CLI reference

Global flags

Flag	Description	Default	Environment variable
`--addr`	[Global] The `URL` of the Piiano Vault implementation.	`http://localhost:8123`	`$PVAULT_ADDR`
`--json` `-j`	[Global] Where JSON is used in the command, return the output in JSON format.	(Optional)
`--compact` `--co`	[Global] When used with the `--json` flag, the JSON output is compact.	(Optional)
`--insecure` `-k`	[Global] Skip TLS certificate verification.	(Optional)
`--reason`	[Global] The `REASON` for accessing Piiano Vault, using one of these codes: `AppFunctionality`, `Analytics`, `Notifications`, `ThirdPartyMarketing`, `Marketing`, `FraudPreventionSecurityAndCompliance`, `AccountManagement`, `DataSubjectRequest`, and `Maintenance`.	`Maintenance`	`$PVAULT_ACCESS_REASON`
`--authtoken`	[Global] The authorization `TOKEN` that is passed in the header of each request.	`pvaultauth`	`$PVAULT_AUTH_TOKEN`
`--delegation`	[Global] The `DELEGATION` passed in the X-Pvault-Delegation header of each request.	(Optional)	`$PVAULT_DELEGATION`
`--request-id`	[Global] The request `ID` passed in the X-Pvault-Request-Id header of each request. If not set, a random UUID is generated.	(Optional)	`$PVAULT_REQUEST_ID`
`--custom-audit`	[Global] A custom `AUDIT` message to be logged in the audit log.	(Optional)
`--log-level`	[Global] The `LOG_LEVEL` of the log recorded by this transaction. The allowed values are `debug`, `info`, `warn`, and `error`.	`info`	`$PVAULT_LOG_LEVEL`
`--verbose` `-v`	[Global] Print debug information.	(Optional)
`--no-color`	[Global] Disable colored output.	(Optional)	`$NO_COLOR`

Collection

List collections

Lists all collections.

The default table output lists the collection names and their corresponding types, creation time, and last modification time. To obtain details of the collection and its properties, use the JSON or PVSchema flags.

pvault collection list [ --show-builtins ] [ --pvschema ]

Flag	Description	Default	Environment variable
`--show-builtins`	Show the built-in properties in the response.	(Optional)
`--pvschema`	Return the collections list in the PVSchema format.	(Optional)

Get collection

Gets a collection and its properties.

The default response to this command is a PVSchema for the collection.

pvault collection get [ --pvschema ] [ --show-builtins ] { --name | --collection | -n | -c=NAME }

Flag	Description	Default
`--pvschema`	Return the collection details in PVSchema format.	(Optional)
`--show-builtins`	Show the built-in properties in the response.	(Optional)
`--name` `--collection` `-n` `-c`	The collection `NAME`.	Required

Add collection

Adds a collection.

The collection can be defined using a specification in JSON or PVSchema format. A template can also be used, with or without test data.

pvault collection add [ --collection-json=value ] [ --collection-pvschema=value ] [ --pvschema ] [ --show-builtins ] [ --wait-for-sync ] [ --collection-template=value ] [ --add-test-data ] [ --name | --collection | -n | -c=NAME ]

Flag	Description	Default
`--collection-json`	The collection details to add in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.	(Optional)
`--collection-pvschema`	The collection details to add in PVSchema format. To read from a file path prefix with '@' or to use stdin use '-'.	(Optional)
`--pvschema`	Return the collection in PVSchema format.	(Optional)
`--show-builtins`	Show the built-in properties in the response.	(Optional)
`--wait-for-sync`	Wait for the cluster workers to be in sync.	(Optional)
`--collection-template`	The collection template to use. This template provides example properties and can be combined with `--add-test-data` to add example data to the collection. Supported values are: `persons` and `credit_cards`.	(Optional)
`--add-test-data`	Add example data to the collection. Can only be used with `--collection-template`.	(Optional)
`--name` `--collection` `-n` `-c`	The collection `NAME`.	(Optional)

Update collection

Updates properties of a collection.

The update includes:

Adding any properties in the request that are not in the collection.
Amending the description, is_index, and is_nullable attributes, where they have changed, for any properties in the request that are in the collection. is_nullable can only be changed from false to true. All other attributes of existing properties are ignored. This command may take a long time to complete.

This command may take a long time to complete.

The default response to this command is a PVSchema for the properties added.

pvault collection update [ --collection-json=value ] [ --collection-pvschema=value ] [ --pvschema ] [ --show-builtins ] [ --wait-for-sync ] { --name | --collection | -n | -c=NAME }

Flag	Description	Default
`--collection-json`	The collection details to update in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.	(Optional)
`--collection-pvschema`	The collection details to update in PVSchema format. To read from a file path prefix with '@' or to use stdin use '-'.	(Optional)
`--pvschema`	Return the collection in PVSchema format.	(Optional)
`--show-builtins`	Show the built-in properties in the response.	(Optional)
`--wait-for-sync`	Wait for the cluster workers to be in sync.	(Optional)
`--name` `--collection` `-n` `-c`	The collection `NAME`.	Required

Apply collection

Updates properties of a collection or creates a new collection if the collection is not found.

The update includes:

Adding any properties in the request that are not in the collection.
Amending the description, is_index, and is_nullable attributes, where they have changed, for any properties in the request that are in the collection. is_nullable can only be changed from false to true. All other attributes of existing properties are ignored. This command may take a long time to complete.

This command may take a long time to complete.

