Reference

Capability token data model

Field definitions for capability tokens issued by the Vault.

This page is an informative description of the token structure; consult the spec for the normative validation rules.

capability-token = {
  version: tstr .default "1",
  resource: tstr,
  scope: [+ tstr],
  exp: uint,
  nonce: bstr,
  signature: bstr
}

Field notes

  • resource: SHOULD be a URI pointing to the protected asset.
  • scope: MUST list at least one capability verb. Supported values are read, write, and admin.
  • exp: MUST encode a UNIX timestamp in seconds.
  • nonce: SHOULD be generated with at least 128 bits of entropy.

For the authoritative rules see RFC-0001 §3.
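A structural validator for this token map, as an added example that is not the Vault's own code: it assumes the token arrives as a decoded CBOR map (a Python dict), checks each field against the notes above, and only type-checks the signature because this page does not specify the signing algorithm or key.

```python
import time
from urllib.parse import urlparse

SUPPORTED_SCOPES = {"read", "write", "admin"}   # the verbs listed in the field notes
MIN_NONCE_BYTES = 16                             # 128 bits, per the nonce note

def validate_capability_token(token, now=None):
    """Return rule violations for a decoded CBOR map (a dict); empty means valid.
    `now` is a UNIX timestamp in seconds and defaults to the current time."""
    problems = []
    now = int(time.time()) if now is None else now

    # version: tstr, defaulting to "1" when the key is absent (.default "1")
    if not isinstance(token.get("version", "1"), str):
        problems.append("version must be a text string")

    # resource: tstr that SHOULD be a URI; require a scheme plus some locator part
    resource = token.get("resource")
    if not isinstance(resource, str):
        problems.append("resource must be a text string")
    else:
        parsed = urlparse(resource)
        if not parsed.scheme or not (parsed.netloc or parsed.path):
            problems.append("resource should be a URI")

    # scope: [+ tstr]; at least one verb, and only the supported ones
    scope = token.get("scope")
    if not isinstance(scope, list) or not scope:
        problems.append("scope must be a non-empty array")
    else:
        unknown = [s for s in scope if not isinstance(s, str) or s not in SUPPORTED_SCOPES]
        if unknown:
            problems.append(f"scope has unsupported verbs: {unknown}")

    # exp: uint UNIX seconds; bool is excluded because it subclasses int in Python
    exp = token.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, int) or exp < 0:
        problems.append("exp must be an unsigned integer")
    elif exp <= now:
        problems.append("token has expired")

    # nonce: bstr; a validator can only check length, not the entropy of the source
    nonce = token.get("nonce")
    if not isinstance(nonce, bytes) or len(nonce) < MIN_NONCE_BYTES:
        problems.append(f"nonce must be a byte string of at least {MIN_NONCE_BYTES} bytes")

    # signature: bstr; verifying it needs the Vault's key and algorithm, not given here
    if not isinstance(token.get("signature"), bytes):
        problems.append("signature must be a byte string")
    return problems
```

The returned list is the full set of violations rather than the first one, so a rejected token can be logged with every failing field at once.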