Skip to main content

CLI reference

Global flags

FlagDescriptionDefaultEnvironment variable
--addr[Global] The URL of the Piiano Vault implementation.http://localhost:8123$PVAULT_ADDR
--json
-j
[Global] Where JSON is used in the command, return the output in JSON format.(Optional)
--compact
--co
[Global] When used with the --json flag, the JSON output is compact.(Optional)
--insecure
-k
[Global] Skip TLS certificate verification.(Optional)
--reason[Global] The REASON for accessing Piiano Vault, using one of these codes: AppFunctionality, Analytics, Notifications, ThirdPartyMarketing, Marketing, FraudPreventionSecurityAndCompliance, AccountManagement, DataSubjectRequest, and Maintenance.Maintenance$PVAULT_ACCESS_REASON
--authtoken[Global] The authorization TOKEN that is passed in the header of each request.pvaultauth$PVAULT_AUTH_TOKEN
--log-level[Global] The LOG_LEVEL of the log recorded by this transaction. The allowed values are debug, info, warn, and error.info$PVAULT_LOG_LEVEL
--verbose
-v
[Global] Print debug information.(Optional)
--no-color[Global] Disable colored output.(Optional)$NO_COLOR

Collection

List collections

Lists all collections.

The default table output lists the collection names and their corresponding types, creation time, and last modification time. To obtain details of the collection and its properties, use the JSON or PVSchema flags.

pvault collection list [ --show-builtins ] [ --pvschema ]
FlagDescriptionDefaultEnvironment variable
--show-builtinsShow the built-in properties in the response.(Optional)
--pvschemaReturn the collections list in the PVSchema format.(Optional)

Get collection

Gets a collection and its properties.

The default response to this command is a PVSchema for the collection.

pvault collection get [ --pvschema ] [ --show-builtins ] { --name | --collection | -c | -n=NAME }
FlagDescriptionDefaultEnvironment variable
--pvschemaReturn the collection details in PVSchema format.(Optional)
--show-builtinsShow the built-in properties in the response.(Optional)
--name
--collection
-c
-n
The collection NAME.Required

Add collection

Adds a collection.

The collection can be defined using a specification in JSON or PVSchema format. A template can also be used, with or without test data.

pvault collection add [ --collection-json=value ] [ --collection-pvschema=value ] [ --pvschema ] [ --show-builtins ] [ --collection-template=value ] [ --add-test-data ] [ --name | --collection | -n | -c=NAME ]
FlagDescriptionDefaultEnvironment variable
--collection-jsonThe collection details to add in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
--collection-pvschemaThe collection details to add in PVSchema format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
--pvschemaReturn the collection in PVSchema format.(Optional)
--show-builtinsShow the built-in properties in the response.(Optional)
--collection-templateThe collection template to use. This template provides example properties and can be combined with --add-test-data to add example data to the collection. Supported values are: persons and credit_cards.(Optional)
--add-test-dataAdd example data to the collection. Can only be used with --collection-template.(Optional)
--name
--collection
-n
-c
The collection NAME.(Optional)

Update collection

Updates properties of a collection.

The update includes:

  • Adding any properties in the request that are not in the collection.

  • Amending the description, is_index, and is_nullable attributes, where they have changed, for any properties in the request that are in the collection. is_nullable can only be changed from false to true. All other attributes of existing properties are ignored. This command may take a long time to complete.

This command may take a long time to complete.

The default response to this command is a PVSchema for the properties added.

pvault collection update [ --collection-json=value ] [ --collection-pvschema=value ] [ --pvschema ] [ --show-builtins ] { --name | --collection | -c | -n=NAME }
FlagDescriptionDefaultEnvironment variable
--collection-jsonThe collection details to update in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
--collection-pvschemaThe collection details to update in PVSchema format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
--pvschemaReturn the collection in PVSchema format.(Optional)
--show-builtinsShow the built-in properties in the response.(Optional)
--name
--collection
-c
-n
The collection NAME.Required

Apply collection

Updates properties of a collection or creates a new collection if the collection is not found.

The update includes:

  • Adding any properties in the request that are not in the collection.

  • Amending the description, is_index, and is_nullable attributes, where they have changed, for any properties in the request that are in the collection. is_nullable can only be changed from false to true. All other attributes of existing properties are ignored. This command may take a long time to complete.

This command may take a long time to complete.