The default response to this command is a PVSchema for the collections and properties added.

pvault collection apply [ --collection-json=value ] [ --collection-pvschema=value ] [ --pvschema ] [ --show-builtins ] [ --wait-for-sync ] { --name | --collection | -n | -c=NAME }

Flag	Description	Default
`--collection-json`	The collection details to apply in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.	(Optional)
`--collection-pvschema`	The collection details to apply in PVSchema format. To read from a file path prefix with '@' or to use stdin use '-'.	(Optional)
`--pvschema`	Return the collection in PVSchema format.	(Optional)
`--show-builtins`	Show the built-in properties in the response.	(Optional)
`--wait-for-sync`	Wait for the cluster workers to be in sync.	(Optional)
`--name` `--collection` `-n` `-c`	The collection `NAME`.	Required

Delete collection

Deletes a collection.

pvault collection delete [ --force | -f ] { --name | --collection | -n | -c=NAME }

Flag	Description	Default	Environment variable
`--force` `-f`	Ignore interactive protection.	(Optional)
`--name` `--collection` `-n` `-c`	The collection `NAME`.	Required

Collection // Property

List collection properties

Lists all the properties of a collection.

pvault collection property list [ --show-builtins ] { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--show-builtins`	Show the built-in properties in the response.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Get collection property

Gets a property of a collection.

pvault collection property get { --name | -n=value } { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--name` `-n`	The property name.	Required
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Add collection property

Adds a property to a collection.

pvault collection property add [ --prop | -p=value ] [ --name | -n=value ] [ --description=value ] [ --pii-type-name=value ] [ --is-unique ] [ --is-index ] [ --is-not-encrypted ] [ --is-nullable ] [ --is-substring-index ] [ --wait-for-sync ] { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--prop` `-p`	The property to add in JSON format. Must be provided if `--name` isn't provided. See the Add collection property REST API for the specification of the JSON format. To use a file path prefix with '@' or to use stdin use '-'.	(Optional)
`--name` `-n`	The property name. Must be unique. Must be provided if `--prop` isn't provided.	(Optional)
`--description`	The property description.	(Optional)
`--pii-type-name`	The property data type name. Must be provided if `--name` is provided.	(Optional)
`--is-unique`	The property value is unique on each object.	(Optional)
`--is-index`	The property is be indexed.	(Optional)
`--is-not-encrypted`	The property is not encrypted.	(Optional)
`--is-nullable`	The property is nullable. When the collection contains objects, only nullable properties can be added to the collection.	(Optional)
`--is-substring-index`	The property is substring indexed.	(Optional)
`--wait-for-sync`	Wait for the cluster workers to be in sync.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Update collection property

Update a property of a collection. This command may take a long time to complete.

pvault collection property update [ --prop | -p=value ] [ --name | -n=value ] [ --description=value ] [ --is-index ] [ --is-substring-index ] [ --is-nullable ] [ --is-unique ] { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--prop` `-p`	The property to update in JSON format. Must be provided if `--name` isn't provided. See the REST API Update collection property operation for the specification of the JSON format. To use a file path prefix with '@' or to use stdin use '-'.	(Optional)
`--name` `-n`	The property name. Must be unique. Must be provided if `--prop` isn't provided.	(Optional)
`--description`	The property description.	(Optional)
`--is-index`	The property is indexed.	(Optional)
`--is-substring-index`	The property is substring indexed.	(Optional)
`--is-nullable`	The property can have no value.	(Optional)
`--is-unique`	The property value is unique across objects.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Delete collection property

Deletes a property from a collection.

Any values stored against the property in objects are also deleted. This operation is irreversible.

pvault collection property delete { --name | -n=value } { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--name` `-n`	The property name.	Required
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Action

List actions

Lists all actions.

pvault action list

Get action

Gets an action.

pvault action get { --name | -n=value }

Flag	Description	Default	Environment variable
`--name` `-n`	The name of the action.	Required

Add action

Adds a action

pvault action add { --name | -n=value } [ --description=value ] --function=value --role=value [ --wait-for-sync ]

Flag	Description	Default
`--name` `-n`	The name of the action.	Required
`--description`	The action description	(Optional)
`--function`	The function name of the action in the format of `bundle_name.function_name`.	Required
`--role`	The IAM role to assign to the action.	Required
`--wait-for-sync`	Wait for the cluster workers to be in sync.	(Optional)

Delete action

Deletes an action.

pvault action delete { --name | -n=value }

Flag	Description	Default	Environment variable
`--name` `-n`	The name of the action.	Required

Bundle

List bundles

Lists the names of all bundles.

pvault bundle list

Get bundle

Gets a bundle and its code.

pvault bundle get { --name | -n=value } [ --dump-code ]

Flag	Description	Default	Environment variable
`--name` `-n`	The name of the bundle.	Required
`--dump-code`	Dump the bundle code to stdout.	(Optional)

Add bundle

Adds a bundle

pvault bundle add { --name | -n=value } [ --description=value ] [ --bundle-code=value ] [ --bundle-template=value ] [ --wait-for-sync ]

Flag	Description	Default
`--name` `-n`	The name of the bundle.	Required
`--description`	The bundle description	(Optional)
`--bundle-code`	The JavaScript code. To read from a file path prefix with '@' or to use stdin use '-'.	(Optional)
`--bundle-template`	The bundle template to use. A template provides an example bundle. Supported values are: `sample`.	(Optional)
`--wait-for-sync`	Wait for the cluster workers to be in sync.	(Optional)

Update bundle

Updates a bundle

pvault bundle update { --name | -n=value } [ --description=value ] [ --bundle-code=value ]

