openbao 1.0.2

Secure, typed, async Rust SDK for OpenBao
# OpenBao API Coverage Plan

Checked against official OpenBao `2.5.x` documentation on 2026-05-30.
AppRole administration was refreshed against the same documentation set on
2026-06-01.
RabbitMQ secrets engine coverage was refreshed against official `2.5.x`
documentation on 2026-06-01.
Identity entity, group, and alias coverage was refreshed against official
`2.5.x` documentation on 2026-06-01.
LDAP secrets engine coverage was refreshed against official `2.5.x`
documentation on 2026-06-01.
RADIUS auth coverage was refreshed against official `2.5.x` documentation on
2026-06-02.
LDAP auth coverage was refreshed against official `2.5.x` documentation on
2026-06-02.
Kerberos auth coverage was refreshed against official `2.5.x` documentation on
2026-06-02.
Endpoint-by-endpoint coverage was generated from the official rendered
OpenBao `2.5.x` API documentation on 2026-06-03 and is tracked in
`docs/OPENBAO_2_5_ENDPOINT_MATRIX.md` with the full CSV source in
`docs/openbao-2.5-endpoint-matrix.csv`.

Sources:

- OpenBao HTTP API: https://openbao.org/api-docs/
- Secret engines: https://openbao.org/api-docs/secret/
- Auth methods: https://openbao.org/api-docs/auth/
- System backend: https://openbao.org/api-docs/system/
- KV v2: https://openbao.org/api-docs/secret/kv/kv-v2/
- AppRole: https://openbao.org/api-docs/auth/approle/
- Database secrets engine: https://openbao.org/api-docs/secret/databases/
- JWT/OIDC auth: https://openbao.org/api-docs/auth/jwt/
- Kubernetes auth: https://openbao.org/api-docs/auth/kubernetes/
- TLS certificate auth: https://openbao.org/api-docs/auth/cert/
- Userpass auth: https://openbao.org/api-docs/auth/userpass/
- LDAP auth: https://openbao.org/api-docs/auth/ldap/
- RADIUS auth: https://openbao.org/api-docs/auth/radius/
- Kerberos auth: https://openbao.org/api-docs/auth/kerberos/
- Transit: https://openbao.org/api-docs/secret/transit/
- PKI: https://openbao.org/api-docs/secret/pki/
- SSH: https://openbao.org/api-docs/secret/ssh/
- TOTP: https://openbao.org/api-docs/secret/totp/
- RabbitMQ: https://openbao.org/api-docs/secret/rabbitmq/
- Identity entity: https://openbao.org/api-docs/secret/identity/entity/
- Identity group: https://openbao.org/api-docs/secret/identity/group/
- Identity entity alias: https://openbao.org/api-docs/secret/identity/entity-alias/
- Identity group alias: https://openbao.org/api-docs/secret/identity/group-alias/
- LDAP secrets engine: https://openbao.org/api-docs/secret/ldap/
- System audit config: https://openbao.org/api-docs/system/config-auditing/
- System config state: https://openbao.org/api-docs/system/config-state/
- System internal UI mounts: https://openbao.org/api-docs/next/system/internal-ui-mounts/
- System internal UI namespaces: https://openbao.org/api-docs/system/internal-ui-namespaces/
- System loggers: https://openbao.org/api-docs/system/loggers/
- System version history: https://openbao.org/api-docs/next/system/version-history/
- System namespaces: https://openbao.org/api-docs/system/namespaces/
- System quotas config: https://openbao.org/api-docs/system/quotas-config/
- System rate-limit quotas: https://openbao.org/api-docs/2.4.x/system/rate-limit-quotas/
- System host info: https://openbao.org/api-docs/system/host-info/
- System locked users: https://openbao.org/api-docs/next/system/user-lockout/
- System Raft storage: https://openbao.org/api-docs/system/storage/raft/
- System Raft Autopilot: https://openbao.org/api-docs/system/storage/raftautopilot/
- System metrics: https://openbao.org/api-docs/2.4.x/system/metrics/
- System HA status: https://openbao.org/api-docs/2.3.x/system/ha-status/
- System key status: https://openbao.org/api-docs/system/key-status/
- System CORS config: https://openbao.org/api-docs/system/config-cors/
- System step down: https://openbao.org/api-docs/system/step-down/
- System remount: https://openbao.org/api-docs/system/remount/
- System tools: https://openbao.org/api-docs/next/system/tools/

## Endpoint Matrix

The stable `1.0.x` release line uses a mechanical endpoint matrix instead
of only area-level estimates:

- documented endpoint rows extracted from OpenBao `2.5.x`: `643`;
- strict typed coverage: `597/643` (`92.8%`);
- typed plus partial coverage: `598/643` (`93.0%`);
- addressed by typed, partial, raw, external, or rejected policy: `643/643`
  (`100.0%`);
- planned implementation rows before `1.0.0`: `0`;
- open owner-decision rows before `1.0.0`: `0`.

See `docs/OPENBAO_2_5_ENDPOINT_MATRIX.md` for area totals and
`docs/openbao-2.5-endpoint-matrix.csv` for each method/path row.

## Foundation

- Client config and TLS policy.
- Token and bearer authentication header strategies.
- Namespace header support.
- Response wrapping headers.
- Raw JSON request layer.
- Typed custom plugin wrapper pattern documented in
  `docs/CUSTOM_PLUGIN_PATTERN.md`, backed by public `PluginMount`, path
  validation, and bounded string-list helpers. Generic plugin traits remain
  rejected because plugin schemas are deployment-specific.
- Typed error envelope.
- Health and seal status.
- OpenAPI discovery support through `/sys/internal/specs/openapi`.
- Environment-based client construction from common `OPENBAO_*`, `BAO_*`, and
  `VAULT_*` variables is implemented in `0.4.0`.
- Implemented downstream ergonomics from Mjolni/Pawalyze review:
  KV v2 service config loading into typed structs or bounded secret string maps
  with required-key accessors, byte-oriented Transit helpers, JWS-oriented
  Transit sign/verify helpers, ACL policy builders, and idempotent admin
  bootstrap for common service setup.
- Posture helpers:
  best-effort FIPS-oriented reporting is implemented for crate-visible Transit
  and seal-assumption choices. `docs/QUANTUM_READINESS.md` tracks the
  advisory-only quantum-readiness posture without claiming current
  post-quantum safety.
- Shared list ergonomics:
  common string list response structs implement `ListEntries`; secret accessor
  lists remain separate secret-aware types.
- Timestamp ergonomics:
  optional RFC3339 parsing helpers are available behind the `time` feature
  while response structs keep OpenBao's original string fields.

## Auth Methods

The official `2.5.x` API navigation lists:

- AppRole.
- JWT/OIDC.
- Kerberos.
- Kubernetes.
- LDAP.
- RADIUS.
- TLS certificates.
- Tokens.
- Username and password.

Support plan:

- `0.1.0`: AppRole login.
- `0.2.0`: token lifecycle helpers; create, lookup, renew, revoke, and accessor
  flows are implemented.
- `0.4.0`: Kubernetes login/config/role helpers and TLS certificate
  login/config/role/CRL helpers are implemented.
- `0.5.0`: userpass login and user administration are implemented; JWT login
  plus JWT/OIDC config and role administration helpers are implemented.
- `0.8.0`: JWT/OIDC browser flow helpers for authorization URL, callback, and
  direct/device polling are implemented.
- `0.7.0`: AppRole role and SecretID administration is implemented. Admin
  bootstrap orchestration for auth method enablement, AppRole role
  convergence, and explicit SecretID issuance is implemented.
- `0.9.0`: AppRole delegated role-property helpers are implemented for all
  documented OpenBao `2.5.x` per-property paths, including read, write, and
  reset/delete operations.
- `0.8.0`: LDAP login, config, user mapping, group mapping, list, read, and
  delete helpers are implemented. RADIUS login, config, user mapping, user
  deletion, and paginated user listing are implemented. Kerberos SPNEGO login,
  service-account/keytab config, Kerberos LDAP config, and group policy mapping
  helpers are implemented. LDAP and Kerberos LDAP TLS version fields reject
  deprecated TLS 1.0 and TLS 1.1 values.

## Secret Engines

The official `2.5.x` API navigation lists:

- Cubbyhole.
- Databases.
- Identity.
- Key/Value v1 and v2.
- Kubernetes.
- LDAP.
- PKI.
- RabbitMQ.
- SSH.
- TOTP.
- Transit.

Support plan:

- `0.1.0`: KV v2.
- `0.2.0`: KV v1 and expanded KV v2 metadata/version operations; KV v1
  read/write/delete/list and KV v2 patch, config, metadata, undelete, destroy,
  and version reads are implemented.
- `0.4.0`: KV v2 typed data reads and bounded service config maps with
  `SecretString` values are implemented.
- `0.3.0`: Transit key create/read/list/delete, encrypt, decrypt, rewrap,
  data key, random, hash, HMAC, sign, and verify are implemented.
- `0.5.0`: optional `transit-bytes` helpers encode raw request bytes and
  decode base64 Transit response fields using `base64-ng`; typed RSA
  signature options, JWS marshaling helpers, and RSA-PSS salt length helpers
  are implemented for sign/verify.
- `0.8.0`: Transit key config update, key rotation, export, backup, restore,
  trim, and batch encrypt/decrypt/rewrap/sign/verify helpers are implemented.
- `0.11.0`: Transit wrapping-key, import/import-version, BYOK export,
  soft-delete/restore, cache config, global key config, CSR generation, and
  certificate install rows are implemented. `wrapping_key` returns a public
  PEM string. Import requests carry pre-wrapped ciphertext as `SecretString`
  or public-key-only import material and reject empty import material;
  optional derivation context is also secret-aware. BYOK export returns a
  wrapped ciphertext blob as `SecretString`. Raw private key bytes are never
  accepted by these default endpoint wrappers. The optional `transit-import`
  feature prepares OpenBao's wrapped-key blob with AES-KWP/RSA-OAEP behind
  feature-gated `openssl` and `aes-kw` dependencies.
- `0.4.0`: PKI URL and CRL config, root/intermediate generation,
  intermediate signing/install, role write/read/list/delete, issue, sign,
  revoke, certificate list/read, issuer/key list/read/delete/update, issuer
  revocation, CA/key import, ACME config/EAB/directory URL helpers, CRL
  rotation, tidy, tidy status, tidy cancel, role merge-patch, default
  issuer/key config, named-issuer issue/sign, root rotate/replace, standalone
  key generation, multi-issuer root/intermediate generation, and
  operator-gated default root deletion with explicit `PkiRootDeletion`
  confirmation, cluster config, auto-tidy config, revoke-with-key,
  sign-verbatim behind operator gates, current-doc field expansion for PKI
  role/generation/CRL/tidy structs, revocation/CRL management, CEL roles,
  named-issuer sign-intermediate, delta CRL rotation, and operator-gated
  sign-self-issued/cross-sign rows are implemented.
  Unauthenticated public CA/certificate/CRL reads and OCSP responder endpoints
  are external protocol/public-distribution boundaries. Full ACME
  account/order/authorization/challenge client flows are permanently external:
  use the typed ACME config, EAB, and directory URL helpers to hand off to a
  dedicated ACME client.

  OCSP and public CA/CRL/certificate distribution endpoints are intentionally
  left to OCSP/TLS clients, CRL checkers, or external HTTP tooling. They do not
  need OpenBao token handling and should not force binary protocol dependencies
  into this SDK.
- `0.5.0`: database connection config/list/read/delete/reset, root rotation,
  dynamic role list/write/read/delete, dynamic credentials, static role
  list/write/read/delete, static credentials, and static role rotation are
  implemented.
- `0.6.0`: TOTP key create/read/list/delete, code generation, and code
  validation are implemented. SSH role management, zero-address roles, IP role
  lookup, OTP credential issue, default issuer config, issuer
  list/submit/read/update/delete, authenticated CA public-key metadata, CA
  sign/issue, and OTP verification are implemented. Raw unauthenticated
  text/plain SSH public-key reads are intentionally not typed.
- `0.7.0`: Cubbyhole read/write/delete/list is implemented. Kubernetes secrets
  engine config, roles, role listing, deletion, and credential generation are
  implemented. RabbitMQ connection config, lease config, role
  write/read/list/delete, and generated credential helpers are implemented.
  Identity entity, group, entity-alias, and group-alias lifecycle helpers are
  implemented. Entity/group lookup and entity merge helpers are implemented in
  `0.8.0`. Identity OIDC token backend config, signing key CRUD/rotate, role
  CRUD/list, signed token generation, token introspection, discovery metadata,
  and default JWKS reads are implemented in `0.10.0`. Identity OIDC provider,
  scope, client, assignment, named-provider discovery, and named-provider JWKS
  helpers are implemented in `0.10.0`. MFA method management, MFA TOTP
  generation/admin actions, and MFA login enforcement helpers are implemented
  in `0.10.0`; named-provider OIDC browser protocol flows remain external. LDAP
  config, root rotation, static roles/credentials, dynamic roles/credentials,
  and library check-out/check-in helpers are implemented.

## System Backend

The official `2.5.x` system backend includes many endpoints under `/sys`,
including audit, auth mounts, capabilities, config, health, init, leader,
leases, loggers, metrics, mounts, namespaces, plugins, policies, quotas, raw,
rekey, remount, rotate, seal, storage, tools, unseal, locked users, version
history, and response wrapping.

Support plan:

- `0.1.0`: health and seal status.
- `0.2.0`: mounts, auth mounts, response wrapping, policies, and capabilities.
- `0.3.0`: audit device list/enable/disable/hash, exact lease
  lookup/renew/revoke, plugin catalog list/type-list/register/read/delete,
  mounted plugin backend reload, init status, and loopback-only dev bootstrap
  are implemented.
- `0.8.0`: token role write/read/list/delete, token tidy, and revoke-orphan are
  implemented.
- `0.9.0`: token create-orphan and accessor renewal helpers are implemented,
  completing the typed token endpoint matrix except for the documented
  lookup-self GET/POST compatibility partial.
- `0.10.0`: `sys/mfa/validate` is implemented as the typed second step for
  MFA-enforced login flows, with passcodes, returned client tokens, and
  accessors handled as secret material.
- `0.8.0`: capability responses now include typed borrowed views and common
  access-check helpers while preserving the raw string lists.
- `0.6.0`: idempotent admin bootstrap builder is implemented for KV v2 mounts,
  Transit mounts, Transit keys, ACL policies, KV v2 string secret values, and
  explicit scoped service-token issuance.
- `0.7.0`: admin bootstrap now supports auth method enablement, AppRole role
  convergence, and explicit AppRole SecretID issuance.
- `0.8.0`: admin bootstrap read-only preview is implemented for existing
  bootstrap operations, including explicit `WouldIssue` reporting for
  credential issuance steps.
- `0.6.0`: production init, unseal, seal, legacy rekey, OpenBao key-share
  rotation, and keyring rotation are implemented only behind explicit
  `operator-ops` plus `operator-ops-acknowledged` feature gates.
- `0.8.0`: leader status, HA status, key status, OpenAPI discovery, internal
  UI namespace/mount discovery, JSON metrics, host diagnostics, sanitized
  config state, audited request-header configuration, CORS configuration,
  runtime logger read/set/reset, installed version history, namespace
  management, rate-limit quota management, remount/mount-migration
  start/status, operator-gated active-node step-down, system random/hash tools,
  Prometheus metrics text output, and locked-user list/filter/unlock helpers are
  implemented. Integrated Storage Raft join/configuration/peer
  mutation/bootstrap helpers, capped snapshot download/restore helpers, and
  Autopilot JSON helpers are implemented; Raft join inputs require HTTPS leader
  addresses and HTTPS auto-join schemes. Raw storage read/write/list/delete
  helpers and pprof diagnostic byte helpers are implemented behind explicit
  operator-operation feature gates. Lease prefix revoke, force prefix revoke,
  lease count, lease tidy, and `RenewalHint` timing helpers are implemented.
  CORS wildcard origins are rejected locally. Password policies, resultant ACL,
  operator-gated generate-root/recovery-token, decode-token, legacy
  recovery-key rekey, and typed operator-gated in-flight request inspection are
  implemented in `0.14.0`. System config UI, streaming monitor, internal router
  inspection, internal counters, and internal request inspection are rejected
  for stable scope.

## Ergonomics And Capability Roadmap

Started in `0.9.0`:

- API stability audit checklist in `docs/API_STABILITY_AUDIT.md`.
- Migration guide from earlier `openbao` releases, `vaultrs`, and bespoke
  `reqwest` wrappers in `docs/MIGRATION_GUIDE.md`.

Implemented in `0.8.0`:

- `Error::is_rate_limited`, `Error::is_temporary`, and
  `Error::is_permission_denied` helpers.
- Runtime-neutral `Sys::wait_ready_with_delay` for startup and integration
  tests.
- Runtime-neutral `Sys::wait_until_unsealed_with_delay` plus
  `tokio-helpers`-gated `Sys::wait_until_unsealed` for bounded startup and
  recovery polling.
- `Client::wrapping`, `WrappingContext`, and `WrappedResponse<T>` for typed
  response-wrapped JSON requests and typed unwrap of the original response
  shape.
- ACL policy-builder wrapping TTL constraints and helper variants for policies
  that require response wrapping.
- Selective AdminBootstrap convergence for PKI, database, and SSH mounts,
  database dynamic/static roles, and SSH roles.
- KV v2 historical reads were already covered by `read_version` and
  `read_data_version`.

Finalization work completed before `1.0.0`:

- explicit opt-in retry policy with exponential backoff and bounded jitter is
  implemented through `RetryPolicy`, `RetryableMethod`, and
  `Client::request_json_with_retry`;
- shared non-secret paginated-list abstraction is implemented in `0.9.0`
  through `ListPageOptions`;
- admin bootstrap convergence for PKI roles and Identity entities/groups is
  implemented in `0.9.0`;
- representative serde response fixtures are added in `0.9.0`;
- fuzz target scaffolding for path validation, error decoding, and response
  envelopes is added in `0.9.0`;
- reject background token auto-renewal, background lease tracking, and
  `LeaseHandle` wrappers for stable scope; use `RenewalHint` for caller-owned
  renewal timing;
- keep the optional `tracing` feature as the stable observability boundary,
  reject OpenTelemetry SDK dependencies and custom request hooks for stable
  scope, defer W3C `traceparent` propagation, add non-default `http2` support
  without a runtime transport knob, and reject HTTP/3 for stable scope;
- reject ongoing request-level seal back-pressure as application
  retry-middleware policy;
- reject per-engine wrapped response method duplication; callers use
  `Client::wrapping` for generic typed JSON response wrapping;
- reject PKI CA setup, database connection config, SSH CA setup, and KV v1
  convergence in the bootstrap layer;
- reject ACL parameter-constraint generation because safe output requires a
  full HCL value serializer;
- reject leaf certificate and SPKI pinning for stable scope; use root-only
  trust with an internal OpenBao CA or self-signed OpenBao certificate instead;
- use `0.10.0` through `0.14.0` for Identity/auth, Transit, PKI, and System
  endpoint-family completion;
- used `0.15.0` as the endpoint-closure release where no matrix row could
  remain `decision`.

## OpenBao-Specific Notes

The official `2.5.x` HTTP API documentation states:

- all API routes are prefixed with `/v1`;
- TLS with certificate verification is expected;
- tokens are documented through `X-Vault-Token` or `Authorization: Bearer`;
- `X-Vault-Request: true` is set by the official SDK and CLI;
- path parameters must not end in periods;
- applications should accept both `200` and `204` where applicable;
- KV v2 patch operations use `application/merge-patch+json`;
- errors commonly use `{"errors": [...]}` for status codes `>= 400`.

The crate follows those documented behaviors by default.
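The following is an added illustration of those documented conventions in dependency-free Rust; it is not the crate's own code, and the function names, the sample base URL, and the `X-Vault-Namespace` header (the namespace header OpenBao inherits from Vault, not named on this page) are assumptions.

```rust
// Added illustration (not the openbao crate's API; names are hypothetical)
// of the documented OpenBao HTTP conventions: `/v1` prefix, token and
// request headers, the no-trailing-period path rule, merge-patch for KV v2
// patch, 200/204 success handling, and the `{"errors": [...]}` envelope.

#[derive(Debug, PartialEq)]
pub enum PathError { Empty, TrailingPeriod(String), BadSegment(String) }

/// Reject paths the documented rules would not accept: empty paths, `.`/`..`
/// segments, empty segments, and any segment ending in a period.
pub fn validate_path(path: &str) -> Result<(), PathError> {
    let p = path.trim_matches('/');
    if p.is_empty() { return Err(PathError::Empty); }
    for seg in p.split('/') {
        if seg.is_empty() || seg == "." || seg == ".." {
            return Err(PathError::BadSegment(seg.to_string()));
        }
        if seg.ends_with('.') { return Err(PathError::TrailingPeriod(seg.to_string())); }
    }
    Ok(())
}

/// Build method, URL, and headers for an authenticated call. A `PATCH` gets
/// the KV v2 merge-patch content type; `ns` sets the namespace header.
pub fn build_request(base: &str, method: &str, path: &str, token: &str, ns: Option<&str>)
    -> Result<(String, String, Vec<(String, String)>), PathError>
{
    validate_path(path)?;
    let url = format!("{}/v1/{}", base.trim_end_matches('/'), path.trim_matches('/'));
    let mut headers = vec![
        ("X-Vault-Token".to_string(), token.to_string()),
        ("X-Vault-Request".to_string(), "true".to_string()),
    ];
    if let Some(n) = ns { headers.push(("X-Vault-Namespace".to_string(), n.to_string())); }
    if method == "PATCH" {
        headers.push(("Content-Type".to_string(), "application/merge-patch+json".to_string()));
    }
    Ok((method.to_string(), url, headers))
}

#[derive(Debug, PartialEq)]
pub enum Outcome { Ok, NoContent, ApiErrors(Vec<String>), Unexpected(u16) }

/// Accept both 200 and 204 as success; for >= 400 pull the messages out of
/// the `{"errors": [...]}` envelope with a minimal scanner (unescaped
/// messages only, so no JSON crate is needed here).
pub fn classify(status: u16, body: &str) -> Outcome {
    match status {
        200 => Outcome::Ok,
        204 => Outcome::NoContent,
        s if s >= 400 => Outcome::ApiErrors(extract_errors(body)),
        s => Outcome::Unexpected(s),
    }
}

fn extract_errors(body: &str) -> Vec<String> {
    fn inner(body: &str) -> Option<Vec<String>> {
        let rest = &body[body.find("\"errors\"")? + 8..];
        let open = rest.find('[')?;
        let close = rest[open..].find(']')?;
        Some(rest[open + 1..open + close].split('"').skip(1).step_by(2).map(str::to_string).collect())
    }
    inner(body).unwrap_or_default()
}
```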