docs: Migrate link formats (#18696)

* Adding check-legacy-links-format workflow

* Adding test-link-rewrites workflow

* Updating docs-content-check-legacy-links-format hash

* Migrating links to new format

Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com>

.github/workflows/check-legacy-links-format.yml

@@ -0,0 +1,17 @@
+name: Legacy Link Format Checker
+
+on:
+  push:
+    paths:
+      - "website/content/**/*.mdx"
+      - "website/data/*-nav-data.json"
+
+jobs:
+  check-links:
+    uses: hashicorp/dev-portal/.github/workflows/docs-content-check-legacy-links-format.yml@475289345d312552b745224b46895f51cc5fc490
+    with:
+      repo-owner: "hashicorp"
+      repo-name: "vault"
+      commit-sha: ${{ github.sha }}
+      mdx-directory: "website/content"
+      nav-data-directory: "website/data"

.github/workflows/test-link-rewrites.yml

@@ -0,0 +1,16 @@
+name: Test Link Rewrites
+
+on: [deployment_status]
+
+jobs:
+  test-link-rewrites:
+    if: github.event.deployment_status.state == 'success'
+    uses: hashicorp/dev-portal/.github/workflows/docs-content-link-rewrites-e2e.yml@2aceb60125f6c15f4c8dbe2e4d79148047bfa437
+    with:
+      repo-owner: "hashicorp"
+      repo-name: "vault"
+      commit-sha: ${{ github.sha }}
+      main-branch-preview-url: "https://vault-git-main-hashicorp.vercel.app/"
+      # Workflow is only intended to run for one single migration PR
+      # This variable does not need to be updated
+      pr-branch-preview-url: "https://vault-git-docs-ambmigrate-link-formats-hashicorp.vercel.app/"

website/content/api-docs/auth/alicloud.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault AliCloud auth method.
 
 This is the API documentation for the Vault AliCloud auth method. For
 general information about the usage and operation of the AliCloud method, please
-see the [Vault AliCloud auth method documentation](/docs/auth/alicloud).
+see the [Vault AliCloud auth method documentation](/vault/docs/auth/alicloud).
 
 This documentation assumes the AliCloud auth method is mounted at the `/auth/alicloud`
 path in Vault. Since it is possible to enable auth methods at any location,

website/content/api-docs/auth/app-id.mdx

@@ -11,7 +11,7 @@ Please use AppRole instead.
 
 This is the API documentation for the Vault App ID auth method. For
 general information about the usage and operation of the App ID method, please
-see the [Vault App ID method documentation](/docs/auth/app-id).
+see the [Vault App ID method documentation](/vault/docs/auth/app-id).
 
 This documentation assumes the App ID method is mounted at the `/auth/app-id`
 path in Vault. Since it is possible to enable auth methods at any location,

website/content/api-docs/auth/approle.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault AppRole auth method.
 
 This is the API documentation for the Vault AppRole auth method. For
 general information about the usage and operation of the AppRole method, please
-see the [Vault AppRole method documentation](/docs/auth/approle).
+see the [Vault AppRole method documentation](/vault/docs/auth/approle).
 
 This documentation assumes the AppRole method is mounted at the `/auth/approle`
 path in Vault. Since it is possible to enable auth methods at any location,

website/content/api-docs/auth/aws.mdx

@@ -12,7 +12,7 @@ description: This is the API documentation for the Vault AWS auth method.
 
 This is the API documentation for the Vault AWS auth method. For
 general information about the usage and operation of the AWS method, please
-see the [Vault AWS method documentation](/docs/auth/aws).
+see the [Vault AWS method documentation](/vault/docs/auth/aws).
 
 This documentation assumes the AWS method is mounted at the `/auth/aws`
 path in Vault. Since it is possible to enable auth methods at any location,
@@ -188,7 +188,7 @@ The new access key Vault uses is returned by this operation.
 ## Configure Identity Integration
 
 This configures the way that Vault interacts with the
-[Identity](/docs/secrets/identity) store. The default (as of Vault
+[Identity](/vault/docs/secrets/identity) store. The default (as of Vault
 1.0.3) is `role_id` for both values.
 
 | Method | Path                        |

website/content/api-docs/auth/azure.mdx

@@ -10,7 +10,7 @@ description: |-
 
 This is the API documentation for the Vault Azure auth method
 plugin. To learn more about the usage and operation, see the
-[Vault Azure method documentation](/docs/auth/azure).
+[Vault Azure method documentation](/vault/docs/auth/azure).
 
 This documentation assumes the plugin method is mounted at the
 `/auth/azure` path in Vault. Since it is possible to enable auth methods
@@ -31,7 +31,7 @@ virtual machine.
 - `tenant_id` `(string: <required>)` - The tenant id for the Azure Active Directory organization.
   This value can also be provided with the `AZURE_TENANT_ID` environment variable.
 - `resource` `(string: <required>)` - The resource URL for the application registered in Azure Active Directory.
-  The value is expected to match the audience (`aud` claim) of the [JWT](/api-docs/auth/azure#jwt)
+  The value is expected to match the audience (`aud` claim) of the [JWT](/vault/api-docs/auth/azure#jwt)
   provided to the login API. See the [resource](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http)
   parameter for how the audience is set when requesting a JWT access token from the Azure Instance Metadata Service (IMDS) endpoint.
   This value can also be provided with the `AZURE_AD_RESOURCE` environment variable.

website/content/api-docs/auth/cert.mdx

@@ -12,7 +12,7 @@ description: |-
 
 This is the API documentation for the Vault TLS Certificate authentication
 method. For general information about the usage and operation of the TLS
-Certificate method, please see the [Vault TLS Certificate method documentation](/docs/auth/cert).
+Certificate method, please see the [Vault TLS Certificate method documentation](/vault/docs/auth/cert).
 
 This documentation assumes the TLS Certificate method is mounted at the
 `/auth/cert` path in Vault. Since it is possible to enable auth methods at any

website/content/api-docs/auth/cf.mdx

@@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Cloud Foundry auth meth
 
 This is the API documentation for the Vault CF auth method. For
 general information about the usage and operation of the CF method, please
-see the [Vault CF method documentation](/docs/auth/cf).
+see the [Vault CF method documentation](/vault/docs/auth/cf).
 
 This documentation assumes the CF method is mounted at the `/auth/cf`
 path in Vault. Since it is possible to enable auth methods at any location,
@@ -21,7 +21,7 @@ please update your API calls accordingly.
 Configure the root CA certificate to be used for verifying instance identity
 certificates, and configure access to the CF API. For detailed instructions
 on how to obtain these values, please see the [Vault CF method
-documentation](/docs/auth/cf).
+documentation](/vault/docs/auth/cf).
 
 | Method | Path              |
 | :----- | ----------------- |

website/content/api-docs/auth/gcp.mdx

@@ -10,7 +10,7 @@ description: |-
 
 This is the API documentation for the Vault Google Cloud auth method. To learn
 more about the usage and operation, see the
-[Vault Google Cloud method documentation](/docs/auth/gcp).
+[Vault Google Cloud method documentation](/vault/docs/auth/gcp).
 
 This documentation assumes the plugin method is mounted at the
 `/auth/gcp` path in Vault. Since it is possible to enable auth methods
@@ -31,7 +31,7 @@ to confirm signed JWTs passed in during login.
 
 - `credentials` `(string: "")` - A JSON string containing the contents of a GCP
   service account credentials file. The service account associated with the credentials
-  file must have the following [permissions](/docs/auth/gcp#required-gcp-permissions).
+  file must have the following [permissions](/vault/docs/auth/gcp#required-gcp-permissions).
   If this value is empty, Vault will try to use [Application Default Credentials][gcp-adc]
   from the machine on which the Vault server is running.
 

website/content/api-docs/auth/github.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault GitHub auth method.
 
 This is the API documentation for the Vault GitHub auth method. For
 general information about the usage and operation of the GitHub method, please
-see the [Vault GitHub method documentation](/docs/auth/github).
+see the [Vault GitHub method documentation](/vault/docs/auth/github).
 
 This documentation assumes the GitHub method is enabled at the `/auth/github`
 path in Vault. Since it is possible to enable auth methods at any location,

website/content/api-docs/auth/jwt.mdx

@@ -12,7 +12,7 @@ description: |-
 
 This is the API documentation for the Vault JWT/OIDC auth method
 plugin. To learn more about the usage and operation, see the
-[Vault JWT/OIDC method documentation](/docs/auth/jwt).
+[Vault JWT/OIDC method documentation](/vault/docs/auth/jwt).
 
 This documentation assumes the plugin method is mounted at the
 `/auth/jwt` path in Vault. Since it is possible to enable auth methods
@@ -43,7 +43,7 @@ set.
 - `bound_issuer` `(string: <optional>)` - The value against which to match the `iss` claim in a JWT.
 - `jwt_supported_algs` `(comma-separated string, or array of strings: <optional>)` - A list of supported signing algorithms. Defaults to [RS256] for OIDC roles. Defaults to all [available algorithms](https://github.com/hashicorp/cap/blob/main/jwt/algs.go) for JWT roles.
 - `default_role` `(string: <optional>)` - The default role to use if none is provided during login.
-- `provider_config` `(map: <optional>)` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth. The options are described in each provider's section in [OIDC Provider Setup](/docs/auth/jwt/oidc-providers).
+- `provider_config` `(map: <optional>)` - Configuration options for provider-specific handling. Providers with specific handling include: Azure, Google, SecureAuth. The options are described in each provider's section in [OIDC Provider Setup](/vault/docs/auth/jwt/oidc-providers).
 - `namespace_in_state` `(bool: true)` - Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs.
 
 ### Sample Payload
@@ -117,7 +117,7 @@ entities attempting to login. At least one of the bound values must be set.
   the user; this will be used as the name for the Identity entity alias created
   due to a successful login. The claim value must be a string.
 - `user_claim_json_pointer` `(bool: false)` - Specifies if the `user_claim` value uses
-  [JSON pointer](/docs/auth/jwt#claim-specifications-and-json-pointer) syntax for
+  [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer) syntax for
   referencing claims. By default, the `user_claim` value will not use JSON pointer.
 - `clock_skew_leeway` `(int or string: <optional>)` - The amount of leeway to add to all claims to
   account for clock skew, in seconds. Defaults to `60` seconds if set to `0` and can be disabled
@@ -135,7 +135,7 @@ entities attempting to login. At least one of the bound values must be set.
   claim matches this value.
 - `bound_claims` `(map: <optional>)` - If set, a map of claims (keys) to match against respective claim values (values).
   The expected value may be a single string or a list of strings. The interpretation of the bound
-  claim values is configured with `bound_claims_type`. Keys support [JSON pointer](/docs/auth/jwt#claim-specifications-and-json-pointer)
+  claim values is configured with `bound_claims_type`. Keys support [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer)
   syntax for referencing claims.
 - `bound_claims_type` `(string: "string")` - Configures the interpretation of the bound_claims values.
   If `"string"` (the default), the values will treated as string literals and must match exactly.
@@ -144,10 +144,10 @@ entities attempting to login. At least one of the bound values must be set.
 - `groups_claim` `(string: <optional>)` - The claim to use to uniquely identify
   the set of groups to which the user belongs; this will be used as the names
   for the Identity group aliases created due to a successful login. The claim
-  value must be a list of strings. Supports [JSON pointer](/docs/auth/jwt#claim-specifications-and-json-pointer)
+  value must be a list of strings. Supports [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer)
   syntax for referencing claims.
 - `claim_mappings` `(map: <optional>)` - If set, a map of claims (keys) to be copied to
-  specified metadata fields (values). Keys support [JSON pointer](/docs/auth/jwt#claim-specifications-and-json-pointer)
+  specified metadata fields (values). Keys support [JSON pointer](/vault/docs/auth/jwt#claim-specifications-and-json-pointer)
   syntax for referencing claims.
 - `oidc_scopes` `(list: <optional>)` - If set, a list of OIDC scopes to be used with an OIDC role.
   The standard scope "openid" is automatically included and need not be specified.
@@ -306,10 +306,10 @@ Obtain an authorization URL from Vault to start an OIDC login flow.
 - `redirect_uri` `(string: <required>)` - Path to the callback to complete the login. This will be
   of the form, "https&#x3A;//.../oidc/callback" where the leading portion is dependent on your Vault
   server location, port, and the mount of the JWT plugin. This must be configured with Vault and the
-  provider. See [Redirect URIs](/docs/auth/jwt#redirect-uris) for more information.
+  provider. See [Redirect URIs](/vault/docs/auth/jwt#redirect-uris) for more information.
 - `client_nonce` `(string: <optional>)` - Optional client-provided nonce that
   must match the `client_nonce` value provided during a subsequent request to the
-  [callback](/api-docs/auth/jwt#oidc-callback) API.
+  [callback](/vault/api-docs/auth/jwt#oidc-callback) API.
 
 ### Sample Payload
 
@@ -360,7 +360,7 @@ against any bound claims, and if valid a Vault token will be returned.
   an ID token.
 - `client_nonce` `(string: <optional>)` - Optional client-provided nonce that must
   match the `client_nonce` value provided during the prior request to the
-  [auth_url](/api-docs/auth/jwt#oidc-authorization-url-request) API.
+  [auth_url](/vault/api-docs/auth/jwt#oidc-authorization-url-request) API.
 
 ### Sample Request
 

website/content/api-docs/auth/kerberos.mdx

@@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Kerberos auth method pl
 
 This is the API documentation for the Vault Kerberos auth method plugin. To
 learn more about the usage and operation, see the
-[Vault Kerberos auth method](/docs/auth/kerberos).
+[Vault Kerberos auth method](/vault/docs/auth/kerberos).
 
 This documentation assumes the Kerberos auth method is mounted at the
 `auth/kerberos` path in Vault. Since it is possible to enable auth methods at

website/content/api-docs/auth/kubernetes.mdx

@@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Kubernetes auth method
 
 This is the API documentation for the Vault Kubernetes auth method plugin. To
 learn more about the usage and operation, see the
-[Vault Kubernetes auth method](/docs/auth/kubernetes).
+[Vault Kubernetes auth method](/vault/docs/auth/kubernetes).
 
 This documentation assumes the Kubernetes method is mounted at the
 `/auth/kubernetes` path in Vault. Since it is possible to enable auth methods at
@@ -50,7 +50,7 @@ access the Kubernetes API.
 - `disable_iss_validation` `(bool: true)` **Deprecated** Disable JWT issuer validation. Allows to skip ISS validation.
 
 - `issuer` `(string: "")` **Deprecated** Optional JWT issuer. If no issuer is specified, then this plugin will use `kubernetes/serviceaccount` as the default issuer.
-See [these instructions](/docs/auth/kubernetes#discovering-the-service-account-issuer) for looking up the issuer for a given Kubernetes cluster.
+See [these instructions](/vault/docs/auth/kubernetes#discovering-the-service-account-issuer) for looking up the issuer for a given Kubernetes cluster.
 