Flag	Description	Default
`--name` `-n`	The name of the bundle.	Required
`--description`	The new bundle description	(Optional)
`--bundle-code`	The new JavaScript code. To read from a file path prefix with '@' or to use stdin use '-'.	(Optional)

Delete bundle

Deletes a bundle. By default, a bundle is not deleted if a data type references it. To delete a referenced bundle, set the --force flag.

pvault bundle delete { --name | -n=value } [ --force ]

Flag	Description	Default	Environment variable
`--name` `-n`	The name of the bundle.	Required
`--force`	Delete the bundle even if it is referenced by a data type that is in use. A data type that is in use is one that is used by a property in a collection.	(Optional)

Datatype

List data types

Lists all data types.

pvault datatype list [ --show-builtins ] [ --bundle=value ]

Flag	Description	Default	Environment variable
`--show-builtins`	Show built-in types.	(Optional)
`--bundle`	If provided, return only types that depend on the bundle with the specified name.	(Optional)

Get data type

Gets a data type.

pvault datatype get { --name | -n=value }

Flag	Description	Default	Environment variable
`--name` `-n`	The name of the data type.	Required

Add data type

Adds a data type.

pvault datatype add --datatype-json=value [ --wait-for-sync ]

Flag	Description	Default	Environment variable
`--datatype-json`	The data type details in JSON format. See the Add data type REST API operation for details of the structure and content of the JSON specification. To read from a file path prefix with '@' or to use stdin use '-'.	Required
`--wait-for-sync`	Wait for the cluster workers to be in sync.	(Optional)

Update data type

Updates a data type.

pvault datatype update { --name | -n=value } --datatype-json=value [ --wait-for-sync ]

Flag	Description	Default
`--name` `-n`	The name of the data type.	Required
`--datatype-json`	The data type details in JSON format. See the update data type REST API operation for details of the structure and content of the JSON specification. To read from a file path prefix with '@' or to use stdin use '-'.	Required
`--wait-for-sync`	Wait for the cluster workers to be in sync.	(Optional)

Delete data type

Deletes a data type. Referenced bundles are not deleted by this command, use Delete bundle to remove any redundant bundles.

pvault datatype delete { --name | -n=value }

Flag	Description	Default	Environment variable
`--name` `-n`	The name of the data type.	Required

Object

Add object

Adds an object to a collection. To set the object's ID to match that of an item in an external system, include id in the fields flag. The ID must be in UUID format.

pvault object add --fields=value [ --expiration-secs=value ] [ --no-expiration ] [ --import ] [ --export-key=import ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--fields`	The object details in JSON format. To use a file path prefix with '@' or to use stdin use '-'.	Required
`--expiration-secs`	The expiration time in seconds for the object. If not set, the default is used.	(Optional)
`--no-expiration`	The object doesn't expire.	(Optional)
`--import`	Whether to import the object. import is a process where a read only properties like creation_time and modification_time could be provided. when 'export_key' parameter is provided in the request the property values are expected to be encrypted from an export hence will be decrypted.	(Optional)
`--export-key`	The key to decrypt property values. Can be provided only when `import` is `true`.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Update an object

Updates an object of a collection.

pvault object update { --id | -i=value } --fields=value [ --expiration-secs=value ] [ --no-expiration ] [ --archived ] [ --import ] [ --export-key=import ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--id` `-i`	The ID of the object to update.	Required
`--fields`	The object details in JSON format. To use a file path prefix with '@' or to use stdin use '-'.	Required
`--expiration-secs`	Expiration time in seconds for the object. If not set, the expiration time in seconds is not changed.	(Optional)
`--no-expiration`	The object doesn't expire.	(Optional)
`--archived`	Return only archived objects.	(Optional)
`--import`	Whether to import the object. import is a process where a read only properties like creation_time and modification_time could be provided. when 'export_key' parameter is provided in the request the property values are expected to be encrypted from an export hence will be decrypted.	(Optional)
`--export-key`	The key to decrypt property values. Can be provided only when `import` is `true`.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Get objects

Gets details of objects in a collection.

pvault object get { --id | -i=value } [ --props | -p=value ] [ --all-unsafe | -a ] [ --show-builtins ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--id` `-i`	A comma-delimited list of objects IDs. Accepts multiple inputs.	Required
`--props` `-p`	Comma-delimited list of property names and transformations to return. Accepts multiple inputs.	(Optional)
`--all-unsafe` `-a`	Return all properties of the object.	(Optional)
`--show-builtins`	Show the built-in properties in the response.	(Optional)
`--archived`	Return only archived objects.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Search objects

Returns a paginated list of objects in a collection by query.

pvault object query [ --in=value ] [ --match=value ] [ --like=value ] [ --query-json=value ] [ --props | -p=value ] [ --all-unsafe | -a ] [ --cursor=value ] [ --page-size=0 ] [ --show-builtins ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--in`	Equal sign delimiter for property name and array of possible values in the form of property=value1, value2. Accepts multiple inputs.	(Optional)
`--match`	Equal sign delimiter for property name and searched value in the form of property=value. Accepts multiple inputs.	(Optional)
`--like`	Equal sign delimiter for property name and pattern in the form of property=pattern. Accepts multiple inputs.	(Optional)
`--query-json`	The query in JSON format. To use a file path prefix with '@' or to use stdin use '-'.	(Optional)
`--props` `-p`	Comma-delimited list of property names and transformations to return. Accepts multiple inputs.	(Optional)
`--all-unsafe` `-a`	Return all properties for the object.	(Optional)
`--cursor`	The cursor returned by the previous call or an empty string for the first call.	(Optional)
`--page-size`	The maximum number of items to be returned in the call.	`0`
`--show-builtins`	Show the built-in properties in the response.	(Optional)
`--archived`	Return only archived objects.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