The default response to this command is a PVSchema for the collections and properties added.

pvault collection apply [ --collection-json=value ] [ --collection-pvschema=value ] [ --pvschema ] [ --show-builtins ] { --name | --collection | -c | -n=NAME }
FlagDescriptionDefaultEnvironment variable
--collection-jsonThe collection details to apply in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
--collection-pvschemaThe collection details to apply in PVSchema format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
--pvschemaReturn the collection in PVSchema format.(Optional)
--show-builtinsShow the built-in properties in the response.(Optional)
--name
--collection
-c
-n
The collection NAME.Required

Delete collection

Deletes a collection.

pvault collection delete [ --force | -f ] { --name | --collection | -c | -n=NAME }
FlagDescriptionDefaultEnvironment variable
--force
-f
Ignore interactive protection.(Optional)
--name
--collection
-c
-n
The collection NAME.Required

Collection // Property

List collection properties

Lists all the properties of a collection.

pvault collection property list [ --show-builtins ] { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--show-builtinsShow the built-in properties in the response.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Get collection property

Gets a property of a collection.

pvault collection property get { --name | -n=value } { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--name
-n
The property name.Required
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Add collection property

Adds a property to a collection.

pvault collection property add [ --prop | -p=value ] [ --name | -n=value ] [ --description=value ] [ --pii-type-name=value ] [ --is-unique ] [ --is-index ] [ --is-not-encrypted ] [ --is-nullable ] { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--prop
-p
The property to add in JSON format. Must be provided if --name isn't provided. See the Add collection property REST API for the specification of the JSON format. To use a file path prefix with '@' or to use stdin use '-'.(Optional)
--name
-n
The property name. Must be unique. Must be provided if --prop isn't provided.(Optional)
--descriptionThe property description.(Optional)
--pii-type-nameThe property data type name. Must be provided if --name is provided.(Optional)
--is-uniqueThe property value is unique on each object.(Optional)
--is-indexThe property is be indexed.(Optional)
--is-not-encryptedThe property is not encrypted.(Optional)
--is-nullableThe property is nullable. When the collection contains objects, only nullable properties can be added to the collection.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Update collection property

Update a property of a collection. This command may take a long time to complete.

pvault collection property update [ --prop | -p=value ] [ --name | -n=value ] [ --description=value ] [ --is-index ] [ --is-nullable ] [ --is-unique ] { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--prop
-p
The property to update in JSON format. Must be provided if --name isn't provided. See the REST API Update collection property operation for the specification of the JSON format. To use a file path prefix with '@' or to use stdin use '-'.(Optional)
--name
-n
The property name. Must be unique. Must be provided if --prop isn't provided.(Optional)
--descriptionThe property description.(Optional)
--is-indexThe property is indexed.(Optional)
--is-nullableThe property can have no value.(Optional)
--is-uniqueThe property value is unique across objects.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Delete collection property

Deletes a property from a collection.

Any values stored against the property in objects are also deleted. This operation is irreversible.

pvault collection property delete { --name | -n=value } { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--name
-n
The property name.Required
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Bundle

List bundles

Lists the names of all bundles.

pvault bundle list

Get bundle

Gets a bundle and its code.

pvault bundle get { --name | -n=value } [ --dump-code ]
FlagDescriptionDefaultEnvironment variable
--name
-n
The name of the bundle.Required
--dump-codeDump the bundle code to stdout.(Optional)

Add bundle

Adds a bundle

pvault bundle add { --name | -n=value } [ --description=value ] [ --bundle-code=value ] [ --bundle-template=value ]
FlagDescriptionDefaultEnvironment variable
--name
-n
The name of the bundle.Required
--descriptionThe bundle description(Optional)
--bundle-codeThe JavaScript code. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
--bundle-templateThe bundle template to use. A template provides an example bundle. Supported values are: sample.(Optional)

Update bundle

Updates a bundle

pvault bundle update { --name | -n=value } [ --description=value ] [ --bundle-code=value ]
FlagDescriptionDefaultEnvironment variable
--name
-n
The name of the bundle.Required
--descriptionThe new bundle description(Optional)
--bundle-codeThe new JavaScript code. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)

Delete bundle

Deletes a bundle. By default, a bundle is not deleted if a data type references it. To delete a referenced bundle, set the --force flag.

pvault bundle delete { --name | -n=value } [ --force ]
FlagDescriptionDefaultEnvironment variable
--name
-n
The name of the bundle.Required
--forceDelete the bundle even if it is referenced by a data type that is in use. A data type that is in use is one that is used by a property in a collection.(Optional)

Datatype

List data types

Lists all data types.

pvault datatype list [ --show-builtins ] [ --bundle=value ]
FlagDescriptionDefaultEnvironment variable
--show-builtinsShow built-in types.(Optional)
--bundleIf provided, return only types that depend on the bundle with the specified name.(Optional)

Get data type

Gets a data type.