 ### Caveats
 
@@ -138,7 +138,7 @@ entities attempting to login.
   While it is strongly advised that you use `serviceaccount_uid`, you may also use `serviceaccount_name` in cases where
   you want to set the alias ahead of time, and the risks are mitigated or otherwise acceptable given your use case.
   It is very important to limit who is able to delete/create service accounts within a given cluster.
-  See the [Create an Entity Alias](/api-docs/secret/identity/entity-alias#create-an-entity-alias) document
+  See the [Create an Entity Alias](/vault/api-docs/secret/identity/entity-alias#create-an-entity-alias) document
   which further expands on the potential security implications mentioned above.
 
 @include 'tokenfields.mdx'

website/content/api-docs/auth/ldap.mdx

@@ -10,7 +10,7 @@ description: This is the API documentation for the Vault LDAP auth method.
 
 This is the API documentation for the Vault LDAP auth method. For
 general information about the usage and operation of the LDAP method, please
-see the [Vault LDAP method documentation](/docs/auth/ldap).
+see the [Vault LDAP method documentation](/vault/docs/auth/ldap).
 
 This documentation assumes the LDAP method is mounted at the `/auth/ldap`
 path in Vault. Since it is possible to enable auth methods at any location,

website/content/api-docs/auth/oci.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault OCI auth method plugin.
 
 This is the API documentation for the Vault OCI auth method plugin. To
 learn more about the usage and operation, see the
-[Vault OCI auth method](/docs/auth/oci).
+[Vault OCI auth method](/vault/docs/auth/oci).
 
 This documentation assumes the OCI method is mounted at the
 `/auth/oci` path in Vault. Since it is possible to enable auth methods at

website/content/api-docs/auth/okta.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault Okta auth method.
 
 This is the API documentation for the Vault Okta auth method. For
 general information about the usage and operation of the Okta method, please
-see the [Vault Okta method documentation](/docs/auth/okta).
+see the [Vault Okta method documentation](/vault/docs/auth/okta).
 
 This documentation assumes the Okta method is mounted at the `/auth/okta`
 path in Vault. Since it is possible to enable auth methods at any location,

website/content/api-docs/auth/radius.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault RADIUS auth method.
 
 This is the API documentation for the Vault RADIUS auth method. For
 general information about the usage and operation of the RADIUS method, please
-see the [Vault RADIUS method documentation](/docs/auth/radius).
+see the [Vault RADIUS method documentation](/vault/docs/auth/radius).
 
 This documentation assumes the RADIUS method is mounted at the `/auth/radius`
 path in Vault. Since it is possible to enable auth methods at any location,

website/content/api-docs/auth/token.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault token auth method.
 
 This is the API documentation for the Vault token auth method. For
 general information about the usage and operation of the token method, please
-see the [Vault Token method documentation](/docs/auth/token).
+see the [Vault Token method documentation](/vault/docs/auth/token).
 
 ## List Accessors
 
@@ -88,7 +88,7 @@ during this call.
 - `lease` `(string: "")` - DEPRECATED; use `ttl` instead
 - `ttl` `(string: "")` - The TTL period of the token, provided as "1h", where
   hour is the largest suffix. If not provided, the token is valid for the
-  [default lease TTL](/docs/configuration), or indefinitely if the
+  [default lease TTL](/vault/docs/configuration), or indefinitely if the
   root policy is used.
 - `type` `(string: "")` - The token type. Can be "batch" or "service". Defaults
   to the type specified by the role configuration named by `role_name`.
@@ -800,7 +800,7 @@ be cached. Listing the `/auth/token/accessors` endpoint is a good way to get
 some sense of the potential impact: tidy does this and more, so if this call creates problems
 for your cluster, it would be wise to give Vault more resources before attempting
 tidy. Note that the request may time out depending on
-[max duration](https://www.vaultproject.io/docs/configuration#default_max_request_duration)
+[max duration](/vault/docs/configuration#default_max_request_duration)
 and your client's timeout configuration, make sure to allow it run to completion
 to properly judge the impact.
 

website/content/api-docs/auth/userpass.mdx

@@ -10,7 +10,7 @@ description: |-
 
 This is the API documentation for the Vault Username & Password auth method. For
 general information about the usage and operation of the Username and Password method, please
-see the [Vault Userpass method documentation](/docs/auth/userpass).
+see the [Vault Userpass method documentation](/vault/docs/auth/userpass).
 
 This documentation assumes the Username & Password method is mounted at the `/auth/userpass`
 path in Vault. Since it is possible to enable auth methods at any location,

website/content/api-docs/index.mdx

@@ -36,7 +36,7 @@ either the `X-Vault-Token` HTTP Header or as `Authorization` HTTP Header using
 the `Bearer <token>` scheme.
 
 Otherwise, a client token can be retrieved using an [authentication
-engine](/docs/auth).
+engine](/vault/docs/auth).
 
 Each auth method has one or more unauthenticated login endpoints. These
 endpoints can be reached without any authentication, and are used for
@@ -54,7 +54,7 @@ in periods. Otherwise, Vault will return a 404 unsupported path error.
 
 ## Namespaces
 
-When using [Namespaces](/docs/enterprise/namespaces) the final path of the API 
+When using [Namespaces](/vault/docs/enterprise/namespaces) the final path of the API 
 request is relative to the `X-Vault-Namespace` header. For instance, if a 
 request URI is `secret/foo` with the `X-Vault-Namespace` header set as `ns1/ns2/`, 
 then the resulting request path to Vault will be `ns1/ns2/secret/foo`.
@@ -89,8 +89,8 @@ Typically the request data, body and response data to and from Vault is in JSON.
 Vault sets the `Content-Type` header appropriately with its response and does 
 not require it from the clients request.
 
-The demonstration below uses the [`KVv1` secrets engine](/api/secret/kv/kv-v1), which is a 
+The demonstration below uses the [`KVv1` secrets engine](/vault/api-docs/secret/kv/kv-v1), which is a 
-simple Key/Value store. Please read [the API documentation of KV secret engines](/api/secret/kv) 
+simple Key/Value store. Please read [the API documentation of KV secret engines](/vault/api-docs/secret/kv) 
 for details of `KVv1` compared to `KVv2` and how they differ in their URI paths 
 as well as the features available in version 2 of the KV secrets engine.
 
@@ -163,7 +163,7 @@ discover whether an operation is actually a create or update operation based on
 the data already stored within Vault. This makes permission management via ACLs
 more flexible.
 