List all objects

Returns a paginated list of all objects from a collection with all or a subset of object property values.

pvault object list [ --props | -p=value ] [ --all-unsafe | -a ] [ --cursor=value ] [ --page-size=0 ] [ --show-builtins ] [ --archived ] [ --export ] [ --reload-cache ] { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--props` `-p`	Comma-delimited list of property names and transformations to return. Accepts multiple inputs.	(Optional)
`--all-unsafe` `-a`	Return all properties for the object.	(Optional)
`--cursor`	Reference to the next page for a subsequent call with the same request parameters. An empty string for the first call.	(Optional)
`--page-size`	The maximum number of items to return in the call.	`0`
`--show-builtins`	Show the built-in properties in the response.	(Optional)
`--archived`	Return only archived objects.	(Optional)
`--export`	Encrypt the property values for export.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Counts objects in a collection

Returns a count of active, archived, and all objects in a collection.

pvault object count { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Delete an object

Deletes object from a collection.

pvault object delete { --id | -i=value } [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--id` `-i`	The ID of the object to delete. Accepts multiple inputs.	Required
`--archived`	Delete archived objects or active objects.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Archive an object

Archives an object by forcing it to expire immediately.

pvault object archive { --id | -i=value } [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--id` `-i`	The ID of the object to archive.	Required
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Restore an archived object

Restores an object by changing changing its expiration to a time in the future.

pvault object restore { --id | -i=value } [ --expiration-secs=value ] [ --no-expiration ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--id` `-i`	The ID of the object to restore.	Required
`--expiration-secs`	The expiration time in seconds for the object. If not set, the default is used.	(Optional)
`--no-expiration`	The object doesn't expire.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Get a blob

Gets the value of a BLOB property of an object and save it to a file.

pvault object get-blob { --id | -i=value } { --prop | -p=value } --blob-file=value [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--id` `-i`	The ID of the object to get.	Required
`--prop` `-p`	The property name of the blob.	Required
`--blob-file`	The path to save the blob.	Required
`--archived`	Return only archived objects.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

update a blob

update the value of a BLOB property of an object from a file.

pvault object update-blob { --id | -i=value } { --prop | -p=value } --blob-file=value [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--id` `-i`	The ID of the object to update.	Required
`--prop` `-p`	The property name of the blob.	Required
`--blob-file`	The path to of the blob to update.	Required
`--archived`	Return only archived objects.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Token

Tokenize

Creates tokens that reference the values of objects' properties. The returned list of token IDs is in the same order as the object IDs in the request. If any of the object IDs are invalid or not found, no tokens are produced.

pvault token create [ --object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --props | -p=value ] --type=value [ --store-object ] [ --expiration-secs=value ] [ --no-expiration ] [ --token-id=value ] [ --scope=default ] [ --tag=value ] [ --ensure-unique-tenant-tags=value ] [ --fptemplate=value ] [ --fpprops=value ] [ --transaction-id=value ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--object-id`	Comma-separated list of object IDs. Cannot be used with `--object-fields` or `--ciphertext`. Accepts multiple inputs.	(Optional)
`--object-fields`	Object fields on JSON format. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with `--object-id` or `--ciphertext`.	(Optional)
`--ciphertext`	The ciphertext of the encrypted object. Cannot be used with `--object-id` or `--object-fields`.	(Optional)
`--encryption-scope`	The scope used to encrypt the object.	`default`
`--props` `-p`	Comma-separated list of property names. If not specified, all of the non-builtin properties are used. Accepts multiple inputs.	(Optional)
`--type`	The type of the tokens. Options: `pci`, `pci_oneway`, `pointer`, `randomized` or `deterministic`.	Required
`--store-object`	When `object-fields` flag is included, store the property values as an object in the collection. The token is owned by the new object. Default is false.	(Optional)
`--expiration-secs`	The expiration time in seconds for the tokens. If not set, the default is used.	(Optional)
`--no-expiration`	The tokens don't expire.	(Optional)
`--token-id`	User provided ID to set for the token. If not set, a new token ID is generated.	(Optional)
`--scope`	A classification for the tokens.	`default`
`--tag`	Comma-separated list of tags to attach to the tokens. Accepts multiple inputs.	(Optional)
`--ensure-unique-tenant-tags`	Comma-separated list of tags to validate as unique in tenant scope. Must be subset of 'tags'. Accepts multiple inputs.	(Optional)
`--fptemplate`	Format preserve template to use to generate the token IDs.	(Optional)
`--fpprops`	Property names to be used by the format preserve template to generate the token IDs. Accepts multiple inputs.	(Optional)
`--transaction-id`	An ID to attach to the tokens.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Detokenize

Returns the object property values for tokens. The detokenized tokens are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token detokenize [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --archived ] [ --include-metadata ] [ --include-aggregation ] [ --props | -p=value ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--token-id` `-t`	Comma-separated list of token IDs. Accepts multiple inputs.	(Optional)
`--object-id`	Comma-separated list of object IDs that own the tokens. Accepts multiple inputs.	(Optional)
`--tag`	Comma-separated list of tags. Accepts multiple inputs.	(Optional)
`--archived`	Detokenize archived tokens. If not set, detokenizes active tokens.	(Optional)
`--include-metadata`	Include the metadata of the tokens returned by the query.	(Optional)
`--include-aggregation`	Include aggregated data of the query. Only applicable if `include-metadata` is set.	(Optional)
`--props` `-p`	Comma-separated list of property names. If not specified, return all properties. Accepts multiple inputs.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Search tokens

