vault namespace is specified as an HTTP header). |
mount_accessor | string | Unique identifier of the Vault mount (secret engine or authentication backend) that received the API request. |
mount_type | string | Type of Vault mount that received the API request. |
mount_running_version | string | Version string for the Vault mount that received the API request. |
mount_running_sha256 | string | If the mount that received the API request is an external plugin, the SHA-256 hash of the plugin's running version. |
mount_is_external_ plugin | boolean | Whether the mount that received the API request is an external plugin. |
remote_address | string | IP address of the client making the request, as seen by Vault. Note that load balancers, proxies, and reverse proxies may all mask the true client's IP address. |
remote_port | integer | Port number used by the client making the request, as seen by Vault. |
headers | object | JSON object containing request headers configured to be logged. |
policy_override | boolean | Whether the client requested an override of a Sentinel policy. |
client_id | string | ID of the Vault client making the request. |
client_token | string | Vault token that performed the request, in hashed form. |
client_token_accessor | string | Accessor of the Vault token that performed the request. This value is hashed by default; the example shows a non-hashed token accessor. Refer to token accessors for more information. |
client_certificate_ serial_number | string | If the client's connection to Vault is mutually authenticated, the serial number of the client's TLS certificate. |
wrap_ttl | integer | If the client requested the response to be wrapped, the number of seconds for which the wrapped response will be available. |
data | object | JSON object containing the request's payload. This is dependent on the API endpoint called. |
replication_cluster | string | If the request was forwarded from a Performance Replication secondary cluster, the name of the secondary cluster. |
{
"client_certificate_serial_number": "",
"client_id": "",
"client_token": "",
"client_token_accessor": "",
"data": {},
"id": "",
"headers": {},
"mount_accessor": "",
"mount_class": "",
"mount_point": "",
"mount_type": "",
"mount_running_version": "",
"mount_running_sha256": "",
"mount_is_external_plugin": "",
"namespace": {
"id": "",
"path": ""
},
"operation": "",
"path": "",
"policy_override": true,
"remote_address": "",
"remote_port": 1234,
"replication_cluster": "",
"request_uri": "",
"wrap_ttl": 60
}
Response object
The following response object definition includes example data with simple types (string, bool, int) and used in other JSON examples that include a <response> object.
| Attribute | Type | Description |
|---|---|---|
auth | object | If the request results in a token being created, an authentication object with the token information. See authentication above. |
headers | object | Set of HTTP response headers sent by the plugin that handled the API request. |
redirect | string | For requests sent to authentication backends, the URL to which the authentication backend redirected the user for further authentication. |
warnings | list(string) | If the API returned one or more warnings, a list of the warning messages. |
data | object | JSON object containing the response payload. This is dependent on the API endpoint called. |
secret | object | If the API returned a leased secret, a JSON object with one attribute, lease_id, that identifies that leased secret. |
wrap_info | object | If the API returned a response-wrapped secret, a JSON object containing the properties of the wrapping token. See below for the attributes in the JSON object. |
mount_class | string | Type of API mount, auth or secret. |
mount_accessor | string | Unique identifier of the Vault mount (secret engine or authentication backend) that responded to the API request. |
mount_type | string | Type of Vault mount that responded to the API request. |
mount_running_plugin_version | string | Version string for the Vault mount that responded to the API request. |
mount_running_sha256 | string | If the mount that received the API request is an external plugin, the SHA-256 hash of the plugin's running version. |
mount_is_external_plugin | boolean | Whether the mount that received the API request is an external plugin. |
{
"auth": <auth>,
"data": {},
"headers": {},
"mount_accessor": "",
"mount_class": "",
"mount_is_external_plugin": false,
"mount_point": "",
"mount_running_sha256": "",
"mount_running_plugin_version": "",
"mount_type": "",
"redirect": "",
"secret": {
"lease_id": ""
},
"wrap_info": {
"accessor": "",
"creation_path": "",
"creation_time": "",