-A [KVv2 example](api/secret/kv/kv-v2#sample-request-3) for the engine path of `secret` requires that URI is 
+A [KVv2 example](/vault/api-docs/secret/kv/kv-v2#sample-request-3) for the engine path of `secret` requires that URI is 
 appended with ***`data/`***  prior to the secret name (`baz`) such as:
 
 ```shell-session
@@ -204,7 +204,7 @@ methods, etc. then append `?help=1` to any URL. If you have valid permission to
 access the path, then the help text will be returned as a markdown-formatted block 
 in the `help` attribute of the response.
 
-Additionally, with the [OpenAPI generation](/api/system/internal-specs-openapi) in Vault, you will get back a small
+Additionally, with the [OpenAPI generation](/vault/api-docs/system/internal-specs-openapi) in Vault, you will get back a small
 OpenAPI document in the `openapi` attribute. This document is relevant for the 
 path you're looking up and any paths under it - also note paths in the OpenAPI 
 document are relative to the initial path queried.
@@ -297,7 +297,7 @@ warnings are generated during the operation.
 - `412` - Precondition failed.  Returned on Enterprise when a request can't be
   processed yet due to some missing eventually consistent data.  Should be retried,
   perhaps with a little backoff.
-  See [Vault Eventual Consistency](/docs/enterprise/consistency).
+  See [Vault Eventual Consistency](/vault/docs/enterprise/consistency).
 - `429` - Default return code for health status of standby nodes. This will
   likely change in the future.
 - `473` - Default return code for health status of performance standby nodes.
@@ -314,4 +314,4 @@ A maximum request size of 32MB is imposed to prevent a denial of service attack
 with arbitrarily large requests; this can be tuned per `listener` block in
 Vault's server configuration file.
 
-[agent]: /docs/agent#listener-stanza
+[agent]: /vault/docs/agent#listener-stanza

website/content/api-docs/libraries.mdx

@@ -11,7 +11,7 @@ description: >-
 The programming libraries listed on this page can be used to consume the API more conveniently.
 Some are officially maintained while others are provided by the community.
 
-For a step-by-step walkthrough on using these client libraries, see the [developer quickstart](https://www.vaultproject.io/docs/get-started/developer-qs).
+For a step-by-step walkthrough on using these client libraries, see the [developer quickstart](/vault/docs/get-started/developer-qs).
 For copy-pastable code examples, see the [vault-examples](https://github.com/hashicorp/vault-examples) repo.
 
 ## Official

website/content/api-docs/secret/ad.mdx

@@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Active Directory secret
 
 This is the API documentation for the Vault AD secrets engine. For general
 information about the usage and operation of the AD secrets engine, please see
-the [Vault Active Directory documentation](/docs/secrets/ad).
+the [Vault Active Directory documentation](/vault/docs/secrets/ad).
 
 This documentation assumes the AD secrets engine is enabled at the `/ad` path
 in Vault. Since it is possible to enable secrets engines at any location, please
@@ -26,7 +26,7 @@ The `config` endpoint configures the LDAP connection and binding parameters, as
   be rotated the next time it's requested.
 - `max_ttl` `(int: "")` - The maximum password time-to-live in seconds. No role will be allowed to set a
   custom ttl greater than the `max_ttl`.
-- `password_policy` `(string: "")` - Name of the [password policy](/docs/concepts/password-policies) to use to
+- `password_policy` `(string: "")` - Name of the [password policy](/vault/docs/concepts/password-policies) to use to
   generate passwords from. Mutually exclusive with `length` and `formatter`.
 
 **Deprecated parameters**:
@@ -257,10 +257,10 @@ The `library` endpoint configures the sets of service accounts that Vault will o
   service accounts must already exist in Active Directory.
 - `ttl` (duration: "24h", optional): The maximum amount of time a single check-out lasts before Vault
   automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 - `max_ttl` (duration: "24h", optional): The maximum amount of time a check-out last with renewal before Vault
   automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 - `disable_check_in_enforcement` (bool: false, optional): Disable enforcing that service accounts must be
   checked in by the entity or client token that checked them out. Defaults to false.
 
@@ -325,7 +325,7 @@ Returns a `200` if a credential is available, and a `400` if no credential is av
 - `ttl` (duration: "", optional): The maximum amount of time a check-out lasts before Vault
   automatically checks it back in. Setting it to zero reflects an unlimited lending period.
   Defaults to the set's `ttl`. If the requested `ttl` is higher than the set's, the set's will be used.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 | Method | Path                              |
 | :----- | :-------------------------------- |

website/content/api-docs/secret/alicloud.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault AliCloud secrets engine
 
 This is the API documentation for the Vault AliCloud secrets engine. For general
 information about the usage and operation of the AliCloud secrets engine, please see
-the [Vault AliCloud documentation](/docs/secrets/alicloud).
+the [Vault AliCloud documentation](/vault/docs/secrets/alicloud).
 
 This documentation assumes the AliCloud secrets engine is enabled at the `/alicloud` path
 in Vault. Since it is possible to enable secrets engines at any location, please
@@ -28,7 +28,7 @@ To use instance metadata, leave the static credential configuration unset.
 At present, this endpoint does not confirm that the provided AliCloud credentials are
 valid AliCloud credentials with proper permissions.
 
-Please see the [Vault AliCloud documentation](/docs/secrets/alicloud) for
+Please see the [Vault AliCloud documentation](/vault/docs/secrets/alicloud) for
 the policies that should be attached to the access key you provide.
 
 | Method | Path               |
@@ -77,7 +77,7 @@ The `role` endpoint configures how Vault will generate credentials for users of
 - `name` (string, required) – Specifies the name of the role to generate credentials against. This is part of the request URL.
 - `remote_policies` (string, optional) - The names and types of a pre-existing policies to be applied to the generate access token. Example: "name:AliyunOSSReadOnlyAccess,type:System".
 - `inline_policies` (string, optional) - The policy document JSON to be generated and attached to the access token.
-- `role_arn` (string, optional) - The ARN of a role that will be assumed to obtain STS credentials. See [Vault AliCloud documentation](/docs/secrets/alicloud) regarding trusted actors.
+- `role_arn` (string, optional) - The ARN of a role that will be assumed to obtain STS credentials. See [Vault AliCloud documentation](/vault/docs/secrets/alicloud) regarding trusted actors.
 - `ttl` (int, optional) - The duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fallback to the system/mount defaults.
 - `max_ttl` (int, optional) - The maximum allowed lifetime of tokens issued using this role.
 

website/content/api-docs/secret/aws.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault AWS secrets engine.
 
 This is the API documentation for the Vault AWS secrets engine. For general
 information about the usage and operation of the AWS secrets engine, please see
-the [Vault AWS documentation](/docs/secrets/aws).
+the [Vault AWS documentation](/vault/docs/secrets/aws).
 
 This documentation assumes the AWS secrets engine is enabled at the `/aws` path
 in Vault. Since it is possible to enable secrets engines at any location, please
@@ -58,7 +58,7 @@ valid AWS credentials with proper permissions.
 
 - `sts_endpoint` `(string: <optional>)` – Specifies a custom HTTP STS endpoint to use.
 
-- `username_template` `(string: <optional>)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string: <optional>)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated. The username template is used to generate both IAM usernames (capped at 64 characters)
   and STS usernames (capped at 32 characters). Longer usernames result in a 500 error.
 

website/content/api-docs/secret/azure.mdx

@@ -29,12 +29,12 @@ service principals. Environment variables will override any parameters set in th
 - `tenant_id` (`string: <required>`) - The tenant id for the Azure Active Directory.
   This value can also be provided with the AZURE_TENANT_ID environment variable.
 - `client_id` (`string:""`) - The OAuth2 client id to connect to Azure. This value can also be provided
-  with the AZURE_CLIENT_ID environment variable. See [authentication](/docs/secrets/azure#authentication) for more details.
+  with the AZURE_CLIENT_ID environment variable. See [authentication](/vault/docs/secrets/azure#authentication) for more details.
 - `client_secret` (`string:""`) - The OAuth2 client secret to connect to Azure. This value can also be
-  provided with the AZURE_CLIENT_SECRET environment variable. See [authentication](/docs/secrets/azure#authentication) for more details.
+  provided with the AZURE_CLIENT_SECRET environment variable. See [authentication](/vault/docs/secrets/azure#authentication) for more details.
 - `environment` (`string:""`) - The Azure environment. This value can also be provided with the AZURE_ENVIRONMENT
   environment variable. If not specified, Vault will use Azure Public Cloud.
-- `password_policy` `(string: "")` - Specifies a [password policy](/docs/concepts/password-policies) to
+- `password_policy` `(string: "")` - Specifies a [password policy](/vault/docs/concepts/password-policies) to
   use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.
 - `use_microsoft_graph_api` `(bool: true)` - Indicates whether the secrets engine should use the
   [Microsoft Graph API](https://docs.microsoft.com/en-us/graph/use-the-api).
@@ -69,7 +69,7 @@ service principals. Environment variables will override any parameters set in th
 Aside from the permissions listed above, setting this to true should be transparent to users.
 
 - `root_password_ttl` `(string: 182d)` - Specifies how long the root password is valid for in Azure when
-  rotate-root generates a new client secret. Uses [duration format strings](/docs/concepts/duration-format).
+  rotate-root generates a new client secret. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 
@@ -360,8 +360,8 @@ $ vault read azure/creds/my-role
 
 ## Revoking/Renewing Secrets
 
-See docs on how to [renew](/api-docs/system/leases#renew-lease) and [revoke](/api-docs/system/leases#revoke-lease) leases.
+See docs on how to [renew](/vault/api-docs/system/leases#renew-lease) and [revoke](/vault/api-docs/system/leases#revoke-lease) leases.
 
-[docs]: /docs/secrets/azure
+[docs]: /vault/docs/secrets/azure
-[roles]: /docs/secrets/azure#roles
+[roles]: /vault/docs/secrets/azure#roles
-[groups]: /docs/secrets/azure#azure-groups
+[groups]: /vault/docs/secrets/azure#azure-groups

website/content/api-docs/secret/cassandra.mdx

@@ -11,12 +11,12 @@ description: This is the API documentation for the Vault Cassandra secrets engin
 ~> **Deprecation Note:** This backend is deprecated in favor of the
 combined databases backend added in v0.7.1. See the API documentation for
 the new implementation of this backend at
-[Cassandra database plugin HTTP API](/api-docs/secret/databases/cassandra).
+[Cassandra database plugin HTTP API](/vault/api-docs/secret/databases/cassandra).
 
 This is the API documentation for the Vault Cassandra secrets engine. For
 general information about the usage and operation of the Cassandra backend,
 please see the
-[Vault Cassandra backend documentation](/docs/secrets/databases/cassandra).
+[Vault Cassandra backend documentation](/vault/docs/secrets/databases/cassandra).
 
 This documentation assumes the Cassandra backend is mounted at the `/cassandra`
 path in Vault. Since it is possible to enable secrets engines at any location,
@@ -56,7 +56,7 @@ Cassandra.
   private key; a certificate, private key, and issuing CA certificate; or just a
   CA certificate. For convenience format is the same as the output of the
   `issue` command from the `pki` backend; see
-  [the pki documentation](/docs/secrets/pki).
+  [the pki documentation](/vault/docs/secrets/pki).
 
 - `protocol_version` `(int: 2)` – Specifies the CQL protocol version to use.
 

website/content/api-docs/secret/consul.mdx

@@ -12,7 +12,7 @@ description: This is the API documentation for the Vault Consul secrets engine.
 
 This is the API documentation for the Vault Consul secrets engine. For general
 information about the usage and operation of the Consul secrets engine, please
-see the [Vault Consul documentation](/docs/secrets/consul).
+see the [Vault Consul documentation](/vault/docs/secrets/consul).
 
 This documentation assumes the Consul secrets engine is enabled at the `/consul`
 path in Vault. Since it is possible to enable secrets engines at any location,
@@ -162,11 +162,11 @@ To create a client token with service identities attached:
 - `token_type` <sup>DEPRECATED (1.11)</sup> `(string: "client")` - Specifies the type of token to create
   when using this role. Valid values are `"client"` or `"management"`. If a `"management"`
   token, the `policy` parameter is not required. Defaults to `"client`". [Deprecated from Consul as of 1.4 and
-  removed as of Consul 1.11.](https://developer.hashicorp.com/consul/api-docs/acl/legacy)
+  removed as of Consul 1.11.](/consul/api-docs/acl/legacy)
 
 - `policy` <sup>DEPRECATED (1.11)</sup> `(string: "")` – Specifies the base64-encoded ACL policy.
   This is required unless the `token_type` is `"management"`. [Deprecated from Consul as of 1.4 and
-  removed as of Consul 1.11.](https://developer.hashicorp.com/consul/api-docs/acl/legacy)
+  removed as of Consul 1.11.](/consul/api-docs/acl/legacy)
 
 - `policies` <sup>DEPRECATED (1.11)</sup> `(list: <policy or policies>)` - Same as `consul_policies`.
   Deprecated in favor of using `consul_policies`.
@@ -179,10 +179,10 @@ To create a client token with service identities attached:
   1.4 and greater.
 
 - `ttl` `(duration: "")` – Specifies the TTL for this role. If not
-  provided, the default Vault TTL is used. Uses [duration format strings](/docs/concepts/duration-format).
+  provided, the default Vault TTL is used. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 - `max_ttl` `(duration: "")` – Specifies the max TTL for this role. If not
-  provided, the default Vault Max TTL is used. Uses [duration format strings](/docs/concepts/duration-format).
+  provided, the default Vault Max TTL is used. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 
@@ -197,12 +197,12 @@ To create a client token with policies defined in Consul:
 ### Parameters for Consul version below 1.4
 
 - `lease` <sup>DEPRECATED (1.11)</sup> `(string: "")` – Specifies the lease for this role.
-  Uses [duration format strings](/docs/concepts/duration-format). If not
+  Uses [duration format strings](/vault/docs/concepts/duration-format). If not
   provided, the default Vault lease is used.
 
 - `policy` <sup>DEPRECATED (1.11)</sup> `(string: <policy>)` – Specifies the base64-encoded ACL policy. The
   ACL format can be found in the [Consul ACL
-  documentation](https://developer.hashicorp.com/consul/docs/security/acl/acl-legacy). This is
+  documentation](/consul/docs/security/acl/acl-legacy). This is
   required unless the `token_type` is `"management"`.
 
 ### Sample Payload

website/content/api-docs/secret/cubbyhole.mdx

@@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Cubbyhole secrets engin
 This is the API documentation for the Vault Cubbyhole secrets engine. For
 general information about the usage and operation of the Cubbyhole secrets
 engine, please see the
-[Vault Cubbyhole documentation](/docs/secrets/cubbyhole).
+[Vault Cubbyhole documentation](/vault/docs/secrets/cubbyhole).
 
 This documentation assumes the Cubbyhole secrets engine is enabled at the
 `/cubbyhole` path in Vault. Since it is possible to enable secrets engines at

website/content/api-docs/secret/databases/cassandra.mdx

@@ -17,7 +17,7 @@ configured roles for the Cassandra database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
+Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -55,7 +55,7 @@ has a number of parameters to further configure a connection.
   private key; a certificate, private key, and issuing CA certificate; or just a
   CA certificate. The value in this field must be an encoded JSON object. For convenience format is the
   same as the output of the `issue` command from the `pki` secrets engine; see
-  [the pki documentation](/docs/secrets/pki). Only one of `pem_bundle` or `pem_json` can be specified.
+  [the pki documentation](/vault/docs/secrets/pki). Only one of `pem_bundle` or `pem_json` can be specified.
 
 <details>
 <summary><b><tt>pem_json</tt> example</b></summary>
@@ -97,7 +97,7 @@ vault write database/config/cassandra-example <...other fields> pem_json=@/path/
   definition](https://github.com/gocql/gocql/blob/master/frame.go#L188) for
   valid options.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated.
 
 <details>
@@ -173,7 +173,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/couchbase.mdx

@@ -17,7 +17,7 @@ configured roles for the Couchbase database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
+Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -47,7 +47,7 @@ has a number of parameters to further configure a connection.
 - `bucket_name` `(string: "")` - Required for Couchbase versions prior to 6.5.0. This
   is only used to verify vault's connection to the server.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated.
 
 <details>
@@ -102,7 +102,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/elasticdb.mdx