Gets tokens with their metadata. The listed tokens are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token info [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --include-aggregation ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--token-id` `-t`	Comma-separated list of token IDs. Accepts multiple inputs.	(Optional)
`--object-id`	Comma-separated list of object IDs that own the tokens. Accepts multiple inputs.	(Optional)
`--tag`	Comma-separated list of tags. Accepts multiple inputs.	(Optional)
`--include-aggregation`	Include aggregated data of the query.	(Optional)
`--archived`	Return archived tokens. If not set, returns active tokens.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Update tokens

Updates tags, expiration token metadata, or the token data itself. The tokens updated are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token update [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --input-object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --props | -p=value ] [ --new-tags=value ] [ --ensure-unique-tenant-tags=value ] [ --expiration-secs=value ] [ --no-expiration ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--token-id` `-t`	Comma-separated list of token IDs. Accepts multiple inputs.	(Optional)
`--object-id`	Comma-separated list of object IDs that own the tokens. Accepts multiple inputs.	(Optional)
`--tag`	Comma-separated list of tags. Accepts multiple inputs.	(Optional)
`--input-object-id`	Input object ID to be used as input for the new update data. Cannot be used with `--object-fields` or `--ciphertext`. Accepts multiple inputs.	(Optional)
`--object-fields`	Object fields on JSON format to be used as input for the new update data. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with `--input-object-id`, or `--ciphertext`.	(Optional)
`--ciphertext`	The ciphertext of the encrypted object to be used as input for the new update data. Cannot be used with `--input-object-id`, or `--object-fields`.	(Optional)
`--encryption-scope`	The scope used to encrypt the object used in `--ciphertext`.	`default`
`--props` `-p`	Comma-separated list of property names to use out of the input object, when updating the token data. If not specified, all of the non-builtin properties are used. Accepts multiple inputs.	(Optional)
`--new-tags`	Comma-separated list of tags. Accepts multiple inputs.	(Optional)
`--ensure-unique-tenant-tags`	Comma-separated list of tags to validate as unique in tenant scope. Must be subset of 'tags'. Accepts multiple inputs.	(Optional)
`--expiration-secs`	The expiration time in seconds for the tokens. If not set, the expiry dates of the tokens are not changed.	(Optional)
`--no-expiration`	The tokens don't expire.	(Optional)
`--archived`	Update archived tokens. If not set, updates active tokens.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Rotate tokens

Generates new token IDs for tokens. The tokens rotated are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token rotate { --token-id | -t=value } [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--token-id` `-t`	Comma-separated list of token IDs. Accepts multiple inputs.	Required
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Delete tokens

Deletes tokens. The tokens deleted are those that match all the criteria in --token-id or -t, --object-id, --tag, and tenant-id. --tenant-id is matched against the tenant ID of the object owning the token.

pvault token delete [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--token-id` `-t`	Comma-separated list of token IDs. Accepts multiple inputs.	(Optional)
`--object-id`	Comma-separated list of object IDs that own the tokens. Accepts multiple inputs.	(Optional)
`--tag`	Comma-separated list of tags. Accepts multiple inputs.	(Optional)
`--archived`	Delete archived tokens. If not set, deletes active tokens.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Archive tokens

Archives tokens. The tokens archived are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token archive [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--token-id` `-t`	Comma-separated list of token IDs. Accepts multiple inputs.	(Optional)
`--object-id`	Comma-separated list of object IDs that own the tokens. Accepts multiple inputs.	(Optional)
`--tag`	Comma-separated list of tags. Accepts multiple inputs.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Restore tokens

Restores tokens. The tokens restored are those that match the --token-id or -t options.

pvault token restore [ --token-id | -t=value ] [ --expiration-secs=value ] [ --no-expiration ] { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--token-id` `-t`	Comma-separated list of token IDs. Accepts multiple inputs.	(Optional)
`--expiration-secs`	The new expiration time in seconds for the token(s).	(Optional)
`--no-expiration`	The token doesn't expire.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Get by transaction ID

Gets the token IDs for a transaction ID, an arbitrary identifier provided during tokenization.

pvault token get-by-transaction-id { --id | -i=TRANSACTION ID } { --collection | -c=COLLECTION } [ --tenant-id=TENANT_ID ]

Flag	Description	Default	Environment variable
`--id` `-i`	The `TRANSACTION ID` to return token IDs for.	Required
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`
`--tenant-id`	Enforce the `TENANT_ID` for the request. Accepts multiple inputs.	(Optional)	`$PVAULT_TENANT_ID`

Counts the tokens in a collection

Returns a count of active, archived, and all tokens in a collection.

pvault token count { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Crypto

Encrypt fields from objects or input fields

Encrypt fields from objects or input fields.

pvault crypto encrypt [ --object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --type=value ] [ --scope=default ] [ --props | -p=value ] [ --expiration-secs=value ] [ --no-expiration ] [ --tag=value ] [ --reload-cache ] { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--object-id`	Comma-separated list of object IDs. Cannot be used with `--object-fields` or `--ciphertext`. Accepts multiple inputs.	(Optional)
`--object-fields`	Object fields on JSON format. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with `--object-id` or `--ciphertext`.	(Optional)
`--ciphertext`	The ciphertext of the encrypted object. Cannot be used with `--object-id` or `--object-fields`.	(Optional)
`--encryption-scope`	The scope used to encrypt the object.	`default`
`--type`	The type of the encryption. Options: `randomized` or `deterministic`.	(Optional)
`--scope`	A classification for the encryption.	`default`
`--props` `-p`	Comma-separated list of property names. If not specified, all of the non-builtin properties are used. Accepts multiple inputs.	(Optional)
`--expiration-secs`	The expiration time in seconds for the encrypted objects. If not set, the default is used.	(Optional)
`--no-expiration`	The encrypted objects don't expire.	(Optional)
`--tag`	Comma-separated list of tags to attach to the encrypted object metadata. Accepts multiple inputs.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Decrypt fields blob