pvault datatype get { --name | -n=value }
FlagDescriptionDefaultEnvironment variable
--name
-n
The name of the data type.Required

Add data type

Adds a data type.

pvault datatype add --datatype-json=value
FlagDescriptionDefaultEnvironment variable
--datatype-jsonThe data type details in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.Required

Update data type

Updates a data type.

pvault datatype update { --name | -n=value } --datatype-update-json=value
FlagDescriptionDefaultEnvironment variable
--name
-n
The name of the data type.Required
--datatype-update-jsonThe data type update details in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.Required

Delete data type

Deletes a data type. Referenced bundles are not deleted by this command, use Delete bundle to remove any redundant bundles.

pvault datatype delete { --name | -n=value }
FlagDescriptionDefaultEnvironment variable
--name
-n
The name of the data type.Required

Object

Add object

Adds an object to a collection. To set the object's ID to match that of an item in an external system, include id in the fields flag. The ID must be in UUID format.

pvault object add --fields=value [ --expiration-secs=value ] [ --no-expiration ] [ --import ] [ --export-key=import ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--fieldsThe object details in JSON format. To use a file path prefix with '@' or to use stdin use '-'.Required
--expiration-secsThe expiration time in seconds for the object. If not set, the default is used.(Optional)
--no-expirationThe object doesn't expire.(Optional)
--importWhether to import the object. import is a process where a read only properties like creation_time and modification_time could be provided. when 'export_key' parameter is provided in the request the property values are expected to be encrypted from an export hence will be decrypted.(Optional)
--export-keyThe key to decrypt property values. Can be provided only when import is true.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Update an object

Updates an object of a collection.

pvault object update { --id | -i=value } --fields=value [ --expiration-secs=value ] [ --no-expiration ] [ --archived ] [ --import ] [ --export-key=import ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--id
-i
The ID of the object to update.Required
--fieldsThe object details in JSON format. To use a file path prefix with '@' or to use stdin use '-'.Required
--expiration-secsExpiration time in seconds for the object. If not set, the expiration time in seconds is not changed.(Optional)
--no-expirationThe object doesn't expire.(Optional)
--archivedReturn only archived objects.(Optional)
--importWhether to import the object. import is a process where a read only properties like creation_time and modification_time could be provided. when 'export_key' parameter is provided in the request the property values are expected to be encrypted from an export hence will be decrypted.(Optional)
--export-keyThe key to decrypt property values. Can be provided only when import is true.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Get objects

Gets details of objects in a collection.

pvault object get { --id | -i=value } [ --props | -p=value ] [ --all-unsafe | -a ] [ --show-builtins ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--id
-i
A comma-delimited list of objects IDs. Accepts multiple inputs.Required
--props
-p
Comma-delimited list of property names and transformations to return. Accepts multiple inputs.(Optional)
--all-unsafe
-a
Return all properties of the object.(Optional)
--show-builtinsShow the built-in properties in the response.(Optional)
--archivedReturn only archived objects.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Search objects

Returns a paginated list of objects in a collection by query.

pvault object query [ --in=value ] [ --match=value ] [ --query-json=value ] [ --props | -p=value ] [ --all-unsafe | -a ] [ --cursor=value ] [ --page-size=0 ] [ --show-builtins ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--inEqual sign delimiter for property name and array of possible values in the form of property=value1, value2. Accepts multiple inputs.(Optional)
--matchEqual sign delimiter for property name and searched value in the form of property=value. Accepts multiple inputs.(Optional)
--query-jsonThe query in JSON format. To use a file path prefix with '@' or to use stdin use '-'.(Optional)
--props
-p
Comma-delimited list of property names and transformations to return. Accepts multiple inputs.(Optional)
--all-unsafe
-a
Return all properties for the object.(Optional)
--cursorThe cursor returned by the previous call or an empty string for the first call.(Optional)
--page-sizeThe maximum number of items to be returned in the call.0
--show-builtinsShow the built-in properties in the response.(Optional)
--archivedReturn only archived objects.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

List all objects

Returns a paginated list of all objects from a collection with all or a subset of object property values.

pvault object list [ --props | -p=value ] [ --all-unsafe | -a ] [ --cursor=value ] [ --page-size=0 ] [ --show-builtins ] [ --archived ] [ --export ] [ --reload-cache ] { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--props
-p
Comma-delimited list of property names and transformations to return. Accepts multiple inputs.(Optional)
--all-unsafe
-a
Return all properties for the object.(Optional)
--cursorReference to the next page for a subsequent call with the same request parameters. An empty string for the first call.(Optional)
--page-sizeThe maximum number of items to return in the call.0
--show-builtinsShow the built-in properties in the response.(Optional)
--archivedReturn only archived objects.(Optional)
--exportEncrypt the property values for export.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Counts objects in a collection