@@ -17,7 +17,7 @@ configured roles for Elasticsearch.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Backend](/api-docs/secret/databases#configure-connection), this plugin
+Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -35,7 +35,7 @@ has a number of parameters to further configure a connection.
 - `client_key` `(string: "")` - The path to the key for the Elasticsearch client to use for communication.
 - `tls_server_name` `(string: "")` - This, if set, is used to set the SNI host when connecting via TLS.
 - `insecure` `(bool: false)` - Not recommended. Default to `false`. Can be set to `true` to disable certificate verification.
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how dynamic usernames are generated.
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how dynamic usernames are generated.
 - `use_old_xpack` `(bool: false)` - Can be set to `true` to use the `/_xpack/security` base API path when managing Elasticsearch. May be required for Elasticsearch server versions prior to 6.
 
 ### Sample Payload
@@ -68,7 +68,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/hanadb.mdx

@@ -15,7 +15,7 @@ configured roles for the HANA database.
 ## Configure Connection
 
 In addition to the parameters defined by the [database
-secrets engine](/api-docs/secret/databases#configure-connection), this plugin
+secrets engine](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     | Produces |
@@ -44,10 +44,10 @@ has a number of parameters to further configure a connection.
 
 - `password` `(string: "")` - The root credential password used in the connection URL.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how dynamic usernames are generated.
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how dynamic usernames are generated.
 
 - `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
-  and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
+  and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
   for more information. Defaults to `false`.
 
 ### Sample Payload
@@ -79,7 +79,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/index.mdx

@@ -9,7 +9,7 @@ description: Top page for database secrets engine information
 This is the API documentation for the Vault Database secrets engine. For
 general information about the usage and operation of the database secrets engine,
 please see the
-[Vault database secrets engine documentation](/docs/secrets/databases).
+[Vault database secrets engine documentation](/vault/docs/secrets/databases).
 
 This documentation assumes the database secrets engine is enabled at the
 `/database` path in Vault. Since it is possible to enable secrets engines at any
@@ -51,7 +51,7 @@ list of additional parameters.
   information on support and formatting for this parameter.
 
 - `password_policy` `(string: "")` - The name of the
-  [password policy](/docs/concepts/password-policies) to use when generating passwords
+  [password policy](/vault/docs/concepts/password-policies) to use when generating passwords
   for this database. If not specified, this will use a default policy defined as:
   20 characters with at least 1 uppercase, 1 lowercase, 1 number, and 1 dash character.
 
@@ -90,7 +90,7 @@ are supported and any additional details about them.
 - `disable_escaping` `(boolean: false)` - Determines whether special characters in the
   username and password fields will be escaped. Useful for alternate connection string
   formats like ADO. More information regarding this parameter can be found on the
-  [databases secrets engine docs.](/docs/secrets/databases#disable-character-escaping)
+  [databases secrets engine docs.](/vault/docs/secrets/databases#disable-character-escaping)
   Defaults to `false`.
 
 ### Sample Payload
@@ -301,7 +301,7 @@ This endpoint creates or updates a role definition.
 
 - `max_ttl` `(string/int: 0)` - Specifies the maximum TTL for the leases
   associated with this role. Accepts time suffixed strings (`1h`) or an integer
-  number of seconds. Defaults to `sys/mounts`'s default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also [The TTL General Case](/docs/concepts/tokens#the-general-case).
+  number of seconds. Defaults to `sys/mounts`'s default TTL time; this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL), but it is not allowed to be longer. See also [The TTL General Case](/vault/docs/concepts/tokens#the-general-case).
 
 - `creation_statements` `(list: <required>)` – Specifies the database
   statements executed to create and configure a user. See the plugin's API page

website/content/api-docs/secret/databases/influxdb.mdx

@@ -17,7 +17,7 @@ configured roles for the Influxdb database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
+Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -52,11 +52,11 @@ has a number of parameters to further configure a connection.
   private key; a certificate, private key, and issuing CA certificate; or just a
   CA certificate. For convenience format is the same as the output of the
   `issue` command from the `pki` secrets engine; see
-  [the pki documentation](/docs/secrets/pki).
+  [the pki documentation](/vault/docs/secrets/pki).
 
 - `connect_timeout` `(string: "5s")` – Specifies the connection timeout to use.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
 dynamic usernames are generated.
 
 TLS works as follows:
@@ -107,7 +107,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/mongodb.mdx

@@ -17,7 +17,7 @@ configured roles for the MongoDB database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Backend](/api-docs/secret/databases#configure-connection), this plugin
+Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -47,7 +47,7 @@ has a number of parameters to further configure a connection.
 - `tls_ca` `(string: "")` - x509 CA file for validating the certificate presented by the
   MongoDB server. Must be PEM encoded.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated.
 
 <details>
@@ -103,7 +103,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/mongodbatlas.mdx

@@ -14,7 +14,7 @@ configured roles.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Backend](/api-docs/secret/databases#configure-connection), this plugin
+Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -26,7 +26,7 @@ has a number of parameters to further configure a connection.
 - `public_key` `(string: <required>)` – The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.
 - `private_key` `(string: <required>)` - The Private Programmatic API Key used to connect with MongoDB Atlas API.
 - `project_id` `(string: <required>)` - The [Project ID](https://docs.atlas.mongodb.com/api/#project-id) the Database User should be created within.
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated.
 
 
@@ -56,7 +56,7 @@ $ curl \
 
 Statements are configured during Vault role creation and are used by the plugin to
 determine what is sent to MongoDB Atlas upon user creation, renewal, and
-revocation. For more information on configuring roles see the [Role API](/api-docs/secret/databases#create-role)
+revocation. For more information on configuring roles see the [Role API](/vault/api-docs/secret/databases#create-role)
 in the Database Secrets Engine docs.
 
 ### Parameters
@@ -82,7 +82,7 @@ list the plugin does not support that statement type.
 - `max_ttl` `(string/int): 0` - Specifies the maximum TTL for the leases associated with this role. Accepts time
   suffixed strings (`1h`) or an integer number of seconds. Defaults to `sys/mounts` default TTL time; this value
   is allowed to be less than the mount max TTL (or, if not set, the system max TTL),
-  but it is not allowed to be longer. See also [The TTL General Case](/docs/concepts/tokens#the-general-case).
+  but it is not allowed to be longer. See also [The TTL General Case](/vault/docs/concepts/tokens#the-general-case).
 
 ### Sample Creation Statement
 

website/content/api-docs/secret/databases/mssql.mdx

@@ -15,7 +15,7 @@ configured roles for the MSSQL database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Backend](/api-docs/secret/databases#configure-connection), this plugin
+Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -44,7 +44,7 @@ has a number of parameters to further configure a connection.
 
 - `password` `(string: "")` - The root credential password used in the connection URL.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated.
 
 - `contained_db` `(bool: false)` - If set, specifies that the connection being configured is to a
@@ -52,7 +52,7 @@ has a number of parameters to further configure a connection.
   like AzureSQL.
 
 - `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
-  and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
+  and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
   for more information. Defaults to `false`.
 
 <details>
@@ -109,7 +109,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/mysql-maria.mdx

@@ -17,7 +17,7 @@ configured roles for the MySQL database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Backend](/api-docs/secret/databases#configure-connection), this plugin
+Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -58,11 +58,11 @@ has a number of parameters to further configure a connection.
 - `tls_skip_verify` `(boolean: false)` - When set to true, disables the server certificate verification. 
   Setting this to true is not recommended for production.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated.
 
 - `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
-  and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
+  and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
   for more information. Defaults to `false`.
 
 **Default Username Templates:**
@@ -150,7 +150,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/oracle.mdx

@@ -15,7 +15,7 @@ configured roles for the Oracle database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Backend](/api-docs/secret/databases#configure-connection), this plugin
+Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -41,11 +41,11 @@ has a number of parameters to further configure a connection.
 
 - `password` `(string: "")` - The root credential password used in the connection URL.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated.
 
 - `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
-  and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
+  and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
   for more information. Defaults to `false`.
 
 <details>
@@ -102,7 +102,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/postgresql.mdx

@@ -15,7 +15,7 @@ configured roles for the PostgreSQL database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Backend](/api-docs/secret/databases#configure-connection), this plugin
+Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -48,11 +48,11 @@ has a number of parameters to further configure a connection.
 
 - `password` `(string: "")` - The root credential password used in the connection URL.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated.
 
 - `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
-  and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
+  and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
   for more information. Defaults to `false`.
 
 <details>
@@ -147,7 +147,7 @@ for more information. Below are two small examples.
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/redis.mdx

@@ -15,7 +15,7 @@ configured roles for the Redis database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
+Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -64,7 +64,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/rediselasticache.mdx

@@ -14,7 +14,7 @@ configured roles for the Redis ElastiCache database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Secrets Engine](/api-docs/secret/databases#configure-connection), this plugin
+Secrets Engine](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |

website/content/api-docs/secret/databases/redshift.mdx

@@ -15,7 +15,7 @@ configured roles for the Redshift database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Backend](/api-docs/secret/databases#configure-connection), this plugin
+Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -44,10 +44,10 @@ has a number of parameters to further configure a connection.
 
 - `password` `(string: "")` - The root credential password used in the connection URL.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how dynamic usernames are generated.
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how dynamic usernames are generated.
 
 - `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
-  and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
+  and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
   for more information. Defaults to `false`.
 
 ### Sample Payload
@@ -79,7 +79,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 

website/content/api-docs/secret/databases/snowflake.mdx

@@ -15,7 +15,7 @@ configured roles for the Snowflake database.
 ## Configure Connection
 
 In addition to the parameters defined by the [Database
-Backend](/api-docs/secret/databases#configure-connection), this plugin
+Backend](/vault/api-docs/secret/databases#configure-connection), this plugin
 has a number of parameters to further configure a connection.
 
 | Method | Path                     |
@@ -44,10 +44,10 @@ has a number of parameters to further configure a connection.
 
 - `password` `(string: "")` - The root credential password used in the connection URL.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how dynamic usernames are generated.
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how dynamic usernames are generated.
 
 - `disable_escaping` `(boolean: false)` - Turns off the escaping of special characters inside of the username
-  and password fields. See the [databases secrets engine docs](/docs/secrets/databases#disable-character-escaping)
+  and password fields. See the [databases secrets engine docs](/vault/docs/secrets/databases#disable-character-escaping)
   for more information. Defaults to `false`.
 
 ### Sample Payload
@@ -79,7 +79,7 @@ $ curl \
 Statements are configured during role creation and are used by the plugin to
 determine what is sent to the database on user creation, renewing, and
 revocation. For more information on configuring roles see the [Role
-API](/api-docs/secret/databases#create-role) in the database secrets engine docs.
+API](/vault/api-docs/secret/databases#create-role) in the database secrets engine docs.
 
 ### Parameters
 
@@ -93,7 +93,7 @@ list the plugin does not support that statement type.
   array. The `{{name}}` and `{{expiration}}` values will be substituted.
 
   The following values will be substituted depending on the
-  [credential_type](/api-docs/secret/databases#credential_type) of the role:
+  [credential_type](/vault/api-docs/secret/databases#credential_type) of the role:
 
   - `{{password}}` is substituted for the `password` credential type
   - `{{public_key}}` is substituted for the `rsa_private_key` credential type
@@ -125,7 +125,7 @@ list the plugin does not support that statement type.
   array. The `{{name}}` value will be substituted.
 
   The following values will be substituted depending on the
-  [credential_type](/api-docs/secret/databases#credential_type) of the role:
+  [credential_type](/vault/api-docs/secret/databases#credential_type) of the role:
 
   - `{{password}}` is substituted for the `password` credential type
   - `{{public_key}}` is substituted for the `rsa_private_key` credential type

website/content/api-docs/secret/gcp.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault Google Cloud secrets en
 
 This is the API documentation for the Vault Google Cloud Platform (GCP)
 secrets engine. For general information about the usage and operation of
-the GCP secrets engine, please see [these docs](/docs/secrets/gcp).
+the GCP secrets engine, please see [these docs](/vault/docs/secrets/gcp).
 
 This documentation assumes the GCP secrets engine is enabled at the `/gcp` path
 in Vault. Since it is possible to mount secrets engines at any path, please
@@ -25,15 +25,15 @@ This endpoint configures shared information for the secrets engine.
 ### Parameters
 
 - `credentials` (`string:""`) - JSON credentials (either file contents or '@path/to/file')
-  See docs for [alternative ways](/docs/secrets/gcp#setup)
+  See docs for [alternative ways](/vault/docs/secrets/gcp#setup)
   to pass in to this parameter, as well as the
-  [required permissions](/docs/secrets/gcp#required-permissions).
+  [required permissions](/vault/docs/secrets/gcp#required-permissions).
 
 - `ttl` (`int: 0 || string:"0s"`) – Specifies default config TTL for long-lived credentials
-  (i.e. service account keys). Uses [duration format strings](/docs/concepts/duration-format).
+  (i.e. service account keys). Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 - `max_ttl` (`int: 0 || string:"0s"`)– Specifies the maximum config TTL for long-lived credentials
-  (i.e. service account keys). Uses [duration format strings](/docs/concepts/duration-format).\*\*
+  (i.e. service account keys). Uses [duration format strings](/vault/docs/concepts/duration-format).\*\*
 
 ### Sample Payload
 
@@ -115,7 +115,7 @@ $ curl \
 | :----- | :------------------- |
 | `POST` | `/gcp/roleset/:name` |
 
-This method allows you to create a roleset or update an existing roleset. See [docs](/docs/secrets/gcp#bindings) for the GCP secrets backend
+This method allows you to create a roleset or update an existing roleset. See [docs](/vault/docs/secrets/gcp#bindings) for the GCP secrets backend
 to learn more about what happens when you create or update a roleset.
 
 **If you update a roleset's bindings, this will effectively revoke any secrets
@@ -145,7 +145,7 @@ generated under this roleset.**
 
 #### Sample Bindings:
 
-See [bindings format docs](/docs/secrets/gcp#bindings) for more information.
+See [bindings format docs](/vault/docs/secrets/gcp#bindings) for more information.
 