Returns the object property values for encrypted objects.

pvault crypto decrypt --ciphertext=value [ --encryption-scope=default ] [ --archived ] [ --include-metadata ] [ --props | -p=value ] [ --reload-cache ] { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--ciphertext`	The ciphertext of encrypted object to decrypt.	Required
`--encryption-scope`	The scope used to encrypt the object.	`default`
`--archived`	Decrypt only archived encrypted objects. If not set, decrypt active encrypted objects.	(Optional)
`--include-metadata`	Show encrypted object metadata.	(Optional)
`--props` `-p`	Comma-separated list of property names. If not specified, return all properties. Accepts multiple inputs.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Update encrypted fields blob

Update encrypted fields blob.

pvault crypto update --ciphertext=value [ --encryption-scope=default ] --fields=value [ --type=value ] [ --props | -p=value ] [ --expiration-secs=value ] [ --no-expiration ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--ciphertext`	The ciphertext of encrypted object to update.	Required
`--encryption-scope`	The scope used to encrypt the object.	`default`
`--fields`	Fields details to update in JSON format. To use a file path prefix with '@' or to use stdin use '-'.	Required
`--type`	The type of the encryption. Options: `randomized` or `deterministic`.	(Optional)
`--props` `-p`	Comma-separated list of property names. If not specified, all of the non-builtin properties are used. Accepts multiple inputs.	(Optional)
`--expiration-secs`	The expiration time in seconds for the encrypted object. If not set, the expiry date of the encrypted object is not changed.	(Optional)
`--no-expiration`	The encrypted object don't expire.	(Optional)
`--archived`	Update only archived encrypted objects If not set, update active encrypted objects.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Encrypt an input field for a property of type BLOB

ncrypt an input field for a property of type BLOB.

pvault crypto encrypt-blob --blob=value { --output | -o=value } { --prop | -p=value } [ --type=value ] [ --scope=default ] [ --expiration-secs=value ] [ --no-expiration ] [ --tag=value ] [ --reload-cache ] { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--blob`	Raw content to encrypt. To use a file path prefix with '@' or to use stdin use '-'.	Required
`--output` `-o`	File path to store the encrypted ciphertext. To use stdout use '-'.	Required
`--prop` `-p`	The property name of the encrypted object. Must be of type BLOB.	Required
`--type`	The type of the encryption. Options: `randomized` or `deterministic`.	(Optional)
`--scope`	A classification for the encryption.	`default`
`--expiration-secs`	The expiration time in seconds for the encrypted objects. If not set, the default is used.	(Optional)
`--no-expiration`	The encrypted objects don't expire.	(Optional)
`--tag`	Comma-separated list of tags to attach to the encrypted object metadata. Accepts multiple inputs.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Decrypt a ciphertext of a single blob

Returns the plaintext of a single an encrypted blob ciphertext, in raw format.

pvault crypto decrypt-blob --ciphertext=value { --output | -o=value } { --prop | -p=value } [ --archived ] [ --scope=default ] [ --reload-cache ] { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--ciphertext`	The ciphertext of encrypted blob property to decrypt. To use a file path prefix with '@' or to use stdin use '-'.	Required
`--output` `-o`	File path to store the decrypted blob. To use stdout use '-'.	Required
`--prop` `-p`	The property name of the encrypted object. Must be of type BLOB.	Required
`--archived`	Decrypt only archived encrypted objects. If not set, decrypt active encrypted objects.	(Optional)
`--scope`	A classification for the encryption.	`default`
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Hash object

Returns a deterministic hash based on the collection name, object ID, property values, and scope. This command is similar to using the "deterministic" token type in the "Tokenize" command. The hash value is identical to the token ID that is provided for the same combination of collection, object, property values, and scope. However, unlike the token, this hash is not stored in Vault's storage and, as such, cannot be detokenized, searched, or invalidated.

pvault crypto hash [ --object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --props | -p=value ] [ --scope=default ] [ --fptemplate=value ] [ --fpprops=value ] [ --reload-cache ] { --collection | -c=COLLECTION }

Flag	Description	Default	Environment variable
`--object-id`	Comma-separated list of object IDs. Cannot be used with `--object-fields` or `--ciphertext`. Accepts multiple inputs.	(Optional)
`--object-fields`	Object fields on JSON format. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with `--object-id` or `--ciphertext`.	(Optional)
`--ciphertext`	The ciphertext of the encrypted object. Cannot be used with `--object-id` or `--object-fields`.	(Optional)
`--encryption-scope`	The scope used to encrypt the object.	`default`
`--props` `-p`	Comma-separated list of property names. Accepts multiple inputs.	(Optional)
`--scope`	A classification for the token.	`default`
`--fptemplate`	Format preserve template to use to generate the token IDs.	(Optional)
`--fpprops`	Property names to be used by the format preserve template to generate the token IDs. Accepts multiple inputs.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)
`--collection` `-c`	The `COLLECTION` name.	Required	`$PVAULT_COLLECTION`

Identity And Access Management

Get IAM configuration

Gets IAM configuration in TOML format.

pvault iam get

Set IAM configuration

Sets the IAM configuration.