Returns a count of active, archived, and all objects in a collection.

pvault object count { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Delete an object

Deletes object from a collection.

pvault object delete { --id | -i=value } [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--id
-i
The ID of the object to delete. Accepts multiple inputs.Required
--archivedDelete archived objects or active objects.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Archive an object

Archives an object by forcing it to expire immediately.

pvault object archive { --id | -i=value } [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--id
-i
The ID of the object to archive.Required
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Restore an archived object

Restores an object by changing changing its expiration to a time in the future.

pvault object restore { --id | -i=value } [ --expiration-secs=value ] [ --no-expiration ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--id
-i
The ID of the object to restore.Required
--expiration-secsThe expiration time in seconds for the object. If not set, the default is used.(Optional)
--no-expirationThe object doesn't expire.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Get a blob

Gets the value of a BLOB property of an object and save it to a file.

pvault object get-blob { --id | -i=value } { --prop | -p=value } --blob-file=value [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--id
-i
The ID of the object to get.Required
--prop
-p
The property name of the blob.Required
--blob-fileThe path to save the blob.Required
--archivedReturn only archived objects.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

update a blob

update the value of a BLOB property of an object from a file.

pvault object update-blob { --id | -i=value } { --prop | -p=value } --blob-file=value [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--id
-i
The ID of the object to update.Required
--prop
-p
The property name of the blob.Required
--blob-fileThe path to of the blob to update.Required
--archivedReturn only archived objects.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Token

Tokenize

Creates tokens that reference the values of objects' properties. The returned list of token IDs is in the same order as the object IDs in the request. If any of the object IDs are invalid or not found, no tokens are produced.

pvault token create [ --object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --props | -p=value ] --type=value [ --store-object ] [ --expiration-secs=value ] [ --no-expiration ] [ --token-id=value ] [ --scope=default ] [ --tag=value ] [ --ensure-unique-tenant-tags=value ] [ --fptemplate=value ] [ --fpprops=value ] [ --transaction-id=value ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--object-idComma-separated list of object IDs. Cannot be used with --object-fields or --ciphertext. Accepts multiple inputs.(Optional)
--object-fieldsObject fields on JSON format. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with --object-id or --ciphertext.(Optional)
--ciphertextThe ciphertext of the encrypted object. Cannot be used with --object-id or --object-fields.(Optional)
--encryption-scopeThe scope used to encrypt the object.default
--props
-p
Comma-separated list of property names. If not specified, all of the non-builtin properties are used. Accepts multiple inputs.(Optional)
--typeThe type of the tokens. Options: pci, pci_oneway, pointer, randomized or deterministic.Required
--store-objectWhen object-fields flag is included, store the property values as an object in the collection. The token is owned by the new object. Default is false.(Optional)
--expiration-secsThe expiration time in seconds for the tokens. If not set, the default is used.(Optional)
--no-expirationThe tokens don't expire.(Optional)
--token-idUser provided ID to set for the token. If not set, a new token ID is generated.(Optional)
--scopeA classification for the tokens.default
--tagComma-separated list of tags to attach to the tokens. Accepts multiple inputs.(Optional)
--ensure-unique-tenant-tagsComma-separated list of tags to validate as unique in tenant scope. Must be subset of 'tags'. Accepts multiple inputs.(Optional)
--fptemplateFormat preserve template to use to generate the token IDs.(Optional)
--fppropsProperty names to be used by the format preserve template to generate the token IDs. Accepts multiple inputs.(Optional)
--transaction-idAn ID to attach to the tokens.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Detokenize

Returns the object property values for tokens. The detokenized tokens are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token detokenize [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --archived ] [ --include-metadata ] [ --props | -p=value ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--token-id
-t
Comma-separated list of token IDs. Accepts multiple inputs.(Optional)
--object-idComma-separated list of object IDs that own the tokens. Accepts multiple inputs.(Optional)
--tagComma-separated list of tags. Accepts multiple inputs.(Optional)
--archivedDetokenize archived tokens. If not set, detokenizes active tokens.(Optional)
--include-metadataInclude the metadata of the token.(Optional)
--props
-p
Comma-separated list of property names. If not specified, return all properties. Accepts multiple inputs.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Search tokens

Gets tokens with their metadata. The listed tokens are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token info [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--token-id
-t
Comma-separated list of token IDs. Accepts multiple inputs.(Optional)
--object-idComma-separated list of object IDs that own the tokens. Accepts multiple inputs.(Optional)
--tagComma-separated list of tags. Accepts multiple inputs.(Optional)
--archivedReturn archived tokens. If not set, returns active tokens.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Update tokens

