HashiCorp Certified: Vault Associate Certification

Compare Authentication Methods

Vault Authentication using the API

When you migrate from the Vault CLI to its HTTP API, authentication works slightly differently. Instead of the CLI persisting your token, the API returns a JSON payload containing:

Field            Description
client_token     Vault token to include in subsequent calls
accessor         Token accessor for lookup and revoke
policies         List of policies attached to the token
lease_duration   Time-to-live (TTL) for the token

You must parse this JSON response, extract the client_token, and include it in the X-Vault-Token header for all future requests.

Note

Unlike the CLI, the API does not store your token on disk. Manage tokens securely in environment variables or a secrets manager.

Authenticating with AppRole

AppRole authentication allows machines or applications to authenticate to Vault. No existing token is required to perform this login.

Prepare the Login Payload

Create a JSON file (auth.json) containing your AppRole credentials:

{
  "role_id": "<your_role_id>",
  "secret_id": "<your_secret_id>"
}

Send the Login Request

curl --request POST \
     --data @auth.json \
     https://vault.example.com:8200/v1/auth/approle/login

  • --data @auth.json: Sends the contents of auth.json (the JSON payload with role_id and secret_id) as the request body.
  • Endpoint: /v1/auth/approle/login tells Vault to authenticate via AppRole.

Sample Response

A successful AppRole login returns a JSON object similar to:

{
  "request_id": "0f874bea-16a6-c3da-8f20-1f2ef9cb5d22",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": null,
  "auth": {
    "client_token": "s.wjkffdrqM9QYTOYrUnUxXyX6",
    "accessor": "Hbhmd3OfVTXnukBv7WxMrWld",
    "policies": [
      "admin",
      "default"
    ]
  }
}

Extract the auth.client_token value—this is your Vault API token.

Using the Vault Token for Subsequent Requests

Include the token in the X-Vault-Token header for all Vault API calls. For example, to read a secret at secret/data/my-secret:

curl --header "X-Vault-Token: s.wjkffdrqM9QYTOYrUnUxXyX6" \
     https://vault.example.com:8200/v1/secret/data/my-secret

Replace my-secret with the path to your desired secret. All reads, writes, renewals, and revocations follow the same pattern.

Warning

Avoid exposing your Vault token in shared logs or command-history. Use environment variables or CI/CD secret storage to keep tokens confidential.
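
The login, token extraction and authenticated read described above, as an added Python example that is not part of the original course material. The names parse_login_response, auth_headers, approle_login, read_secret and VaultAuthError are hypothetical; the sample response is constructed from the one shown on this page, and the check for an "errors" array assumes Vault's usual failure body.

```python
import json
import urllib.request

VAULT_ADDR = "https://vault.example.com:8200"  # address used on this page

# Constructed sample: the login response shown above, trimmed to its auth block.
SAMPLE_LOGIN_RESPONSE = """{"request_id": "0f874bea-16a6-c3da-8f20-1f2ef9cb5d22",
 "auth": {"client_token": "s.wjkffdrqM9QYTOYrUnUxXyX6",
          "accessor": "Hbhmd3OfVTXnukBv7WxMrWld",
          "policies": ["admin", "default"]}}"""


class VaultAuthError(Exception):
    """Raised when a login response carries no usable token."""


def parse_login_response(body):
    """Return the auth block of a login response, or raise VaultAuthError."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise VaultAuthError("login response is not valid JSON") from exc
    if not isinstance(doc, dict):
        raise VaultAuthError("login response is not a JSON object")
    if doc.get("errors"):  # assumption: failures arrive as {"errors": [...]}
        raise VaultAuthError("; ".join(map(str, doc["errors"])))
    auth = doc.get("auth")
    if not isinstance(auth, dict) or not auth.get("client_token"):
        raise VaultAuthError("response has no auth.client_token")
    return auth


def auth_headers(token):
    """Header that every later Vault API call must carry."""
    return {"X-Vault-Token": token}


def approle_login(role_id, secret_id, addr=VAULT_ADDR):
    """POST the AppRole credentials and return the parsed auth block."""
    payload = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    req = urllib.request.Request(f"{addr}/v1/auth/approle/login", data=payload,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_login_response(resp.read())


def read_secret(path, token, addr=VAULT_ADDR):
    """GET a secret path, e.g. secret/data/my-secret, using the token header."""
    req = urllib.request.Request(f"{addr}/v1/{path}", headers=auth_headers(token))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())
```

Read role_id and secret_id from the environment or a secret store rather than hard-coding them, and log the accessor instead of the client_token when you need to identify a token.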
