Namespace API Lock docs (#13064)

* add api lock doc * add docs nav data * Update website/content/api-docs/system/namespaces.mdx Co-authored-by: Chris Capurso <christopher.capurso@gmail.com> * update command doc * clarify locked http status code * add example exempt path * further exempt clarification * link api locked response * add x-vault-namespace api example * Update website/content/docs/concepts/namespace-api-lock.mdx Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com> * review suggestions * few other small tweaks Co-authored-by: Chris Capurso <christopher.capurso@gmail.com> Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2025-11-02 03:27:54 +00:00 · 2021-11-09 15:43:17 -07:00
parent 47024a27d5
commit a7a20ae3bb
4 changed files with 235 additions and 5 deletions
--- a/website/content/api-docs/system/namespaces.mdx
+++ b/website/content/api-docs/system/namespaces.mdx
@@ -72,7 +72,7 @@ $ curl \

 ## Read Namespace Information

-This endpoint get the metadata for the given namespace path.
+This endpoint gets the metadata for the given namespace path.

 | Method | Path                    |
 | :----- | :---------------------- |
@@ -94,3 +94,118 @@ $ curl \
  "path": "ns1/"
 }
 ```
+
+## Lock Namespace
+
+This endpoint locks the API for the current namespace path or optional subpath.
+The behavior when interacting with Vault from a locked namespace is described in
+[API Locked Response](/docs/concepts/namespace-api-lock#api-locked-response).
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST`  | `/sys/namespaces/api-lock/lock/:subpath` |
+
+### Sample Request - Current Namespace
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/namespaces/api-lock/lock
+```
+
+### Sample Response - Current Namespace
+
+```json
+{
+    "unlock_key": "<unlock key for current/ns/path>"
+}
+```
+
+### Sample Request - X-Vault-Namespace
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --header "X-Vault-Namespace: some/path
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/namespaces/api-lock/lock
+```
+
+### Sample Response - X-Vault-Namespace
+
+```json
+{
+    "unlock_key": "<unlock key for some/path>"
+}
+```
+
+### Sample Request - Descendant of Current Namespace
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/namespaces/api-lock/lock/some/descendant/subpath
+```
+
+### Sample Response - Descendant of Current Namespace
+
+```json
+{
+    "unlock_key": "<unlock key for current/ns/path/some/descendant/subpath>"
+}
+```
+
+## Unlock Namespace
+
+This endpoint unlocks the api for the current namespace path or optional subpath.
+
+| Method | Path                    |
+| :----- | :---------------------- |
+| `POST`  | `/sys/namespaces/api-lock/unlock/:subpath` |
+
+### Sample Payload - Current Namespace Non-Root
+
+```json
+{
+  "unlock_key": "<unlock key for current/ns/path>"
+}
+```
+
+### Sample Request - Current Namespace Non-Root
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/namespaces/api-lock/unlock
+```
+
+### Sample Request - Current Namespace Root
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: <some root token>" \
+    --request POST \
+    http://127.0.0.1:8200/v1/sys/namespaces/api-lock/unlock
+```
+
+### Sample Payload - Descendant Namespace Non-Root
+
+```json
+{
+  "unlock_key": "<unlock key for current/ns/path/some/descendant/subpath>"
+}
+```
+
+### Sample Request - Descendant Namespace Non-Root
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    --request POST \
+    --data @payload.json \
+    http://127.0.0.1:8200/v1/sys/namespaces/api-lock/unlock/some/descendant/path
+```