--- layout: api page_title: SCEP - Auth Methods - HTTP API description: |- This is the API documentation for the Vault SCEP authentication method. --- > [!IMPORTANT] > **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website. # SCEP auth method (API) Use the SCEP authentication plugin API to interact with a mounted plugin instance. For general information about the usage and operation of the SCEP method, refer to the [Vault SCEP method documentation](/vault/docs/auth/scep). ## Create SCEP role Creates or updates a named SCEP role. | Method | Path | |:-------|:------------------------| | `POST` | `/auth/{mount_path}/role/:name` | ### Parameters - `name` `(string: )` - The name of the SCEP role. - `display_name` `(string: "")` - The `display_name` value for tokens issued when authenticating against the role. Defaults to `name`. - `auth_type` `(enum: )` - Required authentication type for the SCEP role. Must be one of: `static-challenge`, `intune`. - `challenge` `(string: "")` - The authentication challenge to use when `auth_type` is `static-challenge`. @include 'tokenfields.mdx' ### Sample payload ```json { "auth_type": "static-challenge", "challenge": "super-secret-challenge", "display_name": "test", "token_policies": ["access-scep"], "token_type": "batch" } ``` ### Sample request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request POST \ --data @payload.json http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1 ``` ### Sample response ```json { "request_id": "c22d68ec-ac3d-ea24-d5d0-efe07dcc0ef6", "lease_id": "", "renewable": false, "lease_duration": 0, "data": { "auth_type": "static-challenge", "display_name": "test", "name": "static-challenge-1", "token_bound_cidrs": [], "token_explicit_max_ttl": 0, "token_max_ttl": 0, "token_no_default_policy": false, "token_num_uses": 0, "token_period": 0, "token_policies": [ "access-scep" ], "token_ttl": 0, "token_type": "batch" }, "wrap_info": null, "warnings": null, "auth": null, "mount_type": "scep" } ``` ## Read SCEP role Get information associated with the named role. | Method | Path | |:-------|:------------------------| | `GET` | `/auth/{mount_path}/role/:name` | ### Parameters - `name` `(string: )` - The name of the SCEP role. ### Sample request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1 ``` ### Sample response ```json { "request_id": "07c9bfcc-ee30-6ba9-fce8-07bae5033989", "lease_id": "", "renewable": false, "lease_duration": 0, "data": { "auth_type": "static-challenge", "display_name": "static-challenge-1", "name": "static-challenge-1", "token_bound_cidrs": [], "token_explicit_max_ttl": 0, "token_max_ttl": 0, "token_no_default_policy": false, "token_num_uses": 0, "token_period": 0, "token_policies": [ "access-scep" ], "token_ttl": 0, "token_type": "batch" }, "wrap_info": null, "warnings": null, "auth": null, "mount_type": "scep" } ``` ## List SCEP roles List all currently configured SCEP role names. | Method | Path | | :----- | :----------------- | | `LIST` | `/auth/{mount_path}/role` | ### Sample request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request LIST \ http://127.0.0.1:8200/v1/auth/scep/role ``` ### Sample response ```json { "auth": null, "warnings": null, "wrap_info": null, "data": { "keys": ["static-challenge-1", "intune-1"] }, "lease_duration": 0, "renewable": false, "lease_id": "" } ``` ## Delete SCEP role Delete the named role. | Method | Path | |:---------|:------------------------| | `DELETE` | `/auth/{mount_path}/role/:name` | ### Parameters - `name` `(string: )` - The name of the SCEP role. ### Sample request ```shell-session $ curl \ --header "X-Vault-Token: ..." \ --request DELETE \ http://127.0.0.1:8200/v1/auth/scep/role/static-challenge-1 ``` ## Login SCEP authentication endpoint for delegated authentication from a PKI mount. | Method | Path | |:-------|:-------------------| | `POST` | `/auth/{mount_path}/login` | ### Parameters - `name` `(string: "")` - The SCEP role associated with the PKI mount. Leaving `name` unset tells Vault to try all SCEP roles and return the first one that matches.