 ```hcl
 resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
@@ -307,7 +307,7 @@ $ curl \
 | :----- | :-------------------------- |
 | `POST` | `/gcp/static-account/:name` |
 
-This method allows you to create a static account or update an existing static account. See [docs](/docs/secrets/gcp#bindings) for the GCP secrets backend
+This method allows you to create a static account or update an existing static account. See [docs](/vault/docs/secrets/gcp#bindings) for the GCP secrets backend
 to learn more about what happens when you create or update a static account.
 
 **If you update a static account's bindings, this will effectively revoke any secrets
@@ -337,7 +337,7 @@ generated under this static account.**
 
 #### Sample Bindings:
 
-See [bindings format docs](/docs/secrets/gcp#bindings) for more information.
+See [bindings format docs](/vault/docs/secrets/gcp#bindings) for more information.
 
 ```hcl
 resource "//cloudresourcemanager.googleapis.com/projects/mygcpproject" {
@@ -493,7 +493,7 @@ impersonated account.
 - `token_scopes` (`array: []`): List of OAuth scopes to assign to access tokens
   generated under this impersonation account.
 - `ttl` (`duration: ""`): Lifetime of the token generated. Defaults to 1 hour and
-  is limited to a maximum of 12 hours. Uses [duration format strings](/docs/concepts/duration-format).
+  is limited to a maximum of 12 hours. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 
@@ -693,7 +693,7 @@ or the system default if config was not defined.
   `enum(`[`ServiceAccountKeyAlgorithm`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountKeyAlgorithm)`)`
 - `key_type` (`string:"TYPE_GOOGLE_CREDENTIALS_FILE`): Private key type to generate. Defaults to JSON credentials file.
   Accepted values are `enum(`[`ServiceAccountPrivateKeyType`](https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts.keys#ServiceAccountPrivateKeyType)`)`
-- `ttl` (`string: ""`): Specifies the Time To Live value provided using a [duration format string](/docs/concepts/duration-format). If not set, uses the system default value.
+- `ttl` (`string: ""`): Specifies the Time To Live value provided using a [duration format string](/vault/docs/concepts/duration-format). If not set, uses the system default value.
 
 ### Sample Payload
 
@@ -742,5 +742,5 @@ $ curl \
 
 ## Revoking/Renewing Secrets
 
-See docs on how to [renew](/api-docs/system/leases#renew-lease) and [revoke](/api-docs/system/leases#revoke-lease) leases.
+See docs on how to [renew](/vault/api-docs/system/leases#renew-lease) and [revoke](/vault/api-docs/system/leases#revoke-lease) leases.
 Note this only applies to service account keys.

website/content/api-docs/secret/gcpkms.mdx

@@ -9,7 +9,7 @@ description: This is the API documentation for the Vault Google Cloud KMS secret
 This is the API documentation for the Vault Google Cloud KMS secrets engine. For
 general information about the usage and operation of the Google Cloud KMS
 secrets engine, please see the
-[Google Cloud KMS documentation](/docs/secrets/gcpkms).
+[Google Cloud KMS documentation](/vault/docs/secrets/gcpkms).
 
 This documentation assumes the Google Cloud KMS secrets engine is enabled at the
 `/gcpkms` path in Vault. Since it is possible to enable secrets engines at any

website/content/api-docs/secret/identity/entity.mdx

@@ -398,7 +398,7 @@ $ curl \
 This endpoint merges many entities into one entity. Additionally, all groups associated with `from_entity_ids` are merged with those of `to_entity_id`.
 Note that if these entities contain aliases sharing the same mount accessor, the merge will fail unless `conflicting_alias_ids_to_keep` is present, and
 entities must be merged one at a time. This is because each entity can only have one alias with each mount accessor - for more
-information, see the [identity concepts page](/docs/concepts/identity).
+information, see the [identity concepts page](/vault/docs/concepts/identity).
 
 | Method | Path                     |
 | :----- | :----------------------- |

website/content/api-docs/secret/identity/index.mdx

@@ -8,15 +8,15 @@ description: This is the API documentation for the Vault Identity secrets engine
 
 This is the API documentation for the Vault Identity secrets engine. For general
 information about the usage and operation of the Identity secrets engine, please
-see the [Vault Identity documentation](/docs/secrets/identity).
+see the [Vault Identity documentation](/vault/docs/secrets/identity).
 
 ## API Sections
 
-- [Entity](/api-docs/secret/identity/entity)
+- [Entity](/vault/api-docs/secret/identity/entity)
-- [Entity Alias](/api-docs/secret/identity/entity-alias)
+- [Entity Alias](/vault/api-docs/secret/identity/entity-alias)
-- [Group](/api-docs/secret/identity/group)
+- [Group](/vault/api-docs/secret/identity/group)
-- [Group Alias](/api-docs/secret/identity/group-alias)
+- [Group Alias](/vault/api-docs/secret/identity/group-alias)
-- [Identity Tokens](/api-docs/secret/identity/tokens)
+- [Identity Tokens](/vault/api-docs/secret/identity/tokens)
-- [Lookup](/api-docs/secret/identity/lookup)
+- [Lookup](/vault/api-docs/secret/identity/lookup)
-- [OIDC Provider](/api-docs/secret/identity/oidc-provider)
+- [OIDC Provider](/vault/api-docs/secret/identity/oidc-provider)
-- [MFA](/api-docs/secret/identity/mfa)
+- [MFA](/vault/api-docs/secret/identity/mfa)

website/content/api-docs/secret/identity/mfa/duo.mdx

@@ -103,7 +103,7 @@ $ curl \
 ## Delete Duo MFA Method
 
 This endpoint deletes a Duo MFA method. MFA methods can only be deleted if they're not currently in use
-by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement).
+by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
 
 | Method   | Path                           |
 | :------- | :----------------------------- |

website/content/api-docs/secret/identity/mfa/index.mdx

@@ -9,18 +9,18 @@ description: >-
 
 ## Supported MFA types.
 
-- [TOTP](/api-docs/secret/identity/mfa/totp)
+- [TOTP](/vault/api-docs/secret/identity/mfa/totp)
 
-- [Okta](/api-docs/secret/identity/mfa/okta)
+- [Okta](/vault/api-docs/secret/identity/mfa/okta)
 
-- [Duo](/api-docs/secret/identity/mfa/duo)
+- [Duo](/vault/api-docs/secret/identity/mfa/duo)
 
-- [PingID](/api-docs/secret/identity/mfa/pingid)
+- [PingID](/vault/api-docs/secret/identity/mfa/pingid)
 
 ## Other
 
-- [Login Enforcement](/api-docs/secret/identity/mfa/login-enforcement)
+- [Login Enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement)
-- [MFA Validate](/api-docs/system/mfa/validate)
+- [MFA Validate](/vault/api-docs/system/mfa/validate)
 
 While the above endpoints are available in both the open source and Enterprise versions of Vault,
 they are namespace aware. MFA methods and login enforcements created in one namespace are separate from other

website/content/api-docs/secret/identity/mfa/okta.mdx

@@ -96,7 +96,7 @@ $ curl \
 ## Delete Okta MFA Method
 
 This endpoint deletes a Okta MFA method. The MFA methods can only be deleted if they're not currently in use
-by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement).
+by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
 
 | Method   | Path                            |
 | :------- | :------------------------------ |

website/content/api-docs/secret/identity/mfa/pingid.mdx

@@ -90,7 +90,7 @@ $ curl \
 ## Delete PingID MFA Method
 
 This endpoint deletes a PingID MFA method. MFA methods can only be deleted if they're not currently in use
-by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement).
+by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
 
 | Method   | Path                              |
 | :------- | :-------------------------------- |

website/content/api-docs/secret/identity/mfa/totp.mdx

@@ -104,7 +104,7 @@ $ curl \
 ## Delete TOTP MFA Method
 
 This endpoint deletes a TOTP MFA method.  MFA methods can only be deleted if they're not currently in use
-by a [login enforcement](/api-docs/secret/identity/mfa/login-enforcement).
+by a [login enforcement](/vault/api-docs/secret/identity/mfa/login-enforcement).
 
 | Method   | Path                            |
 | :------- | :------------------------------ |

website/content/api-docs/secret/identity/oidc-provider.mdx

@@ -87,7 +87,7 @@ This endpoint returns a list of all OIDC providers.
 ### Query Parameters
 
 - `allowed_client_id` `(string: <optional>)` – Filters the list of OIDC providers to those
-  that allow the given client ID in their set of [allowed_client_ids](/api-docs/secret/identity/oidc-provider#allowed_client_ids).
+  that allow the given client ID in their set of [allowed_client_ids](/vault/api-docs/secret/identity/oidc-provider#allowed_client_ids).
 
 ### Sample Request
 
@@ -152,7 +152,7 @@ This endpoint creates or updates a scope.
 
 - `name` `(string: <required>)` – The name of the scope. This parameter is specified as part of the URL. The `openid` scope name is reserved.
 
-- `template` `(string: <optional>)` - The [JSON template](/docs/concepts/oidc-provider#scopes)
+- `template` `(string: <optional>)` - The [JSON template](/vault/docs/concepts/oidc-provider#scopes)
   string for the scope. This may be provided as escaped JSON or base64 encoded JSON.
 
 - `description` `(string: <optional>)` – A description of the scope.
@@ -269,9 +269,9 @@ This endpoint creates or updates a client.
 
 - `name` `(string: <required>)` – The name of the client. This parameter is specified as part of the URL.
 
-- `key` `(string: "default")` – A reference to a [named key](/api-docs/secret/identity/tokens#create-a-named-key)
+- `key` `(string: "default")` – A reference to a [named key](/vault/api-docs/secret/identity/tokens#create-a-named-key)
   resource. This key will be used to sign ID tokens for the client. This cannot be modified
-  after creation. If not supplied, defaults to the built-in [default key](/docs/concepts/oidc-provider#keys).
+  after creation. If not supplied, defaults to the built-in [default key](/vault/docs/concepts/oidc-provider#keys).
 
 - `redirect_uris` `([]string: <optional>)` - Redirection URI values used by the client. One of these values
   must exactly match the `redirect_uri` parameter value used in each [authentication request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
@@ -280,7 +280,7 @@ This endpoint creates or updates a client.
   the client. Client assignments limit the Vault entities and groups that are allowed to
   authenticate through the client. By default, no Vault entities are allowed. To allow all
   Vault entities to authenticate through the client, supply the built-in
-  [allow_all](/docs/concepts/oidc-provider#assignments) assignment.
+  [allow_all](/vault/docs/concepts/oidc-provider#assignments) assignment.
 
 - `client_type` `(string: "confidential")` – The [client type](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1)
   based on its ability to maintain confidentiality of credentials. This cannot be modified
@@ -300,11 +300,11 @@ This endpoint creates or updates a client.
       for the authorization code flow
 
 - `id_token_ttl` `(int or duration: "24h")` – The time-to-live for ID tokens obtained by the client.
-  Accepts [duration format strings](/docs/concepts/duration-format). The value should be less than the `verification_ttl`
+  Accepts [duration format strings](/vault/docs/concepts/duration-format). The value should be less than the `verification_ttl`
   on the key.
 
 - `access_token_ttl` `(int or duration: "24h")` – The time-to-live for access tokens obtained by the client.
-  Accepts [duration format strings](/docs/concepts/duration-format).
+  Accepts [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 
@@ -440,9 +440,9 @@ This endpoint creates or updates an assignment.
 
 - `name` `(string: <required>)` – The name of the assignment. This parameter is specified as part of the URL.
 
-- `entity_ids` `([]string: <optional>)` - A list of Vault [entity](https://www.vaultproject.io/docs/secrets/identity#entities-and-aliases) IDs.
+- `entity_ids` `([]string: <optional>)` - A list of Vault [entity](/vault/docs/secrets/identity#entities-and-aliases) IDs.
 
-- `group_ids` `([]string: <optional>)` – A list of Vault [group](https://www.vaultproject.io/docs/secrets/identity#identity-groups) IDs.
+- `group_ids` `([]string: <optional>)` – A list of Vault [group](/vault/docs/secrets/identity#identity-groups) IDs.
 
 ### Sample Payload
 

website/content/api-docs/secret/identity/tokens.mdx

@@ -86,9 +86,9 @@ This endpoint creates or updates a named key which is used by a role to sign tok
 
 - `name` `(string)` – Name of the named key.
 
-- `rotation_period` `(int or time string: "24h")` - How often to generate a new signing key. Uses [duration format strings](/docs/concepts/duration-format).
+- `rotation_period` `(int or time string: "24h")` - How often to generate a new signing key. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
-- `verification_ttl` `(int or time string: "24h")` - Controls how long the public portion of a signing key will be available for verification after being rotated. Uses [duration format strings](/docs/concepts/duration-format).
+- `verification_ttl` `(int or time string: "24h")` - Controls how long the public portion of a signing key will be available for verification after being rotated. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 - `allowed_client_ids` `(list: [])` - Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "\*", all roles are allowed.
 
@@ -244,7 +244,7 @@ Create or update a role. ID tokens are generated against a role and signed again
 
 - `client_id` `(string: <optional>)` - Optional client ID. A random ID will be generated if left unset.
 
-- `ttl` `(int or time string: "24h")` - TTL of the tokens generated against the role. Uses [duration format strings](/docs/concepts/duration-format).
+- `ttl` `(int or time string: "24h")` - TTL of the tokens generated against the role. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 

website/content/api-docs/secret/key-management/gcpkms.mdx

@@ -38,7 +38,7 @@ the given parameter values.
 
 - `credentials` `(map<string|string>: nil)` – The credentials to use for authentication with GCP
   Cloud KMS. Supplying values for this parameter is optional, as credentials may also be specified
-  as environment variables. See the [authentication](/docs/secrets/key-management/gcpkms#authentication)
+  as environment variables. See the [authentication](/vault/docs/secrets/key-management/gcpkms#authentication)
   section for details on precedence.
 
   - `service_account_file` `(string: <required>)` - The path to a Google service account key file. The

website/content/api-docs/secret/key-management/index.mdx

@@ -8,7 +8,7 @@ description: The API documentation for the Key Management secrets engine.
 
 This is the API documentation for the Key Management secrets engine. For general
 information about the usage and operation of the secrets engine, please see the
-[Key Management secrets engine documentation](/docs/secrets/key-management).
+[Key Management secrets engine documentation](/vault/docs/secrets/key-management).
 
 This documentation assumes the Key Management secrets engine is enabled at the
 `/keymgmt` path in Vault. Since it is possible to enable secrets engines at any
@@ -265,7 +265,7 @@ the given parameter values.
 
 - `provider` `(string: <required>)` – Specifies the name of a KMS provider that's external to
   Vault. Cannot be changed after creation. For more information about each provider, refer to
-  the [KMS Providers](/docs/secrets/key-management#kms-providers) section. The following values
+  the [KMS Providers](/vault/docs/secrets/key-management#kms-providers) section. The following values
   are supported:
 
   - `azurekeyvault`

website/content/api-docs/secret/kmip.mdx

@@ -10,7 +10,7 @@ description: This is the API documentation for the Vault KMIP secrets engine.
 
 This is the API documentation for the Vault KMIP secrets engine. For general
 information about the usage and operation of
-the KMIP secrets engine, please see [these docs](/docs/secrets/kmip).
+the KMIP secrets engine, please see [these docs](/vault/docs/secrets/kmip).
 
 This documentation assumes the KMIP secrets engine is enabled at the `/kmip` path
 in Vault. Since it is possible to mount secrets engines at any path, please

website/content/api-docs/secret/kubernetes.mdx

@@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Kubernetes secrets engi
 
 This is the API documentation for the Vault Kubernetes secrets engine. To
 learn more about the usage and operation, see the
-[Kubernetes secrets engine documentation](/docs/secrets/kubernetes).
+[Kubernetes secrets engine documentation](/vault/docs/secrets/kubernetes).
 
 This documentation assumes the Kubernetes secrets engine is mounted at the
 `/kubernetes` path in Vault. Since it is possible to enable secrets engines at
@@ -136,15 +136,15 @@ Only one of `service_account_name`, `kubernetes_role_name` or
   namespaces in which credentials can be generated. Accepts either a JSON or YAML object. The value
   should be of type
   [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta)
-  as illustrated in [Sample Payload 4](/api-docs/secret/kubernetes#sample-payload-4) and
+  as illustrated in [Sample Payload 4](/vault/api-docs/secret/kubernetes#sample-payload-4) and
-  [Sample Payload 5](/api-docs/secret/kubernetes#sample-payload-5) below.
+  [Sample Payload 5](/vault/api-docs/secret/kubernetes#sample-payload-5) below.
   If set with `allowed_kubernetes_namespaces`, the conditions are `OR`ed.
 - `token_max_ttl` `(string: "")` - The maximum TTL for generated Kubernetes
   tokens, specified in seconds or as a Go duration format string, e.g. `"1h"`.
-  If not set or set to 0, the [system default](/docs/configuration#max_lease_ttl) will be used.
+  If not set or set to 0, the [system default](/vault/docs/configuration#max_lease_ttl) will be used.
 - `token_default_ttl` `(string: "")` - The default TTL for generated Kubernetes
   tokens, specified in seconds or as a Go duration format string, e.g. `"1h"`.
-  If not set or set to 0, the [system default](/docs/configuration#default_lease_ttl) will be used.
+  If not set or set to 0, the [system default](/vault/docs/configuration#default_lease_ttl) will be used.
 - `service_account_name` `(string: "")` - The pre-existing service account to
   generate tokens for. Mutually exclusive with all role parameters. If set, only
   a Kubernetes token will be created when credentials are requested. See the
@@ -164,10 +164,10 @@ Only one of `service_account_name`, `kubernetes_role_name` or
   [PolicyRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#policyrule-v1-rbac-authorization-k8s-io)
   objects, as illustrated in the
   [Kubernetes RBAC documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
-  and [Sample Payload 3](/api-docs/secret/kubernetes#sample-payload-3) below.
+  and [Sample Payload 3](/vault/api-docs/secret/kubernetes#sample-payload-3) below.
 - `name_template` `(string: "")` - The name template to use when generating
   service accounts, roles and role bindings. If unset, a default template is
-  used. See [username templating](https://www.vaultproject.io/docs/concepts/username-templating)
+  used. See [username templating](/vault/docs/concepts/username-templating)
   for details on how to write a custom template.
 - `extra_annotations` `(map<string|string>: nil)` - Additional annotations to
   apply to all generated Kubernetes objects. See the

website/content/api-docs/secret/kv/index.mdx

@@ -8,8 +8,8 @@ description: This is the API documentation for the Vault KV secrets engine.
 
 This backend can be run in one of two versions. Each of which have a distinct API.
 Choose the version below you are running. For more information on the KV secrets
-engine see the [Vault kv documentation](/docs/secrets/kv).
+engine see the [Vault kv documentation](/vault/docs/secrets/kv).
 
-- [KV Version 1 API](/api-docs/secret/kv/kv-v1)
+- [KV Version 1 API](/vault/api-docs/secret/kv/kv-v1)
 
-- [KV Version 2 API](/api-docs/secret/kv/kv-v2)
+- [KV Version 2 API](/vault/api-docs/secret/kv/kv-v2)

website/content/api-docs/secret/kv/kv-v1.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault KV secrets engine.
 
 This is the API documentation for the Vault KV secrets engine. For general
 information about the usage and operation of the kv secrets engine, please
-see the [Vault kv documentation](/docs/secrets/kv).
+see the [Vault kv documentation](/vault/docs/secrets/kv).
 
 ~> Note: This documentation assumes the kv secrets engine is enabled at the
 `/secret` path in Vault. Since it is possible to enable secrets engines at any
@@ -53,7 +53,7 @@ $ curl \
 _Note_: the `lease_duration` field, which will be populated if a "ttl" field
 was included in the data, is advisory. No lease is created. This is a way for
 writers to indicate how often a given value should be re-read by the client.
-See the [Vault KV secrets engine documentation](/docs/secrets/kv)
+See the [Vault KV secrets engine documentation](/vault/docs/secrets/kv)
 for more details.
 
 ## List Secrets
@@ -120,7 +120,7 @@ policy granting the `update` capability.
   be held at the given location. Multiple key/value pairs can be specified, and
   all will be returned on a read operation. A key called `ttl` will trigger
   some special behavior. See the [Vault KV secrets engine
-  documentation](/docs/secrets/kv) for details.
+  documentation](/vault/docs/secrets/kv) for details.
 
 ### Sample Payload
 

website/content/api-docs/secret/kv/kv-v2.mdx

@@ -9,7 +9,7 @@ description: This is the API documentation for the Vault KV secrets engine.
 This is the API documentation for the Vault KV secrets engine while running in
 versioned mode. For general information about the usage and operation of the kv
 secrets engine, please see the [Vault kv
-documentation](/docs/secrets/kv).
+documentation](/vault/docs/secrets/kv).
 
 ~> Note: This documentation assumes the kv secrets engine is enabled at the
 `/secret` path in Vault and that versioning has been enabled. Since it is
@@ -38,7 +38,7 @@ key-value store.
 
 - `delete_version_after` `(string:"0s")` – If set, specifies the length
   of time before a version is deleted.
-  Accepts [duration format strings](/docs/concepts/duration-format).
+  Accepts [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 
@@ -95,7 +95,7 @@ This endpoint retrieves the secret at the specified location. The metadata
 fields `created_time`, `deletion_time`, `destroyed`, and `version` are version
 specific. The `custom_metadata` field is part of the secret's key metadata and
 is included in the response whether or not the calling token has `read` access to
-the associated [metadata endpoint](/api-docs/secret/kv/kv-v2#read-secret-metadata).
+the associated [metadata endpoint](/vault/api-docs/secret/kv/kv-v2#read-secret-metadata).
 
 | Method | Path                                         |
 | :----- | :------------------------------------------- |
@@ -654,7 +654,7 @@ not create a new version.
   written to this key. If not set, the backend's `delete_version_after` will be
   used. If the value is greater than the backend's `delete_version_after`, the
   backend's `delete_version_after` will be used. Accepts [duration format
-  strings](/docs/concepts/duration-format).
+  strings](/vault/docs/concepts/duration-format).
 
 - `custom_metadata` `(map<string|string>: nil)` - A map of arbitrary string to string valued user-provided metadata meant
   to describe the secret.

website/content/api-docs/secret/ldap.mdx

@@ -10,7 +10,7 @@ description: This is the API documentation for the Vault LDAP secrets engine.
 
 This is the API documentation for the Vault LDAP secrets engine. For general
 information about the usage and operation of the LDAP secrets engine,
-please see the [LDAP secrets engine docs](/docs/secrets/ldap).
+please see the [LDAP secrets engine docs](/vault/docs/secrets/ldap).
 
 This documentation assumes the LDAP secrets engine is enabled at the `/ldap` path
 in Vault. Since it is possible to mount secrets engines at any path, please
@@ -38,15 +38,15 @@ to search and change entry passwords in LDAP.