"token": "",
"ttl": 60,
"wrapped_accessor": ""
},
"warnings": [
""
]
}
JSON schemas
Request audit entries
{
"type": "object",
"properties": {
"auth": {
"type": "object",
"properties": {
"accessor": {
"type": "string"
},
"client_token": {
"type": "string"
},
"display_name": {
"type": "string"
},
"entity_created": {
"type": "boolean"
},
"entity_id": {
"type": "string"
},
"external_namespace_policies": {
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"type": "string"
}
}
},
"identity_policies": {
"type": "array",
"items": {
"type": "string"
}
},
"metadata": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"no_default_policy": {
"type": "boolean"
},
"num_uses": {
"type": "integer",
"format": "int32"
},
"policies": {
"type": "array",
"items": {
"type": "string"
}
},
"policy_results": {
"type": "object",
"properties": {
"allowed": {
"type": "boolean"
},
"granting_policies": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"namespace_id": {
"type": "string"
},
"namespace_path": {
"type": "string"
},
"type": {
"type": "string"
}
},
"additionalProperties": false,
"required": [
"type"
]
}
}
},
"additionalProperties": false,
"required": [
"allowed"
]
},
"remaining_uses": {
"type": "integer",
"format": "int32"
},
"token_issue_time": {
"type": "string"
},
"token_policies": {
"type": "array",
"items": {
"type": "string"
}
},
"token_ttl": {
"type": "integer",
"format": "int64"
},
"token_type": {
"type": "string"
}
},
"additionalProperties": false
},
"error": {
"type": "string"
},
"forwarded_from": {
"type": "string"
},
"request": {
"type": "object",
"properties": {
"client_certificate_serial_number": {
"type": "string"
},
"client_id": {
"type": "string"
},
"client_token": {
"type": "string"
},
"client_token_accessor": {
"type": "string"
},
"data": {
"type": "object",
"additionalProperties": {}
},
"headers": {
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"type": "string"
}
}
},
"id": {
"type": "string"
},
"mount_accessor": {
"type": "string"
},
"mount_class": {
"type": "string"
},
"mount_is_external_plugin": {
"type": "boolean"
},
"mount_point": {
"type": "string"
},
"mount_running_sha256": {
"type": "string"
},
"mount_running_version": {
"type": "string"
},
"mount_type": {
"type": "string"
},
"namespace": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"path": {
"type": "string"
}
},
"additionalProperties": false
},
"operation": {
"type": "string"
},
"path": {
"type": "string"
},
"policy_override": {
"type": "boolean"
},
"remote_address": {
"type": "string"
},
"remote_port": {
"type": "integer",
"format": "int32"
},
"replication_cluster": {
"type": "string"
},
"request_uri": {
"type": "string"
},
"wrap_ttl": {
"type": "integer",
"format": "int32"
}
},
"additionalProperties": false
},
"time": {
"type": "string"
},
"type": {
"type": "string"
}
},
"additionalProperties": false
}
Response audit entries
{
"type": "object",
"properties": {
"auth": {
"type": "object",
"properties": {
"accessor": {
"type": "string"
},
"client_token": {
"type": "string"
},
"display_name": {
"type": "string"
},
"entity_created": {
"type": "boolean"
},
"entity_id": {
"type": "string"
},
"external_namespace_policies": {
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"type": "string"
}
}
},
"identity_policies": {
"type": "array",
"items": {
"type": "string"
}
},
"metadata": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"no_default_policy": {
"type": "boolean"
},
"num_uses": {
"type": "integer",
"format": "int32"
},
"policies": {
"type": "array",
"items": {
"type": "string"
}
},
"policy_results": {
"type": "object",
"properties": {
"allowed": {
"type": "boolean"
},
"granting_policies": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"namespace_id": {
"type": "string"
},
"namespace_path": {
"type": "string"
},
"type": {
"type": "string"
}
},
"additionalProperties": false,
"required": [
"type"
]
}
}
},
"additionalProperties": false,
"required": [
"allowed"
]
},
"remaining_uses": {
"type": "integer",
"format": "int32"
},
"token_issue_time": {
"type": "string"
},
"token_policies": {
"type": "array",
"items": {
"type": "string"
}
},
"token_ttl": {
"type": "integer",
"format": "int64"
},
"token_type": {
"type": "string"
}
},
"additionalProperties": false
},
"error": {
"type": "string"
},
"forwarded": {
"type": "boolean"
},
"request": {
"type": "object",
"properties": {
"client_certificate_serial_number": {
"type": "string"
},
"client_id": {
"type": "string"
},
"client_token": {
"type": "string"
},
"client_token_accessor": {
"type": "string"
},
"data": {
"type": "object",
"additionalProperties": {}
},
"headers": {
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"type": "string"
}
}
},
"id": {
"type": "string"
},
