| --- |
| layout: api |
| page_title: /sys/init - HTTP API |
| description: The `/sys/init` endpoint is used to initialize a new Vault. |
| --- |
| |
| # `/sys/init` |
| |
| @include 'alerts/restricted-root.mdx' |
| |
| The `/sys/init` endpoint is used to initialize a new Vault. |
| |
| ## Read initialization status |
| |
| This endpoint returns the initialization status of Vault. |
| |
| | Method | Path | |
| | :----- | :---------- | |
| | `GET` | `/sys/init` | |
| |
| ### Sample request |
| |
| ```shell-session |
| $ curl \ |
| http://127.0.0.1:8200/v1/sys/init |
| ``` |
| |
| ### Sample response |
| |
| ```json |
| { |
| "initialized": true |
| } |
| ``` |
| |
| ## Start initialization |
| |
| This endpoint initializes a new Vault. The Vault must not have been previously |
| initialized. The recovery options, as well as the stored shares option, are only |
| available when using [Auto Unseal](/vault/docs/concepts/seal#auto-unseal). |
| |
| | Method | Path | |
| | :----- | :---------- | |
| | `POST` | `/sys/init` | |
| |
| ### Parameters |
| |
| - `pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public keys used |
| to encrypt the output unseal keys. Ordering is preserved. The keys must be |
| base64-encoded from their original binary representation. The size of this |
| array must be the same as `secret_shares`. |
| |
| - `root_token_pgp_key` `(string: "")` – Specifies a PGP public key used to |
| encrypt the initial root token. The key must be base64-encoded from its |
| original binary representation. |
| |
| - `secret_shares` `(int: <required>)` – Specifies the number of shares to |
| split the root key into. |
| |
| - `secret_threshold` `(int: <required>)` – Specifies the number of shares |
| required to reconstruct the root key. This must be less than or equal |
| `secret_shares`. |
| |
| Additionally, the following options are only supported using Auto Unseal: |
| |
| - `stored_shares` `(int: <required>)` – Specifies the number of shares that |
| should be encrypted by the HSM and stored for auto-unsealing. Currently must |
| be the same as `secret_shares`. |
| |
| - `recovery_shares` `(int: 0)` – Specifies the number of shares to |
| split the recovery key into. This is only available when using Auto Unseal. |
| |
| - `recovery_threshold` `(int: 0)` – Specifies the number of shares |
| required to reconstruct the recovery key. This must be less than or equal to |
| `recovery_shares`. This is only available when using Auto Unseal. |
| |
| - `recovery_pgp_keys` `(array<string>: nil)` – Specifies an array of PGP public |
| keys used to encrypt the output recovery keys. Ordering is preserved. The keys |
| must be base64-encoded from their original binary representation. The size of |
| this array must be the same as `recovery_shares`. This is only available when using Auto Unseal. |
| |
| ### Sample payload |
| |
| ```json |
| { |
| "secret_shares": 10, |
| "secret_threshold": 5 |
| } |
| ``` |
| |
| ### Sample request |
| |
| ```shell-session |
| $ curl \ |
| --request POST \ |
| --data @payload.json \ |
| http://127.0.0.1:8200/v1/sys/init |
| ``` |
| |
| ### Sample response |
| |
| A JSON-encoded object including the (possibly encrypted, if `pgp_keys` was |
| provided) root keys, base 64 encoded root keys and initial root token: |
| |
| ```json |
| { |
| "keys": ["one", "two", "three"], |
| "keys_base64": ["cR9No5cBC", "F3VLrkOo", "zIDSZNGv"], |
| "root_token": "foo" |
| } |
| ``` |
| |
| -> **Warning:** Please be reminded that recovery keys are used as an |
| authentication flow for rekeying and regeneration of root credentials and cannot |
| be used to unseal Vault in the case of the unavailability of the seal mechanism. |
| Refer to the full warning in the documentation for |
| [Auto Unseal](/vault/docs/concepts/seal#auto-unseal). |
| |
