Vault
token capabilities
The token capabilities command fetches the capabilities of a token for a given
path.
If you pass a token value as an argument, this command uses the
/sys/capabilities endpoint and permission. In the absence of an explicit token
value, this command uses the /sys/capabilities-self endpoint and permission
with the locally authenticated token.
Examples
List capabilities for the local token on the secret/foo path:
$ vault token capabilities secret/foo
read
The output shows the local token has read permission on the secret/foo path.
List capabilities for a token (hvs.CAESI...WtiSW5mWUY) on the
database/creds/readonly path:
$ vault token capabilities hvs.CAESI...WtiSW5mWUY database/creds/readonly
deny
The output shows the token (hvs.CAESI...WtiSW5mWUY) has no permission to
operate on the database/creds/readonly path.
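A least-privilege check built on this command, as an added example that is not part of the Vault documentation: it compares the capabilities reported for each path with an expected set and flags any drift. The function names and the "path caps" input format are assumptions made for the example, as is the handling of multi-capability output (comma-separated text or a JSON array).

```shell
#!/bin/sh
# Added example, not from the Vault docs. Assumes `vault` is on PATH and that
# VAULT_ADDR and a local token are already configured.

# Reduce CLI output to a sorted, space-separated list. Handles "read", a
# comma-separated line, or a JSON array (assumed output shapes), since
# capability names are lowercase letters only.
normalize_caps() {
    printf '%s\n' "$1" | tr -cs 'a-z' '\n' | sed '/^$/d' | sort -u |
        tr '\n' ' ' | sed 's/ $//'
}

# check_path PATH "EXPECTED CAPS" [TOKEN]
# Returns 0 on match, 1 on drift, 2 if the CLI call fails.
# Without TOKEN the local token is checked (/sys/capabilities-self).
check_path() {
    path=$1
    expected=$(normalize_caps "$2")
    token=${3:-}
    if [ -n "$token" ]; then
        raw=$(vault token capabilities "$token" "$path" </dev/null) || return 2
    else
        raw=$(vault token capabilities "$path" </dev/null) || return 2
    fi
    actual=$(normalize_caps "$raw")
    if [ "$actual" = "$expected" ]; then
        echo "OK    $path: $actual"
    else
        echo "DRIFT $path: expected [$expected] got [$actual]"
        return 1
    fi
}

# audit [TOKEN]: reads "path cap,cap,..." lines on stdin and returns
# non-zero if any path differs from its expected set.
audit() {
    rc=0
    while read -r path caps; do
        [ -z "$path" ] && continue
        check_path "$path" "$caps" "${1:-}" || rc=1
    done
    return $rc
}

# Usage (constructed sample policy expectations):
#   printf 'secret/foo read\ndatabase/creds/readonly deny\n' | audit
```

A token passed as an argument appears on the process command line and the call needs permission on /sys/capabilities; running the check as the token itself uses /sys/capabilities-self instead.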
Usage
The following flags are available in addition to the standard set of flags included on all commands.
Output options
-format (string: "table") - Print the output in the given format. Valid formats are "table", "json", or "yaml". This can also be specified via the VAULT_FORMAT environment variable.