Set the Admin's API key

Vault always has an admin user account. This admin API key gives a "break the glass" mechanism that enables you to regain control of Vault when all other API keys fail (e.g., when you lose your admin API key).

Unlike other user accounts, the admin user's API key is set using one of these two methods:

  1. The environment variable PVAULT_SERVICE_ADMIN_API_KEY
  2. The Set Admin API key API call

Note: The Admin API key can't be authenticated using JWT access tokens.

Set the Admin API key using the environment variable

The environment variable and, therefore, the key have a default value of pvaultauth. It is highly recommended that you change the value of the admin API key to a unique value when deploying Vault to production.

Change the API key by updating the value of the environment variable and restarting Vault.

Note that the admin API key is not updated during startup if the PVAULT_SERVICE_OVERRIDE_ADMIN_API_KEY_ON_RESTART environment variable is set to false. By default it is set to true, so that changes to the environment variable take effect after Vault restarts.

Set the Admin API key using the API

You can set a new admin API key using the API call. This API is restricted to the Admin user.

The API key should meet the specified criteria:

  • It must be at least 15 characters long.
  • It must contain a mix of digits, lowercase letters, and uppercase letters.
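
A pre-deployment check that ties the environment-variable settings and the key criteria above together, as an added example that is not part of the Vault documentation or tooling. The function names are hypothetical, and two things are assumptions: that the same criteria are enforced on the environment-variable value, and that the default value should be rejected outright.

```shell
#!/bin/sh
# Added example: pre-deployment check for the Vault admin API key.

# validate_admin_key KEY: succeed only if KEY meets the criteria listed on this page.
# The body is a subshell so the LC_ALL override and variables do not leak out.
validate_admin_key() (
    LC_ALL=C    # make [a-z] and [A-Z] strict ASCII ranges
    key=$1
    # Assumption: the documented default must never reach production.
    [ "$key" != "pvaultauth" ] || { echo "key is the default value" >&2; return 1; }
    [ "${#key}" -ge 15 ] || { echo "key is shorter than 15 characters" >&2; return 1; }
    case $key in *[0-9]*) ;; *) echo "key has no digit" >&2; return 1 ;; esac
    case $key in *[a-z]*) ;; *) echo "key has no lowercase letter" >&2; return 1 ;; esac
    case $key in *[A-Z]*) ;; *) echo "key has no uppercase letter" >&2; return 1 ;; esac
)

# generate_admin_key: print a random 32-character alphanumeric key that validates.
generate_admin_key() {
    while :; do
        candidate=$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c 32)
        # Retry if the sample was short or happens to miss one character class.
        if [ "${#candidate}" -eq 32 ] && validate_admin_key "$candidate" 2>/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

# check_deploy_env: validate the settings Vault would read from the environment.
# Returns 1 for a weak or default key, 2 if a changed key would not be applied.
check_deploy_env() {
    # An unset variable means the default value is in effect, so check that.
    validate_admin_key "${PVAULT_SERVICE_ADMIN_API_KEY:-pvaultauth}" || return 1
    # With the override flag set to false, the key is not updated during startup.
    if [ "${PVAULT_SERVICE_OVERRIDE_ADMIN_API_KEY_ON_RESTART:-true}" = "false" ]; then
        echo "override on restart is false: the new key will not apply at startup" >&2
        return 2
    fi
    return 0
}
```

Source the file in a deployment script and call `check_deploy_env` before starting Vault; `generate_admin_key` prints a key to store in your secrets manager.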

Vault SaaS

When using the hosted version of Vault, you can change the admin API key on the Settings page, in the Vault Admin API Key Provider section.