Vault supports API key authentication (server-to-server) and JWT authentication (dashboard and management). POST /tokenize also requires X-Pub-Key in addition to X-API-Key or JWT. Some requests support hybrid (API key + JWT for user attribution).

API key

Header: X-API-Key: <your_api_key>

Use for: tokenization, proxy, verify key. For POST /tokenize you must also send X-Pub-Key (obtained from the dashboard or config).

Endpoints that accept an API key:

Endpoint                      Permission
POST /tokenize                tokenization (+ X-Pub-Key required)
POST /proxy/transaction       tokenization
POST /test-tokens             tokenization (+ X-Pub-Key required)
GET /api/applications/key     any (verify key)

API key format may vary (e.g. provisioned keys); the docs often show keys starting with key_ as an example. Never expose API keys in client-side code.

JWT

Header: Authorization: Bearer <jwt>, or the session cookie set after login.

Use for: dashboard and management: projects, applications, audit logs, user settings, MFA. A JWT is required for the management endpoints (projects, applications, audit logs, token management, user settings). The Applications page also documents the verify-key endpoint, which uses the API key.

Auth endpoints (explicit paths)

Method  Path                             Description
POST    /auth/login                      Email/password login; returns JWT
POST    /auth/logout                     Log out
GET     /auth/verify                     Validate current JWT
POST    /auth/change-password            Body: current_password, new_password (JWT)
POST    /auth/forgot-password            Body: email
GET     /auth/verify-reset-token         Query: token
POST    /auth/reset-password             Body: token, new_password
POST    /auth/reset-expired-password     Body: token, current_password, new_password
GET     /auth/password-expiry-info       JWT
POST    /auth/send-verification-code     Email verification flow
POST    /auth/verify-email-code          Verify email code
POST    /auth/register                   Registration (when email verification is used)
POST    /auth/mfa/verify                 Body: code
POST    /auth/mfa/verify-backup          Backup code
POST    /auth/mfa/disable                Body: code
GET     /auth/mfa/status                 MFA status
GET     /auth/mfa/verify-page            MFA verify page
GET     /mfa-status                      Root path for MFA status
MFA setup is via POST /user/settings/mfa (toggle/setup); when enabling, the response can include totp_uri and backup_codes. There is no separate /auth/mfa/setup path.

Hybrid

Send both X-API-Key and Authorization: Bearer <jwt>. The API key authorizes the request; the JWT identifies the user for audit logging (e.g. on tokenize or proxy).
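The three modes above (API key, JWT, hybrid) can be encoded as a single server-side header policy so a caller cannot accidentally send a tokenize request without X-Pub-Key, or a management request without a JWT. This is an added example, not Vault's own client library: the endpoint and header names come from this page, while the function name, the sample values, and the assumption that the login, password-reset and registration flows carry no credential are constructed for illustration.

```python
from typing import Optional

# Endpoints that accept X-API-Key (table in the "API key" section).
API_KEY_ENDPOINTS = {
    ("POST", "/tokenize"), ("POST", "/proxy/transaction"),
    ("POST", "/test-tokens"), ("GET", "/api/applications/key"),
}
# Of those, the ones that additionally require X-Pub-Key.
PUB_KEY_ENDPOINTS = {("POST", "/tokenize"), ("POST", "/test-tokens")}
# Where a JWT may ride alongside the key for user attribution (hybrid mode).
HYBRID_ENDPOINTS = {("POST", "/tokenize"), ("POST", "/proxy/transaction")}
# Assumption (not stated on the page): these flows run before a JWT exists,
# so no credential is attached to them.
PRE_AUTH_ENDPOINTS = {
    ("POST", "/auth/login"), ("POST", "/auth/forgot-password"),
    ("GET", "/auth/verify-reset-token"), ("POST", "/auth/reset-password"),
    ("POST", "/auth/reset-expired-password"), ("POST", "/auth/register"),
    ("POST", "/auth/send-verification-code"), ("POST", "/auth/verify-email-code"),
}


def build_headers(method: str, path: str, api_key: Optional[str] = None,
                  pub_key: Optional[str] = None, jwt: Optional[str] = None) -> dict:
    """Return the auth headers for one request, raising ValueError if the
    endpoint's documented requirements are not satisfied."""
    endpoint = (method.upper(), path)
    headers = {"Content-Type": "application/json"}
    if endpoint in PRE_AUTH_ENDPOINTS:
        return headers
    if endpoint in API_KEY_ENDPOINTS:
        if not api_key:
            raise ValueError(f"{method} {path} requires X-API-Key")
        headers["X-API-Key"] = api_key
        if endpoint in PUB_KEY_ENDPOINTS:
            if not pub_key:
                raise ValueError(f"{method} {path} also requires X-Pub-Key")
            headers["X-Pub-Key"] = pub_key
        if jwt and endpoint in HYBRID_ENDPOINTS:
            # Hybrid: the key authorizes, the JWT only attributes the user.
            headers["Authorization"] = f"Bearer {jwt}"
        return headers
    # Everything else on this page (auth, dashboard, management) is JWT-only.
    if not jwt:
        raise ValueError(f"{method} {path} requires a JWT")
    headers["Authorization"] = f"Bearer {jwt}"
    return headers
```

Because the helper refuses to build an under-authenticated request, a misconfigured integration fails locally rather than with a 401 from Vault, and the API key never has to leave the server.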

Verify API key

See GET /api/applications/key to validate a key and read its project and permissions.

Base URL

Use the Vault base URL (sandbox or production).