Updates tags, expiration token metadata, or the token data itself. The tokens updated are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token update [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --input-object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --new-tags=value ] [ --ensure-unique-tenant-tags=value ] [ --expiration-secs=value ] [ --no-expiration ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--token-id
-t
Comma-separated list of token IDs. Accepts multiple inputs.(Optional)
--object-idComma-separated list of object IDs that own the tokens. Accepts multiple inputs.(Optional)
--tagComma-separated list of tags. Accepts multiple inputs.(Optional)
--input-object-idInput ID. Cannot be used with --object-fields or --ciphertext. Accepts multiple inputs.(Optional)
--object-fieldsObject fields on JSON format. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with --input-object-id or --ciphertext.(Optional)
--ciphertextThe ciphertext of the encrypted object. Cannot be used with --input-object-id or --object-fields.(Optional)
--encryption-scopeThe scope used to encrypt the object.default
--new-tagsComma-separated list of tags. Accepts multiple inputs.(Optional)
--ensure-unique-tenant-tagsComma-separated list of tags to validate as unique in tenant scope. Must be subset of 'tags'. Accepts multiple inputs.(Optional)
--expiration-secsThe expiration time in seconds for the tokens. If not set, the expiry dates of the tokens are not changed.(Optional)
--no-expirationThe tokens don't expire.(Optional)
--archivedUpdate archived tokens. If not set, updates active tokens.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Rotate tokens

Generates new token IDs for tokens. The tokens rotated are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token rotate { --token-id | -t=value } [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--token-id
-t
Comma-separated list of token IDs. Accepts multiple inputs.Required
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Delete tokens

Deletes tokens. The tokens deleted are those that match all the criteria in --token-id or -t, --object-id, --tag, and tenant-id. --tenant-id is matched against the tenant ID of the object owning the token.

pvault token delete [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--token-id
-t
Comma-separated list of token IDs. Accepts multiple inputs.(Optional)
--object-idComma-separated list of object IDs that own the tokens. Accepts multiple inputs.(Optional)
--tagComma-separated list of tags. Accepts multiple inputs.(Optional)
--archivedDelete archived tokens. If not set, deletes active tokens.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Archive tokens

Archives tokens. The tokens archived are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token archive [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--token-id
-t
Comma-separated list of token IDs. Accepts multiple inputs.(Optional)
--object-idComma-separated list of object IDs that own the tokens. Accepts multiple inputs.(Optional)
--tagComma-separated list of tags. Accepts multiple inputs.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Restore tokens

Restores tokens. The tokens restored are those that match the --token-id or -t options.

pvault token restore [ --token-id | -t=value ] [ --expiration-secs=value ] [ --no-expiration ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--token-id
-t
Comma-separated list of token IDs. Accepts multiple inputs.(Optional)
--expiration-secsThe new expiration time in seconds for the token(s).(Optional)
--no-expirationThe token doesn't expire.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Get by transaction ID

Gets the token IDs for a transaction ID, an arbitrary identifier provided during tokenization.

pvault token get-by-transaction-id { --id | -i=TRANSACTION ID } { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]
FlagDescriptionDefaultEnvironment variable
--id
-i
The TRANSACTION ID to return token IDs for.Required
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION
--tenant-idEnforce the TENANT_ID for the request. Accepts multiple inputs.(Optional)$PVAULT_TENANT_ID

Counts the tokens in a collection

Returns a count of active, archived, and all tokens in a collection.

pvault token count { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Crypto

Encrypt fields from objects or input fields

Encrypt fields from objects or input fields.

pvault crypto encrypt [ --object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --type=value ] [ --scope=default ] [ --props | -p=value ] [ --expiration-secs=value ] [ --no-expiration ] [ --tag=value ] [ --reload-cache ] { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--object-idComma-separated list of object IDs. Cannot be used with --object-fields or --ciphertext. Accepts multiple inputs.(Optional)
--object-fieldsObject fields on JSON format. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with --object-id or --ciphertext.(Optional)
--ciphertextThe ciphertext of the encrypted object. Cannot be used with --object-id or --object-fields.(Optional)
--encryption-scopeThe scope used to encrypt the object.default
--typeThe type of the encryption. Options: randomized or deterministic.(Optional)
--scopeA classification for the encryption.default
--props
-p
Comma-separated list of property names. If not specified, all of the non-builtin properties are used. Accepts multiple inputs.(Optional)
--expiration-secsThe expiration time in seconds for the encrypted objects. If not set, the default is used.(Optional)
--no-expirationThe encrypted objects don't expire.(Optional)
--tagComma-separated list of tags to attach to the encrypted object metadata. Accepts multiple inputs.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Decrypt fields blob