pvault iam apply --conf=value

Flag	Description	Default	Environment variable
`--conf`	The configuration to apply in TOML format. To use a file path prefix with '@' or to use stdin use '-'.	Required

Regenerate user API key

Regenerates a user's API key. The user's current key is invalidated. The Admin user's API key cannot be regenerated and must be set using the PVAULT_SERVICE_ADMIN_API_KEY environment variable.

pvault iam regen-api-key { --name | -n=value }

Flag	Description	Default	Environment variable
`--name` `-n`	Username of the user to regenerate the API key for.	Required

Update user API key expiration

Updates a user's API key expiration.

pvault iam update-api-key-expiration { --name | -n=value } --expiration-days=value

Flag	Description	Default	Environment variable
`--name` `-n`	Name of the user to update the API key expiration for.	Required
`--expiration-days`	New expiration in days (from now) for the API key.	Required

Get the user's details

Get the user's details.

pvault iam get-user { --name | -n=value }

Flag	Description	Default	Environment variable
`--name` `-n`	user name.	Required

Get user capabilities and policies

Gets the capabilities and policies for a user.

pvault iam user-view { --name | -n=value }

Flag	Description	Default	Environment variable
`--name` `-n`	user name.	Required

Get resource access details

Gets details of the users and associated reasons that can access a resource for an operation.

pvault iam resource-view --resource=value --operation=value

Flag	Description	Default	Environment variable
`--resource`	resource.	Required
`--operation`	operation.	Required

Dynamic Configuration

Get configuration variable

Get the value of a dynamic configuration variable.

pvault confvar get { --name | -n=value }

Flag	Description	Default	Environment variable
`--name` `-n`	Name of the configuration variable. Supported names: `log_level`	Required

Set configuration variable

Set the value of a dynamic configuration variable. This command is unavailable in the hosted version of Vault.

pvault confvar set { --name | -n=value } --value=value

Flag	Description	Default	Environment variable
`--name` `-n`	Name of the configuration variable. Supported names: `log_level`	Required
`--value`	Value of the configuration variable. Supported values for `log_level` are: `debug`, `info`, `warn`, `error`.

Supported values for trace_sql are: true, false | Required | |

Clear configuration variable

Clear the value of a dynamic configuration variable. This command is unavailable in the hosted version of Vault.

pvault confvar clear { --name | -n=value }

Flag	Description	Default	Environment variable
`--name` `-n`	Name of the configuration variable. Supported names: `log_level`	Required

Clear all configuration variables

Clear the values of all dynamic configuration variables. This command is unavailable in the hosted version of Vault.

pvault confvar clear-all

Status

Get system status.

pvault status

System

Get cluster information on cache generations

pvault system cluster-info

Get vault info, including backing store

pvault system info

Admin

Set Admin API key

Set the api key for the Admin user of Vault.

pvault admin set-admin-api-key --key=KEY

Flag	Description	Default	Environment variable
`--key`	The api `KEY`.	Required

Rotate encryption keys

Key rotation not managed in the hosted version of Vault.

pvault admin rotate-keys

Get system configuration

pvault admin get-configuration

Get KMS status

pvault admin kms-status

Get license details

pvault admin get-license

Set license

In the hosted version of Vault, Piiano manages and sets the license key.

pvault admin set-license --key=value

Flag	Description	Default	Environment variable
`--key`	The license key.	Required

Delete objects and tokens

Deletes objects and tokens that have been in the archived state for longer than the retention period and token transaction IDs with no associated tokens. By default, this command deletes objects, tokens, and dangling token transaction IDs.

pvault admin gc [ --objects-only ] [ --tokens-only ] [ --transaction-ids-only ] [ --dry-run ] [ --force | -f ] [ --quiet ] [ --reload-cache ]

Flag	Description	Default
`--objects-only`	Delete archived objects only.	(Optional)
`--tokens-only`	Delete archived tokens only.	(Optional)
`--transaction-ids-only`	Delete token transaction IDs with no associated tokens only.	(Optional)
`--dry-run`	Return a count of items eligible for deletion, without deleting them.	(Optional)
`--force` `-f`	Ignore interactive protection.	(Optional)
`--quiet`	Suppress the printing of output. Can only be included when the `--force` flag is set.	(Optional)
`--reload-cache`	Force a cache reload.	(Optional)

Version

Get the version of the Vault.

pvault version

Selftest

Run a performance suite

Run a performance benchmarking suite using a separate database collection. The given parameters control how the benchmarking suite is performed.

pvault selftest bench [ --par=1 ] [ --rate=0 ] [ --scale=1000 ] [ --duration=0 ] [ --middle-stage-duration=0 ] [ --read=0 ] [ --update=0 ] [ --token=0 ] [ --replace=0 ] [ --query=0 ] [ --sleep=0 ] [ --persisted=value ] [ --skip-recreate ] [ --html-output=value ] [ --term-output ] [ --columns=9 ]

