Retrieve HCP API token

Endpoint: /oauth/token

Before you can interact with the HCP Vault Secrets API, you must request a OAuth token.

You must pass the HCP service principal key pair (client ID and secret ID) to authenticate with HCP.

HCP_CLIENT_ID - set the value to your service principal client ID
HCP_CLIENT_SECRET - set the value to your service principal client secret

Example

This example stores the OAuth token in the HCP_API_TOKEN variable. The HCP_CLIENT_ID and HCP_CLIENT_SECRET values are passed in as variables.

 $ HCP_API_TOKEN=$(curl --location 'https://auth.hashicorp.com/oauth/token' \
     --header 'content-type: application/json' \
     --data '{
         "audience": "https://api.hashicorp.cloud",
         "grant_type": "client_credentials",
         "client_id": "'$HCP_CLIENT_ID'",
         "client_secret": "'$HCP_CLIENT_SECRET'"
     }' | jq -r .access_token)

Retrieve HCP organization and project ID

Once you have the HCP OAuth token, you must also retrieve your HCP Vault Secrets application name, the organization ID, and the project ID.

If you have the HCP Vault Secrets command line interface (CLI) binary installed and configured, you can retrieve the values by reading vlt config.

$ vlt config
App Name: WebApplication
Project ID: ab35ef-d3f4-4fda-b245-s3asam3st
Organization ID: ab35ef-8d87-4443-a8a8-s3asam3st

API request

You can now make an API request using the HCP OAuth token.

Refer to the HCP Vault Secrets API documentation for a list of all available endpoints and parameters.

Examples

Get available applications

The HCP_API_TOKEN,HCP_CLIENT_ID, and HCP_CLIENT_SECRET values are passed in as variables.

$ curl \
     --location "https://api.cloud.hashicorp.com/secrets/2023-06-13/organizations/$HCP_ORG_ID/projects/$HCP_PROJ_ID/apps" \
     --request GET \
     --header "Authorization: Bearer $HCP_API_TOKEN" | jq

Example output:

{
  "apps": [
    {
      "location": {
        "organization_id": "ab35ef-8d87-4443-a8a8-s3asam3st",
        "project_id": "ab35ef-d3f4-4fda-b245-s3asam3st",
        "region": null
      },
      "name": "WebApplication",
      "description": "",
      "created_at": "2023-05-24T12:04:14.279930Z",
      "updated_at": null,
      "created_by": {
        "name": "username",
        "type": "TYPE_USER",
        "email": "username@example.com"
      },
      "updated_by": null,
      "sync_integrations": []
    }
  ]
}

Get available secrets

The HCP_API_TOKEN,HCP_CLIENT_ID, HCP_CLIENT_SECRET, and APP_NAME values are passed in as variables.

$ curl \
    --location "https://api.cloud.hashicorp.com/secrets/2023-06-13/organizations/$HCP_ORG_ID/projects/$HCP_PROJ_ID/apps/$APP_NAME/secrets" \
    --request GET \
    --header "Authorization: Bearer $HCP_API_TOKEN" | jq

Example output:

{
  "secrets": [
    {
      "name": "username",
      "version": {
        "version": "2",
        "type": "kv",
        "created_at": "2023-05-24T12:34:11.138965Z",
        "created_by": {
          "name": "username",
          "type": "TYPE_USER",
          "email": "username@example.com"
        }
      },
      "created_at": "2023-05-24T12:22:18.395158Z",
      "latest_version": "2",
      "created_by": {
        "name": "username",
        "type": "TYPE_USER",
        "email": "username@example.com"
      },
      "sync_status": {}
    }
  ]
}