   `ldaps://ldap.myorg.com:636`. This can also be a comma-delineated list of URLs, e.g.
   `ldaps://ldap.myorg.com, ldaps://ldap.myorg.com:636`, in which case the servers will be tried in-order if
   there are errors during the connection process.`.
-- `password_policy` `(string: <optional>)` - The name of the [password policy](/docs/concepts/password-policies)
+- `password_policy` `(string: <optional>)` - The name of the [password policy](/vault/docs/concepts/password-policies)
   to use to generate passwords. Note that this accepts the name of the policy, not the policy itself.
 - `schema` `(string: "openldap")` - The LDAP schema to use when storing entry passwords.
   Valid schemas include `openldap`, `ad`, and `racf`.
 - `userdn` `(string: <optional>)` - The base DN under which to perform user search in
-  [library management](/api-docs/secret/ldap#library-management) and [static roles](/api-docs/secret/ldap#static-roles).
+  [library management](/vault/api-docs/secret/ldap#library-management) and [static roles](/vault/api-docs/secret/ldap#static-roles).
   For example, `ou=Users,dc=hashicorp,dc=com`.
 - `userattr` `(string: <optional>)` – The attribute field name used to perform user search
-  in [library management](/api-docs/secret/ldap#library-management) and [static roles](/api-docs/secret/ldap#static-roles).
+  in [library management](/vault/api-docs/secret/ldap#library-management) and [static roles](/vault/api-docs/secret/ldap#static-roles).
   Defaults to `cn` for the `openldap` schema, `userPrincipalName` for the `ad` schema, and
   `racfid` for the `racf` schema.
 - `upndomain` (string: `optional`) - The domain (userPrincipalDomain) used to construct a UPN
@@ -78,11 +78,11 @@ configuration if both are specified.
   prior to the introduction of password policies).
 - If `length` is set, the same algorithm is used, but with the length specified instead of the default length.
 - If `password_policy` is set, the password will be generated from the associated
-  [password policy](/docs/concepts/password-policies). The policy is not exercised prior to saving the configuration.
+  [password policy](/vault/docs/concepts/password-policies). The policy is not exercised prior to saving the configuration.
   The policy will need to exist prior to passwords needing to be generated by this engine, but does not need to exist
   prior to saving the configuration.
 
-See [LDAP secrets engine docs](/docs/secrets/ldap) for additional information.
+See [LDAP secrets engine docs](/vault/docs/secrets/ldap) for additional information.
 
 ### Sample Payload
 
@@ -164,9 +164,9 @@ The `static-role` endpoint configures Vault to manage the passwords of existing
 ### Parameters
 
 - `username` `(string: <required>)` - The username of the existing LDAP entry to manage
-  password rotation for. LDAP search for the username will be rooted at the [userdn](/api-docs/secret/ldap#userdn)
+  password rotation for. LDAP search for the username will be rooted at the [userdn](/vault/api-docs/secret/ldap#userdn)
   configuration value. The attribute to use when searching for the user can be configured
-  with the [userattr](/api-docs/secret/ldap#userattr) configuration value. This is useful
+  with the [userattr](/vault/api-docs/secret/ldap#userattr) configuration value. This is useful
   when `dn` isn't used for login purposes (such as SSH). Cannot be modified after creation.<br />
   **Example:** `"bob"`
 - `dn` `(string: <optional>)` - Distinguished name (DN) of the existing LDAP entry to manage
@@ -174,7 +174,7 @@ The `static-role` endpoint configures Vault to manage the passwords of existing
   search performed during password rotation. Cannot be modified after creation.<br />
   **Example:** `cn=bob,ou=Users,dc=hashicorp,dc=com`
 - `rotation_period` `(string: <required>)` - How often Vault should rotate the password of the user entry. Accepts
-  [duration format strings](/docs/concepts/duration-format). The minimum rotation period is 5 seconds.<br />
+  [duration format strings](/vault/docs/concepts/duration-format). The minimum rotation period is 5 seconds.<br />
   **Example:** `"3600", "5s", "1h"`
 
 ### Sample Payload
@@ -338,14 +338,14 @@ v_{{.DisplayName}}_{{.RoleName}}_{{random 10}}_{{unix_time}}
 </details>
 
 - `default_ttl` `(string/int)` - Specifies the TTL for the leases associated with this role. Accepts
-  [duration format strings](/docs/concepts/duration-format). Defaults to system/engine default TTL time.
+  [duration format strings](/vault/docs/concepts/duration-format). Defaults to system/engine default TTL time.
 - `max_ttl` `(string/int)` - Specifies the maximum TTL for the leases associated with this role. Accepts
-  [duration format strings](/docs/concepts/duration-format). Defaults to system/mount default TTL time;
+  [duration format strings](/vault/docs/concepts/duration-format). Defaults to system/mount default TTL time;
   this value is allowed to be less than the mount max TTL (or, if not set, the system max TTL),
   but it is not allowed to be longer.
 
 The `creation_ldif`, `deletion_ldif`, `rollback_ldif`, and `username_template` fields are all templated fields. See
-[Username Templating](/docs/concepts/username-templating) for details on how to use templating. Also see
+[Username Templating](/vault/docs/concepts/username-templating) for details on how to use templating. Also see
 [Templates](#templates) for specifics on what data is available for each template.
 
 #### Sample Payload
@@ -443,7 +443,7 @@ The following parameters are available within the LDIF templates:
 **Default pattern:** `v_<display name>_<role name>_<10 random chars>_<unix timestamp>`
 
 `.Password` - The generated password (optionally from
-[password policies](https://www.vaultproject.io/docs/concepts/password-policies))
+[password policies](/vault/docs/concepts/password-policies))
 
 `.RoleName` - The name of the role that credentials are being generated for.
 
@@ -568,10 +568,10 @@ When adding a service account to the library, Vault verifies it already exists i
   service accounts must already exist in the LDAP directory.
 - `ttl` `(duration: "24h", optional)` - The maximum amount of time a single check-out lasts before Vault
   automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 - `max_ttl` `(duration: "24h", optional)` - The maximum amount of time a check-out last with renewal before Vault
   automatically checks it back in. Defaults to 24 hours. Setting it to zero reflects an unlimited lending period.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 - `disable_check_in_enforcement` `(bool: false, optional)` - Disable enforcing that service accounts must be
   checked in by the entity or client token that checked them out. Defaults to false.
 
@@ -672,7 +672,7 @@ Returns a `200` if a credential is available, and a `400` if no credential is av
 - `ttl` `(duration: "", optional)` - The maximum amount of time a check-out lasts before Vault
   automatically checks it back in. Setting it to zero reflects an unlimited lending period.
   Defaults to the set's `ttl`. If the requested `ttl` is higher than the set's, the set's will be used.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample POST Request
 

website/content/api-docs/secret/nomad.mdx

@@ -10,7 +10,7 @@ description: This is the API documentation for the Vault Nomad secrets engine.
 
 This is the API documentation for the Vault Nomad secrets engine. For general
 information about the usage and operation of the Nomad secrets engine, please see the
-[Vault Nomad secrets engine documentation](/docs/secrets/nomad).
+[Vault Nomad secrets engine documentation](/vault/docs/secrets/nomad).
 
 This documentation assumes the Nomad secrets engine is mounted at the `/nomad` path
 in Vault. Since it is possible to mount secrets engines at any location, please
@@ -107,9 +107,9 @@ This endpoint configures the lease settings for generated tokens.
 
 ### Parameters
 
-- `ttl` `(string: "")` – Specifies the ttl for the lease. Uses [duration format strings](/docs/concepts/duration-format).
+- `ttl` `(string: "")` – Specifies the ttl for the lease. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
-- `max_ttl` `(string: "")` – Specifies the max ttl for the lease. Uses [duration format strings](/docs/concepts/duration-format).
+- `max_ttl` `(string: "")` – Specifies the max ttl for the lease. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 
@@ -188,7 +188,7 @@ updated attributes.
 
 - `policies` `(string: "")` – Comma separated list of Nomad policies the token is going to be created against. These need to be created beforehand in Nomad.
 
-- `global` `(bool: "false")` – Specifies if the token should be global, as defined in the [Nomad Documentation](https://learn.hashicorp.com/collections/nomad/access-control#acl-tokens).
+- `global` `(bool: "false")` – Specifies if the token should be global, as defined in the [Nomad Documentation](/nomad/tutorials/access-control#acl-tokens).
 
 - `type` `(string: "client")` - Specifies the type of token to create when
   using this role. Valid values are `"client"` or `"management"`.

website/content/api-docs/secret/pki.mdx

@@ -10,7 +10,7 @@ description: This is the API documentation for the Vault PKI secrets engine.
 
 This is the API documentation for the Vault PKI secrets engine. For general
 information about the usage and operation of the PKI secrets engine, please see
-the [PKI documentation](/docs/secrets/pki).
+the [PKI documentation](/vault/docs/secrets/pki).
 
 This documentation assumes the PKI secrets engine is enabled at the `/pki` path
 in Vault. Since it is possible to enable secrets engines at any location, please
@@ -583,7 +583,7 @@ when signing an externally-owned intermediate.
 - `not_before_duration` `(duration: "30s")` - Specifies the duration by which to
   backdate the NotBefore property. This value has no impact in the validity period
   of the requested certificate, specified in the `ttl` field.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 - `not_after` `(string)` - Set the Not After field of the certificate with
   specified date value. The value format should be given in UTC format
@@ -1662,7 +1662,7 @@ use the values set via `config/urls`.
 - `not_before_duration` `(duration: "30s")` - Specifies the duration by which to
   backdate the NotBefore property. This value has no impact in the validity period
   of the requested certificate, specified in the `ttl` field.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 - `not_after` `(string)` - Set the Not After field of the certificate with
   specified date value. The value format should be given in UTC format
@@ -1728,7 +1728,7 @@ key. If using Vault as a root (and, like many other CAs), the various parameters
 on the final signed certificate are set at signing time and _may or may not honor
 the parameters set here_ (and transmitted in the returned CSR).
 
-Note that this API supports [Managed Keys](/docs/enterprise/managed-keys);
+Note that this API supports [Managed Keys](/vault/docs/enterprise/managed-keys);
 additional details are available [below in a dedicated section](#managed-keys).
 
 The parameters below are mostly meant as a helper function; not all possible
@@ -1952,7 +1952,7 @@ imported entries present in the same bundle).
    issues; this may impact long-term use of these issuers, but some issuers or
    keys may still be imported as a result of this process.
 
-~> Warning: See the [note](/docs/secrets/pki/considerations#issuer-subjects-and-crls)
+~> Warning: See the [note](/vault/docs/secrets/pki/considerations#issuer-subjects-and-crls)
    regarding Subject naming on externally created CA certificates and
    shortcomings with CRL building.
 
@@ -2594,7 +2594,7 @@ request is denied.
    `foo.*.example.com` and `bar` is a subdomain of that.
 
 - `allowed_domains_template` `(bool: false)` - When set, `allowed_domains`
-  may contain templates, as with [ACL Path Templating](/docs/concepts/policies).
+  may contain templates, as with [ACL Path Templating](/vault/docs/concepts/policies).
   Non-templated domains are also still permitted.
 
 - `allow_bare_domains` `(bool: false)` - Specifies if clients can request
@@ -2662,7 +2662,7 @@ request is denied.
   `spiffe://hostname/*`).
 
 - `allowed_uri_sans_template` `(bool: false)` - When set, `allowed_uri_sans`
-  may contain templates, as with [ACL Path Templating](/docs/concepts/policies).
+  may contain templates, as with [ACL Path Templating](/vault/docs/concepts/policies).
   Non-templated domains are also still permitted.
 
 - `allowed_other_sans` `(string: "")` - Defines allowed custom OID/UTF8-string
@@ -3059,7 +3059,7 @@ This endpoint allows setting the value of the default issuer.
   generation) will become the default and it will look (to anyone strictly
   using old APIs) that it is the only issuer in the mount. However, it is
   encouraged for applications to update to the newer, safer semantics
-  associated with [multi-issuer rotation](/docs/secrets/pki/rotation-primitives).
+  associated with [multi-issuer rotation](/vault/docs/secrets/pki/rotation-primitives).
 
 ~> Note: When an import creates more than one new issuer with key material
    known to this mount, no default update will occur.
@@ -3641,7 +3641,7 @@ expiration time.
   if present). Migration will only occur after `issuer_safety_buffer` has
   passed since the last successful migration.
 
-- `safety_buffer` `(string: "")` - Specifies a duration using [duration format strings](/docs/concepts/duration-format)
+- `safety_buffer` `(string: "")` - Specifies a duration using [duration format strings](/vault/docs/concepts/duration-format)
   used as a safety buffer to ensure certificates are not expunged prematurely; as an example, this can keep
   certificates from being removed from the CRL that, due to clock skew, might
   still be considered valid on other hosts. For a certificate to be expunged,
@@ -3733,7 +3733,7 @@ status endpoint described below.
   if present). Migration will only occur after `issuer_safety_buffer` has
   passed since the last successful migration.
 
-- `safety_buffer` `(string: "")` - Specifies a duration using [duration format strings](/docs/concepts/duration-format)
+- `safety_buffer` `(string: "")` - Specifies a duration using [duration format strings](/vault/docs/concepts/duration-format)
   used as a safety buffer to ensure certificates are not expunged prematurely; as an example, this can keep
   certificates from being removed from the CRL that, due to clock skew, might
   still be considered valid on other hosts. For a certificate to be expunged,
@@ -3872,7 +3872,7 @@ $ curl \
 
 ## Cluster Scalability
 
-See [PKI Cluster Scalability](/docs/secrets/pki/considerations#cluster-scalability) in the considerations page.
+See [PKI Cluster Scalability](/vault/docs/secrets/pki/considerations#cluster-scalability) in the considerations page.
 
 ## Managed Keys
 

website/content/api-docs/secret/rabbitmq.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault RabbitMQ secrets engine
 
 This is the API documentation for the Vault RabbitMQ secrets engine. For general
 information about the usage and operation of the RabbitMQ secrets engine, please
-see the [RabbitMQ documentation](/docs/secrets/rabbitmq).
+see the [RabbitMQ documentation](/vault/docs/secrets/rabbitmq).
 
 This documentation assumes the RabbitMQ secrets engine is enabled at the
 `/rabbitmq` path in Vault. Since it is possible to enable secrets engines at any
@@ -33,10 +33,10 @@ RabbitMQ.
 
 - `verify_connection` `(bool: true)` – Specifies whether to verify connection URI, username, and password.
 
-- `password_policy` `(string: "")` - Specifies a [password policy](/docs/concepts/password-policies) to
+- `password_policy` `(string: "")` - Specifies a [password policy](/vault/docs/concepts/password-policies) to
   use when creating dynamic credentials. Defaults to generating an alphanumeric password if not set.
 
-- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
+- `username_template` `(string)` - [Template](/vault/docs/concepts/username-templating) describing how
   dynamic usernames are generated.
 
 ### Sample Payload

website/content/api-docs/secret/ssh.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault SSH secrets engine.
 
 This is the API documentation for the Vault SSH secrets engine. For general
 information about the usage and operation of the SSH secrets engine, please see
-the [SSH documentation](/docs/secrets/ssh).
+the [SSH documentation](/vault/docs/secrets/ssh).
 
 This documentation assumes the SSH secrets engine is enabled at the `/ssh` path
 in Vault. Since it is possible to enable secrets engines at any location, please
@@ -261,7 +261,7 @@ This endpoint creates or updates a named role.
   explicit `algorithm_signer=rsa-sha` parameter or has been migrated to such.
 
 - `not_before_duration` `(duration: "30s")` – Specifies the duration by which to
-  backdate the `ValidAfter` property. Uses [duration format strings](/docs/concepts/duration-format).
+  backdate the `ValidAfter` property. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 

website/content/api-docs/secret/terraform.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault Terraform Cloud secret
 
 This is the API documentation for the Vault Terraform Cloud secret backend. For general
 information about the usage and operation of the Terraform Cloud backend, please see the
-[Vault Terraform Cloud backend documentation](/docs/secrets/terraform).
+[Vault Terraform Cloud backend documentation](/vault/docs/secrets/terraform).
 
 This documentation assumes the Terraform Cloud backend is mounted at the `/terraform` path
 in Vault. Since it is possible to mount secret backends at any location, please
@@ -102,7 +102,7 @@ with the `/rotate-role` endpoint.
 
 Please see the [Terraform Cloud API
 Token documentation for more
-information](https://www.terraform.io/cloud-docs/users-teams-organizations/api-tokens).
+information](/terraform/cloud-docs/users-teams-organizations/api-tokens).
 
 | Method | Path                    |
 | :----- | :---------------------- |
@@ -126,11 +126,11 @@ information](https://www.terraform.io/cloud-docs/users-teams-organizations/api-t
 
 - `ttl` `(duration: "")` – Specifies the TTL for this role. If not
   provided, the default Vault TTL is used. Only applies to User API tokens.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 - `max_ttl` `(duration: "")` – Specifies the max TTL for this role. If not
   provided, the default Vault Max TTL is used. Only applies to User API tokens.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 

website/content/api-docs/secret/totp.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault TOTP secrets engine.
 
 This is the API documentation for the Vault TOTP secrets engine. For general
 information about the usage and operation of the TOTP secrets engine, please see
-the [TOTP documentation](/docs/secrets/totp).
+the [TOTP documentation](/vault/docs/secrets/totp).
 
 This documentation assumes the TOTP secrets engine is enabled at the `/totp`
 path in Vault. Since it is possible to enable secrets engines at any location,

website/content/api-docs/secret/transform.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Transform secrets engine.
 
 This is the API documentation for the Transform secrets engine. For general
 information about the usage and operation of the secrets engine, please see the
-[Transform secrets engine documentation](/docs/secrets/transform).
+[Transform secrets engine documentation](/vault/docs/secrets/transform).
 
 This documentation assumes the transform secrets engine is enabled at the
 `/transform` path in Vault. Since it is possible to enable secrets engines at any
@@ -974,7 +974,7 @@ The database user configured here should only have permission to `SELECT`,
 
 - `max_connection_lifetime` `(duration: 0)` -
   The maximum amount of time a connection can be open before closing it.
-  0 means no limit. Uses [duration format strings](/docs/concepts/duration-format).
+  0 means no limit. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payloads
 
@@ -1890,7 +1890,7 @@ This endpoint starts or continues retrieving an export of tokenization
 state, including the tokens and their decoded values. This call is only
 supported on tokenization stores configured with the `exportable` mapping
 mode. Refer to the Tokenization
-[documentation](../../docs/secrets/transform/tokenization#security-considerations)
+[documentation](/vault/docs/secrets/transform/tokenization#security-considerations)
 for when to use the `exportable` mapping mode.
 Decoded values are in Base64 representation.
 
@@ -2011,7 +2011,7 @@ Only valid for tokenization transformations.
 - `auto_rotate_period` `(duration: "0", optional)` - The period at which this key
   should be rotated automatically. Setting this to "0" will disable automatic key
   rotation. This value cannot be shorter than one hour. Uses
-  [duration format strings](/docs/concepts/duration-format).
+  [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 

website/content/api-docs/secret/transit.mdx

@@ -8,7 +8,7 @@ description: This is the API documentation for the Vault Transit secrets engine.
 
 This is the API documentation for the Vault Transit secrets engine. For general
 information about the usage and operation of the Transit secrets engine, please
-see the [transit documentation](/docs/secrets/transit).
+see the [transit documentation](/vault/docs/secrets/transit).
 
 This documentation assumes the transit secrets engine is enabled at the
 `/transit` path in Vault. Since it is possible to enable secrets engines at any
@@ -79,7 +79,7 @@ values set here cannot be changed after key creation.
 - `auto_rotate_period` `(duration: "0", optional)` – The period at which
   this key should be rotated automatically. Setting this to "0" (the default)
   will disable automatic key rotation. This value cannot be shorter than one
-  hour. Uses [duration format strings](/docs/concepts/duration-format).
+  hour. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 
@@ -119,7 +119,7 @@ two values: an ephemeral 256-bit AES key wrapped using the wrapping key
 returned by Vault and the encryption of the import key material under the
 provided AES key. The wrapped AES key should be the first 512 bytes of the
 ciphertext, and the encrypted key material should be the remaining bytes.
-See the BYOK section of the [Transit secrets engine documentation](/docs/secrets/transit#bring-your-own-key-byok)
+See the BYOK section of the [Transit secrets engine documentation](/vault/docs/secrets/transit#bring-your-own-key-byok)
 for more information on constructing the ciphertext.
 
 - `hash_function` `(string: "SHA256")` - The hash function used for the
@@ -212,7 +212,7 @@ two values: an ephemeral 256-bit AES key wrapped using the wrapping key
 returned by Vault and the encryption of the import key material under the
 provided AES key. The wrapped AES key should be the first 512 bytes of the
 ciphertext, and the encrypted key material should be the remaining bytes.
-See the BYOK section of the [Transit secrets engine documentation](/docs/secrets/transit#bring-your-own-key-byok)
+See the BYOK section of the [Transit secrets engine documentation](/vault/docs/secrets/transit#bring-your-own-key-byok)
 for more information on constructing the ciphertext.
 
 - `hash_function` `(string: "SHA256")` - The hash function used for the
@@ -414,7 +414,7 @@ are returned during a read operation on the named key.)
 - `auto_rotate_period` `(duration: "", optional)` – The period at which this
   key should be rotated automatically. Setting this to "0" will disable automatic
   key rotation. This value cannot be shorter than one hour. When no value is
-  provided, the period remains unchanged. Uses [duration format strings](/docs/concepts/duration-format).
+  provided, the period remains unchanged. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 ### Sample Payload
 
@@ -697,7 +697,7 @@ Use the base64-encoded plaintext in the payload:
 }
 ```
 