Flag	Description	Default
`--par`	Goroutine parallelism - how many requests to perform in parallel	`1`
`--rate`	Optimistic target RPS. 0 to set no limit and request as fast as possible.	`0`
`--scale`	Scale multiple - control the total amount of work and dataset size	`1000`
`--duration`	Minimum duration in minutes in which to repeated run the benchmark, 0 - for a single execution	`0`
`--middle-stage-duration`	Number of seconds for the middle stage where random operations are done (0 = no middle stage)	`0`
`--read`	Weight reads in the middle stage	`0`
`--update`	Weight updates in the middle stage	`0`
`--token`	Weight tokens in the middle stage	`0`
`--replace`	Weight replace in the middle stage	`0`
`--query`	Weight query in the middle stage	`0`
`--sleep`	Duration of seconds to sleep between executions	`0`
`--persisted`	Provide a shadow database to the bench. By providing this file, the final 'Delete' stage is replaced the save of the UUIDs of the created objects. If the file already exist, the initial 'Add' stage is replaced with the loading of the UUIDs from the file.	(Optional)
`--skip-recreate`	Skip recreation of the test collection and assume it already exists.	(Optional)
`--html-output`	Issue an HTML report to this path	(Optional)
`--term-output`	Show term graphics depicting operations	(Optional)
`--columns`	Control the number of properties in the schema	`9`

Quick validation for a working Vault

pvault selftest basic [ --fail-on-warnings | -w ] [ --collection | -c=COLLECTION ]

Flag	Description	Default	Environment variable
`--fail-on-warnings` `-w`	Fail on check warnings	(Optional)
`--collection` `-c`	The `COLLECTION` name.	(Optional)	`$PVAULT_COLLECTION`

Completions

Generate auto-completion script for bash

Generates a bash completion script for pvault-cli commands and flags. The script is output on stdout, enabling you to redirect it to a file that can be sourced by your terminal session or by your bash profile. Works only with the CLI binary.

pvault completions bash

Generate auto-completion script for zsh

Generates a zsh completion script for pvault-cli commands and flags. The script is output on stdout, enabling you to redirect it to a file that can be sourced in your terminal session or by your zsh profile. Works only with the CLI binary.

pvault completions zsh

Export

Export Vault data

Exports Vault data for one or more collections to a zip file. By default, the export includes collection objects, collection schemas, the IAM configuration file, custom data type specifications, and custom data type bundles. You can include archived objects in the export. If you're using the hosted version of Vault and need to export data, contact Piiano.

pvault export [ --collections=value ] [ --include-archived ] [ --no-data ] [ --no-iam ] [ --no-collection-schemas ] [ --no-bundles ] [ --no-data-types ] [ --data-only ] [ --include-deterministic-tokens ] [ --output-dir | -d=. ] [ --no-progress ]

Flag	Description	Default
`--collections`	Comma-separated list of the collections to export. If not specified, all collections are exported. Accepts multiple inputs.	(Optional)
`--include-archived`	Include archived objects in the export.	(Optional)
`--no-data`	Exclude collection objects from the export.	(Optional)
`--no-iam`	Exclude IAM data from the export.	(Optional)
`--no-collection-schemas`	Exclude collection schemas from the export.	(Optional)
`--no-bundles`	Exclude bundles from the export.	(Optional)
`--no-data-types`	Exclude data types from the export.	(Optional)
`--data-only`	Export collection objects only. This flag is a shortcut for --no-iam, --no-collection-schemas, --no-bundles, and --no-data-types.	(Optional)
`--include-deterministic-tokens`	Whether to include deterministic tokens in the export. If not specified, defaults to false.	(Optional)
`--output-dir` `-d`	The directory to write the exported zip file to. If not specified, defaults to the current directory.	`.`
`--no-progress`	Hide the progress display.	(Optional)

Import

Imports Vault data

Imports Vault data from a zip file. If you're using the hosted version of Vault and need to import exported data, contact Piiano.

pvault import --zip-file=value [ --no-progress ] [ --no-data ] [ --data-only ] [ --override-duplicates ] [ --skip-duplicates ] [ --max-skip-duplicates=0 ] [ --force ]

Flag	Description	Default
`--zip-file`	The zip file to import.	Required
`--no-progress`	Hide the progress display.	(Optional)
`--no-data`	Exclude collection objects from the import.	(Optional)
`--data-only`	Import collection objects only.	(Optional)
`--override-duplicates`	Override duplicate objects.	(Optional)
`--skip-duplicates`	Skip duplicate objects.	(Optional)
`--max-skip-duplicates`	Maximum number of duplicate objects to skip.	`0`
`--force`	Force import to a vault with different version from the vault which used for export.	(Optional)

Global flags​

Collection​

List collections​

Get collection​

Add collection​

Update collection​

Apply collection​

Delete collection​

Collection // Property​

List collection properties​

Get collection property​

Add collection property​

Update collection property​

Delete collection property​

Action​

List actions​

Get action​

Add action​

Delete action​

Bundle​

List bundles​

Get bundle​

Add bundle​

Update bundle​

Delete bundle​

Datatype​

List data types​

Get data type​

Add data type​

Update data type​

Delete data type​

Object​

Add object​

Update an object​

Get objects​

Search objects​

List all objects​

Counts objects in a collection​

Delete an object​

Archive an object​

Restore an archived object​

Get a blob​

update a blob​

Token​

Tokenize​

Detokenize​

Search tokens​

Update tokens​

Rotate tokens​

Delete tokens​

Archive tokens​

Restore tokens​

Get by transaction ID​

Counts the tokens in a collection​

Crypto​

Encrypt fields from objects or input fields​

Decrypt fields blob​

Update encrypted fields blob​

Encrypt an input field for a property of type BLOB​

Decrypt a ciphertext of a single blob​

Hash object​

Identity And Access Management​

Get IAM configuration​

Set IAM configuration​

Regenerate user API key​

Update user API key expiration​

Get the user's details​

Get user capabilities and policies​

Get resource access details​

Dynamic Configuration​

Get configuration variable​

Set configuration variable​

Clear configuration variable​

Clear all configuration variables​

Status​

System​

Get cluster information on cache generations​

Get vault info, including backing store​

Admin​

Set Admin API key​