API authentication

Bearer authorization header

The Piiano Vault REST API authenticates and authorizes requests with either API keys or JWT access tokens generated by an external identity provider. Either credential is sent as a Bearer token in the HTTP Authorization header, in the form Authorization: Bearer <api-key|jwt-token>.

To enable evaluation and testing, Vault ships with a default API key of pvaultauth for the admin user. See Set the admin's API key for information on how to set a value for this key.

To obtain an API key for any other user, use the regenerate user API key REST API operation or CLI command.

To learn how to create a JWT access token and set up Vault to authenticate it, see Configure JWT authentication.

See Manage users and policies to learn more about how Vault controls access to operations and data.

Tenant isolation header

The Piiano Vault REST API supports an optional enforcement header for tenant isolation. When present, this header restricts each operation to the intended tenant or tenants.

The enforcement header is X-Tenant-Id; its value is a comma-separated list of tenant IDs. The entire request fails with status code 403 when an enforcement violation is detected.

For example, if the enforcement header is X-Tenant-Id: 1,2,3, then the operation is executed only if every resource it touches is owned by tenant 1, 2, or 3.
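The following added example (not part of the Piiano documentation or SDK) ties the two preceding sections together: build_headers constructs the Authorization and X-Tenant-Id headers a client would send, and enforce_tenant_isolation models the server-side rule described above, returning 403 for the whole request as soon as any touched resource is owned by a tenant outside the list, and 200 otherwise. It generalizes the 1,2,3 example to any list of tenant IDs and any set of resources. The function names, the resource_tenants argument, and the sample values are assumptions made for illustration; the only page-provided values are the header names and the default admin key pvaultauth.

```python
from typing import Iterable, Optional


def build_headers(credential: str, tenant_ids: Optional[Iterable[str]] = None) -> dict:
    """Build request headers for Vault (hypothetical client helper, not Piiano's SDK).

    `credential` is either an API key (the evaluation default for admin is
    "pvaultauth") or a JWT issued by an external identity provider; both are
    sent with the same Bearer scheme. `tenant_ids`, when given, becomes the
    comma-separated X-Tenant-Id enforcement header.
    """
    if not credential or any(ch.isspace() for ch in credential):
        raise ValueError("credential must be a non-empty token without whitespace")
    headers = {"Authorization": f"Bearer {credential}"}
    if tenant_ids is not None:
        ids = [str(t).strip() for t in tenant_ids if str(t).strip()]
        if not ids:
            raise ValueError("X-Tenant-Id requires at least one tenant ID")
        headers["X-Tenant-Id"] = ",".join(ids)
    return headers


def parse_tenant_header(value: Optional[str]) -> Optional[set]:
    """Parse 'X-Tenant-Id: 1,2,3' into {'1', '2', '3'}.

    A missing or blank header means no tenant enforcement (returns None).
    Surrounding whitespace around each ID is tolerated; empty entries are dropped.
    """
    if value is None or not value.strip():
        return None
    return {part.strip() for part in value.split(",") if part.strip()}


def enforce_tenant_isolation(header_value: Optional[str], resource_tenants: Iterable[str]) -> int:
    """Model of the enforcement rule on the page (constructed, not Vault's code).

    `resource_tenants` is the owner tenant of every resource the request
    touches. Returns 200 when all owners are in the header's list and 403 when
    any owner is not: the entire request fails, there is no partial success.
    Without the header nothing is enforced.
    """
    allowed = parse_tenant_header(header_value)
    if allowed is None:
        return 200
    for owner in resource_tenants:
        if str(owner).strip() not in allowed:
            return 403
    return 200


if __name__ == "__main__":
    # Constructed sample: a request scoped to tenants 1, 2 and 3.
    hdrs = build_headers("pvaultauth", ["1", "2", "3"])
    print(hdrs)
    # All touched resources belong to listed tenants -> 200
    print(enforce_tenant_isolation(hdrs["X-Tenant-Id"], ["1", "3"]))
    # One resource belongs to tenant 4 -> whole request rejected with 403
    print(enforce_tenant_isolation(hdrs["X-Tenant-Id"], ["1", "4"]))
```

Note that enforce_tenant_isolation rejects on the first out-of-scope owner regardless of how many in-scope resources precede it, which is the "entire request fails" behaviour the page specifies; a client that wants partial results must instead split the call per tenant.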

Object-level access

When using JWT authentication, Vault supports object-level access control using special claims included in the JWT token. See Namespace claims for JWT tokens for more information.

Note: Object-level access control for the tenant takes precedence over the tenant enforcement header if both are present.