-!> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial of service attack. This can be tuned per [`listener` block](/docs/configuration/listener/tcp) in the Vault server configuration.
+!> Vault HTTP API imposes a maximum request size of 32MB to prevent a denial of service attack. This can be tuned per [`listener` block](/vault/docs/configuration/listener/tcp) in the Vault server configuration.
 
 ### Sample Request
 
@@ -1750,4 +1750,4 @@ $ curl \
   },
 ```
 
-[sys-plugin-reload-backend]: /api-docs/system/plugins-reload-backend#reload-plugins
+[sys-plugin-reload-backend]: /vault/api-docs/system/plugins-reload-backend#reload-plugins

website/content/api-docs/system/experiments.mdx

@@ -12,8 +12,8 @@ The `/sys/experiments` endpoint returns information about experiments on the Vau
 
 This endpoint returns the experiments available and enabled on the Vault node.
 Experiments are per-node and cannot be changed while the node is running. See
-the [`-experiment`](/docs/commands/server#experiment) flag and the
+the [`-experiment`](/vault/docs/commands/server#experiment) flag and the
-[`experiments`](/docs/configuration#experiments) config key documentation for
+[`experiments`](/vault/docs/configuration#experiments) config key documentation for
 details on enabling experiments.
 
 | Method | Path               |

website/content/api-docs/system/init.mdx

@@ -35,7 +35,7 @@ $ curl \
 
 This endpoint initializes a new Vault. The Vault must not have been previously
 initialized. The recovery options, as well as the stored shares option, are only
-available when using [Auto Unseal](/docs/concepts/seal#auto-unseal).
+available when using [Auto Unseal](/vault/docs/concepts/seal#auto-unseal).
 
 | Method | Path        |
 | :----- | :---------- |

website/content/api-docs/system/inspect/index.mdx

@@ -10,7 +10,7 @@ description: >-
 
 The `/sys/internal/inspect` family of endpoints is intended to inspect a specific internal subsystem for debugging purposes.
 This endpoint is off by default. See the
-[Vault configuration documentation](/docs/configuration) to
+[Vault configuration documentation](/vault/docs/configuration) to
 enable. Once the endpoint is turned on, it can be accessed with a root token or sudo privileges.
 
 ~> **NOTE**: These endpoints are only available in Vault version 1.13+. Backwards compatibility is not guaranteed. These endpoints are subject to change or may disappear without notice.
@@ -18,5 +18,5 @@ enable. Once the endpoint is turned on, it can be accessed with a root token or
 
 ## Supported Inspection Paths
 
-- [Router](/api-docs/system/inspect/router)
+- [Router](/vault/api-docs/system/inspect/router)
 

website/content/api-docs/system/internal-counters.mdx

@@ -318,7 +318,7 @@ That is to say, the response will appear as follows.
 ```
 
 
-Please visit the [client count](/docs/concepts/client-count) concepts page for
+Please visit the [client count](/vault/docs/concepts/client-count) concepts page for
 more information on how clients map to these client IDs and how they are
 counted, or for more information about how the new clients for the current month 
 are estimated in a billing period.

website/content/api-docs/system/internal-specs-openapi.mdx

@@ -15,7 +15,7 @@ The set of included paths is based on the permissions of the request token.
 
 The response may include Vault-specific [extensions](https://github.com/oai/openapi-specification/blob/master/versions/3.0.2.md#specification-extensions). Three are currently defined:
 
-- `x-vault-sudo` - Endpoint requires [sudo](/docs/concepts/policies#sudo) privileges.
+- `x-vault-sudo` - Endpoint requires [sudo](/vault/docs/concepts/policies#sudo) privileges.
 - `x-vault-unauthenticated` - Endpoint is unauthenticated.
 - `x-vault-create-supported` - Endpoint allows creation of new items, in addition to updating existing items.
 

website/content/api-docs/system/license.mdx

@@ -15,7 +15,7 @@ Vault.
 
 ## License Status
 
-This endpoint returns information about licensing. See [license autoloading](/docs/enterprise/license/autoloading) for additional background.
+This endpoint returns information about licensing. See [license autoloading](/vault/docs/enterprise/license/autoloading) for additional background.
 
 In the response:
 

website/content/api-docs/system/managed-keys.mdx

@@ -7,7 +7,7 @@ description: The `/sys/managed-keys` endpoint is used to manage the managed keys
 # `/sys/managed-keys`
 
 The `/sys/managed-keys` endpoint is used to manage the Managed Key configuration within Vault.
-See the [Managed Keys](/docs/enterprise/managed-keys) section for further details on the Managed Keys system.
+See the [Managed Keys](/vault/docs/enterprise/managed-keys) section for further details on the Managed Keys system.
 
 ## List managed keys.
 
@@ -101,7 +101,7 @@ $ curl \
 - `type` `(string: "pkcs11")` - To select a PKCS#11 backend, the type parameter must be set to `pkcs11`.
 
 - `library` `(string: <required>)` - The name of the `kms_library` stanza to use from Vault's config to
-   lookup the local library path. See [kms_library stanza](/docs/configuration/kms-library) for further details.
+   lookup the local library path. See [kms_library stanza](/vault/docs/configuration/kms-library) for further details.
 
 - `key_label` `(string: <required>)` - The label of the key to use. If the key does not exist
   and generation is enabled, this is the label that will be given to the generated key. This

website/content/api-docs/system/mfa/index.mdx

@@ -13,17 +13,17 @@ behaviors in Vault Enterprise MFA.
 
 ## Supported MFA types
 
-- [TOTP](/api-docs/system/mfa/totp)
+- [TOTP](/vault/api-docs/system/mfa/totp)
 
-- [Okta](/api-docs/system/mfa/okta)
+- [Okta](/vault/api-docs/system/mfa/okta)
 
-- [Duo](/api-docs/system/mfa/duo)
+- [Duo](/vault/api-docs/system/mfa/duo)
 
-- [PingID](/api-docs/system/mfa/pingid)
+- [PingID](/vault/api-docs/system/mfa/pingid)
 
 ## Step-up Enterprise MFA
 
-[Vault Enterprise](/docs/enterprise/mfa) allows MFA for login and access to
+[Vault Enterprise](/vault/docs/enterprise/mfa) allows MFA for login and access to
 sensitive resources in Vault.  The Step-up Enterprise MFA expects the method
 creator to specify a name for the method; Login MFA does not, and instead
 returns an ID when a method is created. Although MFA methods supported with Step-up Enterprise MFA are supported with the Login MFA, they use different API endpoints.
@@ -34,5 +34,5 @@ returns an ID when a method is created. Although MFA methods supported with Step
 ~> **Note:** While the `sys/mfa` endpoint is supported for both OSS and Vault Enterprise, `sys/mfa/method/:type/:/name` is only supported for Vault Enterprise.
 
 Refer to the [Login MFA
-FAQ](/docs/auth/login-mfa/faq#q-are-there-new-mfa-api-endpoints-introduced-as-part-of-the-new-vault-version-1-10-mfa-for-login-functionality) document
+FAQ](/vault/docs/auth/login-mfa/faq#q-are-there-new-mfa-api-endpoints-introduced-as-part-of-the-new-vault-version-1-10-mfa-for-login-functionality) document
 for more details.

website/content/api-docs/system/mounts.mdx

@@ -242,7 +242,7 @@ simple as increasing the timeout (in the event of timeout errors).
 
 For recovery situations where the secret was manually removed from the
 secrets backing service, one can force a secrets engine disable in Vault by
-performing a [force revoke](/api-docs/system/leases)
+performing a [force revoke](/vault/api-docs/system/leases)
 on the mount prefix, followed by a secrets disable when that completes. 
 If the underlying secrets were not manually cleaned up, this method might result
 in dangling credentials. This is meant for extreme circumstances.

website/content/api-docs/system/namespaces.mdx

@@ -172,7 +172,7 @@ $ curl \
 
 This endpoint locks the API for the current namespace path or optional subpath.
 The behavior when interacting with Vault from a locked namespace is described in
-[API Locked Response](/docs/concepts/namespace-api-lock#api-locked-response).
+[API Locked Response](/vault/docs/concepts/namespace-api-lock#api-locked-response).
 
 | Method | Path                    |
 | :----- | :---------------------- |

website/content/api-docs/system/policies-password.mdx

@@ -13,7 +13,7 @@ are using for compatibility.
 
 ~> Password policies are only available in Vault version 1.5+.
 
-See [Password Policies](/docs/concepts/password-policies) for details of how password policies work
+See [Password Policies](/vault/docs/concepts/password-policies) for details of how password policies work
 as well as the syntax of the policies themselves.
 
 ## Create/Update Password Policy
@@ -37,7 +37,7 @@ generation times.
   This is specified as part of the request URL.
 
 - `policy` `(string: <required>)` - Specifies the password policy document. This can be
-  base64-encoded to avoid string escaping. See [Password Policy Syntax](/docs/concepts/password-policies#password-policy-syntax)
+  base64-encoded to avoid string escaping. See [Password Policy Syntax](/vault/docs/concepts/password-policies#password-policy-syntax)
   for details on password policy definitions.
 
 ### Sample Payload

website/content/api-docs/system/raw.mdx

@@ -9,7 +9,7 @@ description: The `/sys/raw` endpoint is used to access the raw underlying store
 The `/sys/raw` endpoint is used to access the raw underlying store in Vault.
 
 This endpoint is off by default. See the
-[Vault configuration documentation](/docs/configuration) to
+[Vault configuration documentation](/vault/docs/configuration) to
 enable.
 
 ## Read Raw

website/content/api-docs/system/remount.mdx

@@ -17,7 +17,7 @@ engines and auth methods.
 
 The remount operation returns a migration ID to the user. The user may utilize the migration ID to look up 
 the status of the mount migration. More details about the remount operation are described in 
-[Mount Migration](/docs/concepts/mount-migration).
+[Mount Migration](/vault/docs/concepts/mount-migration).
 