Returns the object property values for encrypted objects.

pvault crypto decrypt --ciphertext=value [ --encryption-scope=default ] [ --archived ] [ --include-metadata ] [ --props | -p=value ] [ --reload-cache ] { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--ciphertextThe ciphertext of encrypted object to decrypt.Required
--encryption-scopeThe scope used to encrypt the object.default
--archivedDecrypt only archived encrypted objects. If not set, decrypt active encrypted objects.(Optional)
--include-metadataShow encrypted object metadata.(Optional)
--props
-p
Comma-separated list of property names. If not specified, return all properties. Accepts multiple inputs.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Update encrypted fields blob

Update encrypted fields blob.

pvault crypto update --ciphertext=value [ --encryption-scope=default ] --fields=value [ --type=value ] [ --props | -p=value ] [ --expiration-secs=value ] [ --no-expiration ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--ciphertextThe ciphertext of encrypted object to update.Required
--encryption-scopeThe scope used to encrypt the object.default
--fieldsFields details to update in JSON format. To use a file path prefix with '@' or to use stdin use '-'.Required
--typeThe type of the encryption. Options: randomized or deterministic.(Optional)
--props
-p
Comma-separated list of property names. If not specified, all of the non-builtin properties are used. Accepts multiple inputs.(Optional)
--expiration-secsThe expiration time in seconds for the encrypted object. If not set, the expiry date of the encrypted object is not changed.(Optional)
--no-expirationThe encrypted object don't expire.(Optional)
--archivedUpdate only archived encrypted objects If not set, update active encrypted objects.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Encrypt an input field for a property of type BLOB

ncrypt an input field for a property of type BLOB.

pvault crypto encrypt-blob --blob=value { --output | -o=value } { --prop | -p=value } [ --type=value ] [ --scope=default ] [ --expiration-secs=value ] [ --no-expiration ] [ --tag=value ] [ --reload-cache ] { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--blobRaw content to encrypt. To use a file path prefix with '@' or to use stdin use '-'.Required
--output
-o
File path to store the encrypted ciphertext. To use stdout use '-'.Required
--prop
-p
The property name of the encrypted object. Must be of type BLOB.Required
--typeThe type of the encryption. Options: randomized or deterministic.(Optional)
--scopeA classification for the encryption.default
--expiration-secsThe expiration time in seconds for the encrypted objects. If not set, the default is used.(Optional)
--no-expirationThe encrypted objects don't expire.(Optional)
--tagComma-separated list of tags to attach to the encrypted object metadata. Accepts multiple inputs.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Decrypt a ciphertext of a single blob

Returns the plaintext of a single an encrypted blob ciphertext, in raw format.

pvault crypto decrypt-blob --ciphertext=value { --output | -o=value } { --prop | -p=value } [ --archived ] [ --scope=default ] [ --reload-cache ] { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--ciphertextThe ciphertext of encrypted blob property to decrypt. To use a file path prefix with '@' or to use stdin use '-'.Required
--output
-o
File path to store the decrypted blob. To use stdout use '-'.Required
--prop
-p
The property name of the encrypted object. Must be of type BLOB.Required
--archivedDecrypt only archived encrypted objects. If not set, decrypt active encrypted objects.(Optional)
--scopeA classification for the encryption.default
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Hash object

Returns a deterministic hash based on the collection name, object ID, property values, and scope. This command is similar to using the "deterministic" token type in the "Tokenize" command. The hash value is identical to the token ID that is provided for the same combination of collection, object, property values, and scope. However, unlike the token, this hash is not stored in Vault's storage and, as such, cannot be detokenized, searched, or invalidated.

pvault crypto hash [ --object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --props | -p=value ] [ --scope=default ] [ --fptemplate=value ] [ --fpprops=value ] [ --reload-cache ] { --collection | -c=COLLECTION }
FlagDescriptionDefaultEnvironment variable
--object-idComma-separated list of object IDs. Cannot be used with --object-fields or --ciphertext. Accepts multiple inputs.(Optional)
--object-fieldsObject fields on JSON format. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with --object-id or --ciphertext.(Optional)
--ciphertextThe ciphertext of the encrypted object. Cannot be used with --object-id or --object-fields.(Optional)
--encryption-scopeThe scope used to encrypt the object.default
--props
-p
Comma-separated list of property names. Accepts multiple inputs.(Optional)
--scopeA classification for the token.default
--fptemplateFormat preserve template to use to generate the token IDs.(Optional)
--fppropsProperty names to be used by the format preserve template to generate the token IDs. Accepts multiple inputs.(Optional)
--reload-cacheForce a cache reload.(Optional)
--collection
-c
The COLLECTION name.Required$PVAULT_COLLECTION

