---
layout: "http"
page_title: "HTTP API: /sys/rekey/"
sidebar_current: "docs-http-rotate-rekey"
description: |-
The `/sys/rekey/` endpoints are used to rekey the unseal keys for Vault.
---
# /sys/rekey/init
## GET
- Description
-
Reads the configuration and progress of the current rekey attempt.
- Method
- GET
- URL
- `/sys/rekey/init`
- Parameters
-
None
- Returns
-
If a rekey is started, then "n" is the new shares to generate and "t" is
the threshold required for the new shares. The "progress" is how many unseal
keys have been provided for this rekey, where "required" must be reached to
complete.
```javascript
{
"started": true,
"t": 3,
"n": 5,
"progress": 1,
"required": 3
}
```
## PUT
- Description
-
Initializes a new rekey attempt. Only a single rekey attempt can take place
at a time, and changing the parameters of a rekey requires canceling and starting
a new rekey.
- Method
- PUT
- URL
- `/sys/rekey/init`
- Parameters
-
-
secret_shares
required
The number of shares to split the master key into.
-
secret_threshold
required
The number of shares required to reconstruct the master key.
This must be less than or equal to
secret_shares.
- Returns
- `204` response code.
## DELETE
- Description
-
Cancels any in-progress rekey. This clears the rekey settings as well as any
progress made. This must be called to change the parameters of the rekey.
- Method
- DELETE
- URL
- `/sys/rekey/init`
- Parameters
- None
- Returns
- `204` response code.
# /sys/rekey/update
## PUT
- Description
-
Enter a single master key share to progress the rekey of the Vault.
If the threshold number of master key shares is reached, Vault
will complete the rekey. Otherwise, this API must be called multiple
times until that threshold is met.
- Method
- PUT
- URL
- `/sys/rekey/update`
- Parameters
-
-
key
required
A single master share key.
- Returns
-
A JSON-encoded object indicating completion and if so with the new master keys:
```javascript
{
"complete": true,
"keys": ["one", "two", "three"]
}
```