 ~> Note: This endpoint requires a policy with both `sudo` and `update` capabilities to `sys/remount`
 

website/content/api-docs/system/replication/replication-dr.mdx

@@ -343,7 +343,7 @@ result in data loss!
 ~> It is not safe to replicate from a newer version of Vault to an older version.
 When upgrading replicated clusters, ensure that upstream clusters are always
 on older versions of Vault than downstream clusters. See
-[Upgrading Vault](/docs/upgrading#replication-installations) for an example.
+[Upgrading Vault](/vault/docs/upgrading#replication-installations) for an example.
 
 
 | Method | Path                                    |

website/content/api-docs/system/storage/index.mdx

@@ -6,6 +6,6 @@ description: |-
   The '/sys/storage' endpoints are used to manage Vault's storage backends.
 ---
 
-This API sub-section is currently only used to manage [Raft](/api-docs/system/storage/raft) storage backend.
+This API sub-section is currently only used to manage [Raft](/vault/api-docs/system/storage/raft) storage backend.
 
-On Enterprise there are additional endpoints for working with [Raft Automated Snapshots](/api-docs/system/storage/raftautosnapshots).
+On Enterprise there are additional endpoints for working with [Raft Automated Snapshots](/vault/api-docs/system/storage/raftautosnapshots).

website/content/api-docs/system/storage/raftautopilot.mdx

@@ -10,12 +10,12 @@ description: |-
 # `/sys/storage/raft/autopilot`
 
 The `/sys/storage/raft/autopilot` endpoints are used to manage raft clusters using autopilot
-with Vault's [Integrated Storage backend](/docs/internals/integrated-storage).
+with Vault's [Integrated Storage backend](/vault/docs/internals/integrated-storage).
-Refer to the [Integrated Storage Autopilot](https://learn.hashicorp.com/tutorials/vault/raft-autopilot?in=vault/raft) tutorial to learn how to manage raft clusters using autopilot.
+Refer to the [Integrated Storage Autopilot](/vault/tutorials/raft/raft-autopilot) tutorial to learn how to manage raft clusters using autopilot.
 
 ## Get Cluster State
 
-This endpoint is used to retrieve the raft cluster state. See the [docs page](/docs/commands/operator/raft#autopilot-state) for a description of the output.
+This endpoint is used to retrieve the raft cluster state. See the [docs page](/vault/docs/commands/operator/raft#autopilot-state) for a description of the output.
 
 | Method | Path                                |
 | :----- | :---------------------------------- |

website/content/api-docs/system/user-lockout.mdx

@@ -8,7 +8,7 @@ description: The `/sys/locked-users` endpoint is used to manage locked users in
 
 The `/sys/locked-users` endpoint is used to list and unlock locked users in Vault. 
 
-Please visit [user lockout](/docs/concepts/user-lockout) concepts page for more details about the feature. 
+Please visit [user lockout](/vault/docs/concepts/user-lockout) concepts page for more details about the feature. 
 
 ## List Locked Users
 

website/content/docs/agent/apiproxy.mdx

@@ -13,20 +13,20 @@ for Vault's API.
 
 ## Functionality
 
-The [`listener` stanza](/docs/agent#listener-stanza) for Vault Agent configures a listener for Vault Agent. If
+The [`listener` stanza](/vault/docs/agent#listener-stanza) for Vault Agent configures a listener for Vault Agent. If
 its `role` is not set to `metrics_only`, it will act as a proxy for the Vault server that
-has been configured in the [`vault` stanza](/docs/agent#vault-stanza) stanza of Vault Agent. This enables access to the Vault
+has been configured in the [`vault` stanza](/vault/docs/agent#vault-stanza) stanza of Vault Agent. This enables access to the Vault
 API from the Agent API, and can be configured to optionally allow or force the automatic use of
 the Auto-Auth token for these requests, as described below.
 
 If a `listener` has been configured alongside a `cache` stanza, the API Proxy will
 first attempt to utilize the cache subsystem for qualifying requests, before forwarding the
-request to Vault. See the [caching docs](/docs/agent/caching) for more information on caching.
+request to Vault. See the [caching docs](/vault/docs/agent/caching) for more information on caching.
 
 ## Using Auto-Auth Token
 
 Vault Agent allows for easy authentication to Vault in a wide variety of
-environments using [Auto-Auth](/docs/agent/autoauth). By setting the
+environments using [Auto-Auth](/vault/docs/agent/autoauth). By setting the
 `use_auto_auth_token` (see below) configuration, clients will not be required
 to provide a Vault token to the requests made to the Agent. When this
 configuration is set, if the request doesn't already bear a token, then the
@@ -40,7 +40,7 @@ request to the Vault server.
 Vault Agent can be configured to force the use of the auto-auth token by using
 the value `force` for the `use_auto_auth_token` option. This configuration
 overrides the default behavior described above in [Using Auto-Auth
-Token](/docs/agent/apiproxy#using-auto-auth-token), and instead ignores any
+Token](/vault/docs/agent/apiproxy#using-auto-auth-token), and instead ignores any
 existing Vault token in the request and instead uses the auto-auth token.
 
 
@@ -57,7 +57,7 @@ auto-auth token, overwriting the attached Vault token if set.
 
 The following two `api_proxy` options are only useful when making requests to a Vault
 Enterprise cluster, and are documented as part of its
-[Eventual Consistency](/docs/enterprise/consistency#vault-agent-and-consistency-headers)
+[Eventual Consistency](/vault/docs/enterprise/consistency#vault-agent-and-consistency-headers)
 page.
 
 - `enforce_consistency` `(string: "never")` - Set to one of `"always"`

website/content/docs/agent/autoauth/index.mdx

@@ -31,7 +31,7 @@ configured Sinks, subject to their configuration.
 
 Sinks support some advanced features, including the ability for the written
 values to be encrypted or
-[response-wrapped](/docs/concepts/response-wrapping).
+[response-wrapped](/vault/docs/concepts/response-wrapping).
 
 Both mechanisms can be used concurrently; in this case, the value will be
 response-wrapped, then encrypted.
@@ -110,7 +110,7 @@ The top level `auto_auth` block has two configuration entries:
 Agent does not track the number of uses remaining, and may allow the token to
 expire before attempting to renew it. For example, if using AppRole auto-auth,
 you must use 0 (meaning unlimited) as the value for
-[`token_num_uses`](https://www.vaultproject.io/api-docs/auth/approle#token_num_uses).
+[`token_num_uses`](/vault/api-docs/auth/approle#token_num_uses).
 
 These are common configuration values that live within the `method` block:
 
@@ -135,14 +135,14 @@ These are common configuration values that live within the `method` block:
   automatically reauthenticate when it expires. Rather than a simple string,
   the written value will be a JSON-encoded
   [SecretWrapInfo](https://godoc.org/github.com/hashicorp/vault/api#SecretWrapInfo)
-  structure. Uses [duration format strings](/docs/concepts/duration-format).
+  structure. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 - `min_backoff` `(string or integer: "1s")` - The minimum backoff time Agent
   will delay before retrying after a failed auth attempt. The backoff will start
   at the configured value and double (with some randomness) after successive
   failures, capped by `max_backoff.` If Agent templating is being used, this
   value is also used as the min backoff time for the templating server.
-  Uses [duration format strings](/docs/concepts/duration-format).
+  Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 - `max_backoff` `(string or integer: "5m")` - The maximum time Agent will delay
   before retrying after a failed auth attempt. The backoff will start at
@@ -150,7 +150,7 @@ These are common configuration values that live within the `method` block:
   capped by `max_backoff.` If Agent templating is being used, this value is also
   used as the max backoff time for the templating server. `max_backoff` is the
   duration between retries, and **not** the duration that retries will be
-  performed before giving up. Uses [duration format strings](/docs/concepts/duration-format).
+  performed before giving up. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 - `exit_on_err` `(bool: false)` - When set to true, Vault Agent will exit if any 
   errors occur during authentication. This configurable only affects login attempts 
@@ -173,7 +173,7 @@ These configuration values are common to all Sinks:
   reauthenticate when it expires. Rather than a simple string, the written
   value will be a JSON-encoded
   [SecretWrapInfo](https://godoc.org/github.com/hashicorp/vault/api#SecretWrapInfo)
-  structure. Uses [duration format strings](/docs/concepts/duration-format).
+  structure. Uses [duration format strings](/vault/docs/concepts/duration-format).
 
 - `dh_type` `(string: optional)` - If specified, the type of Diffie-Hellman exchange to
   perform, meaning, which ciphers and/or curves. Currently only `curve25519` is

website/content/docs/agent/autoauth/methods/alicloud.mdx

@@ -7,7 +7,7 @@ description: AliCloud Method for Vault Agent Auto-Auth
 # Vault Agent Auto-Auth AliCloud Method
 
 The `alicloud` method performs authentication against the [AliCloud Auth
-method](/docs/auth/alicloud).
+method](/vault/docs/auth/alicloud).
 
 ## Credentials
 

website/content/docs/agent/autoauth/methods/approle.mdx

@@ -8,7 +8,7 @@ description: AppRole Method for Vault Agent Auto-Auth
 
 The `approle` method reads in a role ID and a secret ID from files and sends
 the values to the [AppRole Auth
-method](/docs/auth/approle).
+method](/vault/docs/auth/approle).
 
 The method caches values and it is safe to delete the role ID/secret ID files
 after they have been read. In fact, by default, after reading the secret ID,
@@ -32,15 +32,15 @@ cached.
 
 - `secret_id_response_wrapping_path` `(string: optional)` - If set, the value
   at `secret_id_file_path` will be expected to be a [Response-Wrapping
-  Token](/docs/concepts/response-wrapping)
+  Token](/vault/docs/concepts/response-wrapping)
   containing the output of the secret ID retrieval endpoint for the role (e.g.
   `auth/approle/role/webservers/secret-id`) and the creation path for the
   response-wrapping token must match the value set here.
 
 ## Example Configuration
 
-An example configuration, using approle to enable [auto-auth](/docs/agent/autoauth)
+An example configuration, using approle to enable [auto-auth](/vault/docs/agent/autoauth)
-and creating both a plaintext token sink and a [response-wrapped token sink file](/docs/agent/autoauth#wrap_ttl), follows:
+and creating both a plaintext token sink and a [response-wrapped token sink file](/vault/docs/agent/autoauth#wrap_ttl), follows:
 
 ```hcl
 pid_file = "./pidfile"

website/content/docs/agent/autoauth/methods/aws.mdx

@@ -7,7 +7,7 @@ description: AWS Method for Vault Agent Auto-Auth
 # Vault Agent Auto-Auth AWS Method
 
 The `aws` method performs authentication against the [AWS Auth
-method](/docs/auth/aws). Both `ec2` and `iam`
+method](/vault/docs/auth/aws). Both `ec2` and `iam`
 authentication types are supported. If `ec2` is used, the agent will store the
 reauthentication value in memory and use it for reauthenticating, but will not
 persist it to disk.
@@ -48,17 +48,17 @@ parameters unset in your configuration.
 
 - `region` `(string: "us-east-1")` - The region to use for signing the authentication request. The
   region Agent uses should match that corresponding to
-  [`sts_endpoint`](/api-docs/auth/aws#sts_endpoint),
+  [`sts_endpoint`](/vault/api-docs/auth/aws#sts_endpoint),
   if a custom endpoint has been configured on the Vault server.
 
 - `session_token` `(string: optional)` - The session token to use for authentication, if needed.
 
 - `header_value` `(string: optional)` - If configured in Vault, the value to use for
-  [`iam_server_id_header_value`](/api-docs/auth/aws#iam_server_id_header_value).
+  [`iam_server_id_header_value`](/vault/api-docs/auth/aws#iam_server_id_header_value).
 
 - `nonce` `(string: optional)` - If not provided, Vault will generate a new UUID every time `vault agent` runs.
   If set, make sure you understand the importance of generating a good, unique `nonce` and protecting it.
-  See [Client Nonce](/docs/auth/aws#client-nonce) for more information.
+  See [Client Nonce](/vault/docs/auth/aws#client-nonce) for more information.
 
 ## Tutorial
 

website/content/docs/agent/autoauth/methods/azure.mdx

@@ -8,7 +8,7 @@ description: Azure Method for Vault Agent Auto-Auth
 
 The `azure` method reads in Azure instance credentials and uses them to
 authenticate with the [Azure Auth
-method](/docs/auth/azure). It reads most
+method](/vault/docs/auth/azure). It reads most
 parameters needed for authentication directly from instance information based
 on the value of the `resource` parameter.
 

website/content/docs/agent/autoauth/methods/cert.mdx

@@ -14,13 +14,13 @@ It is strongly advised to provide TLS settings in the configuration stanza
 within the auth method to avoid agent cache, if also enabled, from using the
 same TLS settings when proxying requests. If TLS settings are not present in the
 config stanza, Agent will fall back to using TLS settings from the [`vault`
-Stanza](/docs/agent#vault-stanza).
+Stanza](/vault/docs/agent#vault-stanza).
 
 ## Configuration
 
 - `name` `(string: optional)` - The trusted certificate role which should be used
   when authenticating with TLS. If a `name` is not specified, the auth method will
-  try to authenticate against [all trusted certificates](/docs/auth/cert#authentication).
+  try to authenticate against [all trusted certificates](/vault/docs/auth/cert#authentication).
 
 - `ca_cert` `(string: optional)` - Path on the local disk to a single
   PEM-encoded CA certificate to verify the Vault server's SSL certificate.

website/content/docs/agent/autoauth/methods/cf.mdx

@@ -7,7 +7,7 @@ description: CF Method for Vault Agent Auto-Auth
 # Vault Agent Auto-Auth CF Method
 
 The `cf` method performs authentication against the [CF Auth
-method](/docs/auth/cf).
+method](/vault/docs/auth/cf).
 
 ## Credentials
 

website/content/docs/agent/autoauth/methods/gcp.mdx

@@ -7,7 +7,7 @@ description: GCP Method for Vault Agent Auto-Auth
 # Vault Agent Auto-Auth GCP Method
 
 The `gcp` method performs authentication against the [GCP Auth
-method](/docs/auth/gcp). Both `gce` and `iam`
+method](/vault/docs/auth/gcp). Both `gce` and `iam`
 authentication types are supported.
 
 ## Credentials

website/content/docs/agent/autoauth/methods/jwt.mdx

@@ -7,7 +7,7 @@ description: JWT Method for Vault Agent Auto-Auth
 # Vault Agent Auto-Auth JWT Method
 
 The `jwt` method reads in a JWT from a file and sends it to the [JWT Auth
-method](/docs/auth/jwt).
+method](/vault/docs/auth/jwt).
 
 ## Configuration
 

website/content/docs/agent/autoauth/methods/kerberos.mdx

@@ -13,7 +13,7 @@ a Vault token for Kerberos entities. It reads in configuration and
 identification information from the surrounding environment, and uses
 it to authenticate to Vault.
 
-For more on this auth method, see the [Kerberos auth method](/docs/auth/kerberos).
+For more on this auth method, see the [Kerberos auth method](/vault/docs/auth/kerberos).
 
 ## Configuration