Identity And Access Management

Get IAM configuration

Gets IAM configuration in TOML format.

pvault iam get

Set IAM configuration

Sets the IAM configuration.

pvault iam apply --conf=value
FlagDescriptionDefaultEnvironment variable
--confThe configuration to apply in TOML format. To use a file path prefix with '@' or to use stdin use '-'.Required

Regenerate user API key

Regenerates a user's API key. The user's current key is invalidated. The Admin user's API key cannot be regenerated and must be set using the PVAULT_SERVICE_ADMIN_API_KEY environment variable.

pvault iam regen-api-key { --name | -n=value }
FlagDescriptionDefaultEnvironment variable
--name
-n
Username of the user to regenerate the API key for.Required

Update user API key expiration

Updates a user's API key expiration.

pvault iam update-api-key-expiration { --name | -n=value } --expiration-days=value
FlagDescriptionDefaultEnvironment variable
--name
-n
Name of the user to update the API key expiration for.Required
--expiration-daysNew expiration in days (from now) for the API key.Required

Get the user's details

Get the user's details.

pvault iam get-user { --name | -n=value }
FlagDescriptionDefaultEnvironment variable
--name
-n
user name.Required

Get user capabilities and policies

Gets the capabilities and policies for a user.

pvault iam user-view { --name | -n=value }
FlagDescriptionDefaultEnvironment variable
--name
-n
user name.Required

Get resource access details

Gets details of the users and associated reasons that can access a resource for an operation.

pvault iam resource-view --resource=value --operation=value
FlagDescriptionDefaultEnvironment variable
--resourceresource.Required
--operationoperation.Required

Dynamic Configuration

Get configuration variable

Get the value of a dynamic configuration variable.

pvault confvar get { --name | -n=value }
FlagDescriptionDefaultEnvironment variable
--name
-n
Name of the configuration variable. Supported names: log_levelRequired

Set configuration variable

Set the value of a dynamic configuration variable. This command is unavailable in the hosted version of Vault.

pvault confvar set { --name | -n=value } --value=value
FlagDescriptionDefaultEnvironment variable
--name
-n
Name of the configuration variable. Supported names: log_levelRequired
--valueValue of the configuration variable. Supported values for log_level are: debug, info, warn, error.

Supported values for trace_sql are: true, false | Required | |

Clear configuration variable

Clear the value of a dynamic configuration variable. This command is unavailable in the hosted version of Vault.

pvault confvar clear { --name | -n=value }
FlagDescriptionDefaultEnvironment variable
--name
-n
Name of the configuration variable. Supported names: log_levelRequired

Clear all configuration variables

Clear the values of all dynamic configuration variables. This command is unavailable in the hosted version of Vault.

pvault confvar clear-all

Status

Get system status.

pvault status

System

Get cluster information on cache generations

pvault system cluster-info

Get vault info, including backing store

pvault system info

Admin

Set Admin API key

Set the api key for the Admin user of Vault.

pvault admin set-admin-api-key --key=KEY
FlagDescriptionDefaultEnvironment variable
--keyThe api KEY.Required

Rotate encryption keys

Key rotation not managed in the hosted version of Vault.

pvault admin rotate-keys

Get system configuration

pvault admin get-configuration

Get KMS status

pvault admin kms-status

Get license details

pvault admin get-license

Set license

In the hosted version of Vault, Piiano manages and sets the license key.

pvault admin set-license --key=value
FlagDescriptionDefaultEnvironment variable
--keyThe license key.Required

Delete objects and tokens

Deletes objects and tokens that have been in the archived state for longer than the retention period and token transaction IDs with no associated tokens. By default, this command deletes objects, tokens, and dangling token transaction IDs.

pvault admin gc [ --objects-only ] [ --tokens-only ] [ --transaction-ids-only ] [ --dry-run ] [ --force | -f ] [ --quiet ] [ --reload-cache ]
FlagDescriptionDefaultEnvironment variable
--objects-onlyDelete archived objects only.(Optional)
--tokens-onlyDelete archived tokens only.(Optional)
--transaction-ids-onlyDelete token transaction IDs with no associated tokens only.(Optional)
--dry-runReturn a count of items eligible for deletion, without deleting them.(Optional)
--force
-f
Ignore interactive protection.(Optional)
--quietSuppress the printing of output. Can only be included when the --force flag is set.(Optional)
--reload-cacheForce a cache reload.(Optional)

Version

Get the version of the Vault.

pvault version

Selftest

Run a performance suite

Run a performance benchmarking suite using a separate database collection. The given parameters control how the benchmarking suite is performed.