"mount_accessor": {
"type": "string"
},
"mount_class": {
"type": "string"
},
"mount_is_external_plugin": {
"type": "boolean"
},
"mount_point": {
"type": "string"
},
"mount_running_sha256": {
"type": "string"
},
"mount_running_version": {
"type": "string"
},
"mount_type": {
"type": "string"
},
"namespace": {
"type": "object",
"properties": {
"id": {
"type": "string"
},
"path": {
"type": "string"
}
},
"additionalProperties": false
},
"operation": {
"type": "string"
},
"path": {
"type": "string"
},
"policy_override": {
"type": "boolean"
},
"remote_address": {
"type": "string"
},
"remote_port": {
"type": "integer",
"format": "int32"
},
"replication_cluster": {
"type": "string"
},
"request_uri": {
"type": "string"
},
"wrap_ttl": {
"type": "integer",
"format": "int32"
}
},
"additionalProperties": false
},
"response": {
"type": "object",
"properties": {
"auth": {
"type": "object",
"properties": {
"accessor": {
"type": "string"
},
"client_token": {
"type": "string"
},
"display_name": {
"type": "string"
},
"entity_created": {
"type": "boolean"
},
"entity_id": {
"type": "string"
},
"external_namespace_policies": {
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"type": "string"
}
}
},
"identity_policies": {
"type": "array",
"items": {
"type": "string"
}
},
"metadata": {
"type": "object",
"additionalProperties": {
"type": "string"
}
},
"no_default_policy": {
"type": "boolean"
},
"num_uses": {
"type": "integer",
"format": "int32"
},
"policies": {
"type": "array",
"items": {
"type": "string"
}
},
"policy_results": {
"type": "object",
"properties": {
"allowed": {
"type": "boolean"
},
"granting_policies": {
"type": "array",
"items": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"namespace_id": {
"type": "string"
},
"namespace_path": {
"type": "string"
},
"type": {
"type": "string"
}
},
"additionalProperties": false,
"required": [
"type"
]
}
}
},
"additionalProperties": false,
"required": [
"allowed"
]
},
"remaining_uses": {
"type": "integer",
"format": "int32"
},
"token_issue_time": {
"type": "string"
},
"token_policies": {
"type": "array",
"items": {
"type": "string"
}
},
"token_ttl": {
"type": "integer",
"format": "int64"
},
"token_type": {
"type": "string"
}
},
"additionalProperties": false
},
"data": {
"type": "object",
"additionalProperties": {}
},
"headers": {
"type": "object",
"additionalProperties": {
"type": "array",
"items": {
"type": "string"
}
}
},
"mount_accessor": {
"type": "string"
},
"mount_class": {
"type": "string"
},
"mount_is_external_plugin": {
"type": "boolean"
},
"mount_point": {
"type": "string"
},
"mount_running_plugin_version": {
"type": "string"
},
"mount_running_sha256": {
"type": "string"
},
"mount_type": {
"type": "string"
},
"redirect": {
"type": "string"
},
"secret": {
"type": "object",
"properties": {
"lease_id": {
"type": "string"
}
},
"additionalProperties": false
},
"warnings": {
"type": "array",
"items": {
"type": "string"
}
},
"wrap_info": {
"type": "object",
"properties": {
"accessor": {
"type": "string"
},
"creation_path": {
"type": "string"
},
"creation_time": {
"type": "string"
},
"token": {
"type": "string"
},
"ttl": {
"type": "integer",
"format": "int32"
},
"wrapped_accessor": {
"type": "string"
}
},
"additionalProperties": false
}
},
"additionalProperties": false
},
"time": {
"type": "string"
},
"type": {
"type": "string"
}
},
"additionalProperties": false
}
Full entry examples
{
"auth": {
"accessor": "hmac-sha256:3348fe9b24b078f97d747363dda2d55bb0445e90b512e9f68f48d289fed798b3",
"client_token": "hmac-sha256:c39c69748f0894cb4cd0333c779e72343ba45af287649d0fbcc37e9b079abe5d",
"display_name": "userpass-alice",
"entity_id": "62ff123b-7609-1ed9-5707-ea621da72de7",
"metadata": { "username": "alice" },
"policies": ["default"],
"policy_results": {
"allowed": true,
"granting_policies": [
{ "type": "" },
{ "name": "default", "namespace_id": "root", "type": "acl" }
]
},
"token_policies": ["default"],
"token_issue_time": "2025-06-04T16:01:31-04:00",
"token_ttl": 2764800,
"token_type": "service"
},
"request": {
"client_id": "62ff123b-7609-1ed9-5707-ea621da72de7",
"client_token": "hmac-sha256:3431e8c2ce0e5f5e179a857fcf9d948afd83363de9f64a5e956851262e1285e0",
"client_token_accessor": "hmac-sha256:3348fe9b24b078f97d747363dda2d55bb0445e90b512e9f68f48d289fed798b3",
"headers": { "user-agent": ["Go-http-client/1.1"] },
"id": "79cc9b26-488f-eabf-2a97-303ed3bef0d6",
"mount_class": "auth",
"mount_point": "auth/token/",
"mount_running_version": "v1.19.1+builtin.vault",
"mount_type": "token",
"namespace": { "id": "root" },
"operation": "read",
"path": "auth/token/lookup-self",
"remote_address": "127.0.0.1",
"remote_port": 64199
},
"time": "2025-06-04T20:02:46.117181Z",
"type": "request"
}