pvault selftest bench [ --par=1 ] [ --rate=0 ] [ --scale=1000 ] [ --duration=0 ] [ --middle-stage-duration=0 ] [ --read=0 ] [ --update=0 ] [ --token=0 ] [ --replace=0 ] [ --query=0 ] [ --sleep=0 ] [ --persisted=value ] [ --skip-recreate ] [ --html-output=value ] [ --term-output ] [ --columns=9 ]
FlagDescriptionDefaultEnvironment variable
--parGoroutine parallelism - how many requests to perform in parallel1
--rateOptimistic target RPS. 0 to set no limit and request as fast as possible.0
--scaleScale multiple - control the total amount of work and dataset size1000
--durationMinimum duration in minutes in which to repeated run the benchmark, 0 - for a single execution0
--middle-stage-durationNumber of seconds for the middle stage where random operations are done (0 = no middle stage)0
--readWeight reads in the middle stage0
--updateWeight updates in the middle stage0
--tokenWeight tokens in the middle stage0
--replaceWeight replace in the middle stage0
--queryWeight query in the middle stage0
--sleepDuration of seconds to sleep between executions0
--persistedProvide a shadow database to the bench. By providing this file, the final 'Delete' stage is replaced the save of the UUIDs of the created objects. If the file already exist, the initial 'Add' stage is replaced with the loading of the UUIDs from the file.(Optional)
--skip-recreateSkip recreation of the test collection and assume it already exists.(Optional)
--html-outputIssue an HTML report to this path(Optional)
--term-outputShow term graphics depicting operations(Optional)
--columnsControl the number of properties in the schema9

Quick validation for a working Vault

pvault selftest basic [ --fail-on-warnings | -w ] [ --collection | -c=COLLECTION ]
FlagDescriptionDefaultEnvironment variable
--fail-on-warnings
-w
Fail on check warnings(Optional)
--collection
-c
The COLLECTION name.(Optional)$PVAULT_COLLECTION

Completions

Generate auto-completion script for bash

Generates a bash completion script for pvault-cli commands and flags. The script is output on stdout, enabling you to redirect it to a file that can be sourced by your terminal session or by your bash profile. Works only with the CLI binary.

pvault completions bash

Generate auto-completion script for zsh

Generates a zsh completion script for pvault-cli commands and flags. The script is output on stdout, enabling you to redirect it to a file that can be sourced in your terminal session or by your zsh profile. Works only with the CLI binary.

pvault completions zsh

Export

Export Vault data

Exports Vault data for one or more collections to a zip file. By default, the export includes collection objects, collection schemas, the IAM configuration file, custom data type specifications, and custom data type bundles. You can include archived objects in the export. If you're using the hosted version of Vault and need to export data, contact Piiano.

pvault export [ --collections=value ] [ --include-archived ] [ --no-data ] [ --no-iam ] [ --no-collection-schemas ] [ --no-bundles ] [ --no-data-types ] [ --data-only ] [ --output-dir | -d=. ] [ --no-progress ]
FlagDescriptionDefaultEnvironment variable
--collectionsComma-separated list of the collections to export. If not specified, all collections are exported. Accepts multiple inputs.(Optional)
--include-archivedInclude archived objects in the export.(Optional)
--no-dataExclude collection objects from the export.(Optional)
--no-iamExclude IAM data from the export.(Optional)
--no-collection-schemasExclude collection schemas from the export.(Optional)
--no-bundlesExclude bundles from the export.(Optional)
--no-data-typesExclude data types from the export.(Optional)
--data-onlyExport collection objects only. This flag is a shortcut for --no-iam, --no-collection-schemas, --no-bundles, and --no-data-types.(Optional)
--output-dir
-d
The directory to write the exported zip file to. If not specified, defaults to the current directory..
--no-progressHide the progress display.(Optional)

Import

Imports Vault data

Imports Vault data from a zip file. If you're using the hosted version of Vault and need to import exported data, contact Piiano.

pvault import --zip-file=value [ --no-progress ] [ --no-data ] [ --data-only ] [ --override-duplicates ] [ --skip-duplicates ] [ --max-skip-duplicates=0 ]
FlagDescriptionDefaultEnvironment variable
--zip-fileThe zip file to import.Required
--no-progressHide the progress display.(Optional)
--no-dataExclude collection objects from the import.(Optional)
--data-onlyImport collection objects only.(Optional)
--override-duplicatesOverride duplicate objects.(Optional)
--skip-duplicatesSkip duplicate objects.(Optional)
--max-skip-duplicatesMaximum number of duplicate objects to skip.0

On this page