
CLI reference

Global flags

| Flag | Description | Default | Environment variable |
|---|---|---|---|
| --addr | [Global] The URL of the Piiano Vault implementation. | http://localhost:8123 | PVAULT_ADDR |
| --json, -j | [Global] Where JSON is used in the command, returns the output in JSON format. | false | |
| --compact, --co | [Global] When used with the --json flag, the JSON output is compact. | false | |
| --insecure, -k | [Global] Skip TLS certificate verification. | false | |
| --reason | [Global] The REASON for accessing Piiano Vault, using one of these codes: AppFunctionality, Analytics, Notifications, ThirdPartyMarketing, Marketing, FraudPreventionSecurityAndCompliance, AccountManagement, DataSubjectRequest, Maintenance, and Other. | Maintenance | PVAULT_ACCESS_REASON |
| --authtoken | [Global] The authorization TOKEN that is passed in the header of each request. | pvaultauth | PVAULT_AUTH_TOKEN |
| --log-level | [Global] The LOG_LEVEL of the log recorded by this transaction. The allowed values are debug, info, warn, and error. | info | PVAULT_LOG_LEVEL |
| --verbose, -v | [Global] Prints debug information. | false | |
| --no-color | [Global] Disable colored output. | false | NO_COLOR |
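
The global flags above decide where the token goes and whether the TLS peer is verified, so they are worth checking before a command runs. The following pre-flight check is an added example, not part of the Piiano CLI or its documentation: `pvault_guard`, its finding names, the policy it enforces, and the sample hosts are assumptions of this example, as is the acceptance of both `--flag=value` and `--flag value` forms.

```shell
#!/bin/sh
# Added example (not Piiano code): pre-flight check for a pvault command line.
# Usage: pvault_guard <arguments you intend to pass to pvault>
# Prints one finding per line; exit status is 0 only when nothing was flagged.

# Host part of a URL, e.g. https://user@vault.example:8123/x -> vault.example
_pv_host() {
  h=${1#*://}                            # drop the scheme
  h=${h%%/*}                             # drop the path
  h=${h##*@}                             # drop userinfo, which can mimic a host
  case $h in
    \[*) h=${h#\[}; h=${h%%\]*} ;;       # bracketed IPv6 literal
    *)   h=${h%%:*} ;;                   # drop :port
  esac
  printf '%s\n' "$h"
}

_pv_is_loopback() {
  case $1 in
    localhost|::1) return 0 ;;
    *[!0-9.]*)     return 1 ;;           # a name, not a dotted-decimal address
    127.*.*.*)     return 0 ;;
    *)             return 1 ;;
  esac
}

# The ( ) body runs in a subshell so the working variables do not leak.
pvault_guard() (
  addr=${PVAULT_ADDR:-http://localhost:8123}      # documented default
  token=${PVAULT_AUTH_TOKEN:-pvaultauth}          # documented default
  insecure=0 token_on_argv=0 findings=0

  # Assumption: flags accept both "--flag=value" and "--flag value".
  while [ $# -gt 0 ]; do
    case $1 in
      --addr=*)      addr=${1#--addr=} ;;
      --addr)        if [ $# -ge 2 ]; then addr=$2; shift; fi ;;
      --authtoken=*) token=${1#--authtoken=}; token_on_argv=1 ;;
      --authtoken)   token_on_argv=1
                     if [ $# -ge 2 ]; then token=$2; shift; fi ;;
      --insecure|-k) insecure=1 ;;
    esac
    shift
  done

  flag() { printf '%s\n' "$1"; findings=$((findings + 1)); }

  host=$(_pv_host "$addr")
  remote=1
  if _pv_is_loopback "$host"; then remote=0; fi

  # Command-line arguments are visible in process listings and shell history.
  if [ "$token_on_argv" -eq 1 ]; then
    flag "authtoken-on-argv: set PVAULT_AUTH_TOKEN instead of --authtoken"
  fi
  if [ "$remote" -eq 1 ]; then
    if [ "$insecure" -eq 1 ]; then
      flag "insecure-remote: --insecure skips certificate checks for $host"
    fi
    case $addr in
      https://*) ;;
      *) flag "cleartext-remote: $host is not addressed over https" ;;
    esac
    if [ "$token" = pvaultauth ]; then
      flag "default-token-remote: default token pvaultauth used for $host"
    fi
  fi
  [ "$findings" -eq 0 ]
)

# Constructed demonstration: a non-loopback Vault addressed with -k is flagged.
pvault_guard --addr=https://vault.example.internal:8123 -k status || true
```

Call it with the same arguments you are about to give `pvault`, for example `pvault_guard "$@" && pvault "$@"` inside a wrapper script.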

Collection

List collections

Lists all collections.

The default table output lists the collection names and their corresponding types, creation time, and last modification time. To obtain details of the collection and its properties, use the JSON or PVSchema flags.

pvault collection list [ --show-builtins ] [ --pvschema ]
  • --show-builtins: Shows the built-in properties in the response.(Optional)
  • --pvschema: Returns the collections list in the PVSchema format.(Optional)

Get collection

Gets a collection and its properties.

The default response to this command is a PVSchema for the collection.

pvault collection get [ --pvschema ] [ --show-builtins ] { --name | --collection | -c | -n=NAME }
  • --pvschema: Returns the collection details in PVSchema format.(Optional)
  • --show-builtins: Shows the built-in properties in the response.(Optional)
  • --name, --collection, -c, -n: The collection NAME.[Required]

Add collection

Adds a collection.

The collection can be defined using a specification in JSON or PVSchema format. A template can also be used, with or without test data.

pvault collection add [ --collection-json=value ] [ --collection-pvschema=value ] [ --pvschema ] [ --show-builtins ] [ --collection-template=value ] [ --add-test-data ] [ --name | --collection | -c | -n=NAME ]
  • --collection-json: The collection details to add in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
  • --collection-pvschema: The collection details to add in PVSchema format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
  • --pvschema: Returns the collection in PVSchema format.(Optional)
  • --show-builtins: Shows the built-in properties in the response.(Optional)
  • --collection-template: The collection template to use. This template provides example properties and can be combined with --add-test-data to add example data to the collection. Supported values are: persons and credit_cards.(Optional)
  • --add-test-data: Adds example data to the collection. Can only be used with --collection-template.(Optional)
  • --name, --collection, -c, -n: The collection NAME.(Optional)

Update collection

Adds properties to a collection. This command may take a long time to complete.

The default response to this command is a PVSchema for the properties added.

pvault collection update [ --collection-json=value ] [ --collection-pvschema=value ] [ --pvschema ] [ --show-builtins ] { --name | --collection | -c | -n=NAME }
  • --collection-json: The collection details to update in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
  • --collection-pvschema: The collection details to update in PVSchema format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
  • --pvschema: Returns the collection in PVSchema format.(Optional)
  • --show-builtins: Shows the built-in properties in the response.(Optional)
  • --name, --collection, -c, -n: The collection NAME.[Required]

Apply collection

Adds properties to a collection or creates a new collection if the collection is not found. This command may take a long time to complete.

The default response to this command is a PVSchema for the collections and properties added.

pvault collection apply [ --collection-json=value ] [ --collection-pvschema=value ] [ --pvschema ] [ --show-builtins ] { --name | --collection | -c | -n=NAME }
  • --collection-json: The collection details to apply in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
  • --collection-pvschema: The collection details to apply in PVSchema format. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
  • --pvschema: Returns the collection in PVSchema format.(Optional)
  • --show-builtins: Shows the built-in properties in the response.(Optional)
  • --name, --collection, -c, -n: The collection NAME.[Required]

Delete collection

Deletes a collection.

pvault collection delete [ --force | -f ] { --name | --collection | -c | -n=NAME }
  • --force, -f: Ignores interactive protection.(Optional)
  • --name, --collection, -c, -n: The collection NAME.[Required]

Collection // Property

List collection properties

Lists all the properties of a collection.

pvault collection property list [ --show-builtins ] { --collection | -c=COLLECTION }
  • --show-builtins: Shows the built-in properties in the response.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Get collection property

Gets a property of a collection.

pvault collection property get { --name | -n=value } { --collection | -c=COLLECTION }
  • --name, -n: The property name.[Required]
  • --collection, -c: The COLLECTION name.[Required]

Add collection property

Adds a property to a collection.

pvault collection property add [ --prop | -p=value ] [ --name | -n=value ] [ --description=value ] [ --pii-type-name=value ] [ --is-unique ] [ --is-index ] [ --is-not-encrypted ] [ --is-nullable ] { --collection | -c=COLLECTION }
  • --prop, -p: The property to add in JSON format. Must be provided if --name isn't provided. See the Add collection property REST API for the specification of the JSON format. To use a file path prefix with '@' or to use stdin use '-'.(Optional)
  • --name, -n: The property name. Must be unique. Must be provided if --prop isn't provided. (Optional)
  • --description: The property description.(Optional)
  • --pii-type-name: The property data type name. Must be provided if --name is provided.(Optional)
  • --is-unique: Whether the property value is unique on each object.(Optional)
  • --is-index: Whether the property is indexed.(Optional)
  • --is-not-encrypted: Whether the property is not encrypted.(Optional)
  • --is-nullable: Whether the property is nullable. When the collection contains objects, only nullable properties can be added to the collection.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Update collection property

Update a property of a collection. This command may take a long time to complete.

pvault collection property update [ --prop | -p=value ] [ --name | -n=value ] [ --description=value ] [ --is-index ] { --collection | -c=COLLECTION }
  • --prop, -p: The property to update in JSON format. Must be provided if --name isn't provided. See the REST API Update collection property operation for the specification of the JSON format. To use a file path prefix with '@' or to use stdin use '-'.(Optional)
  • --name, -n: The property name. Must be unique. Must be provided if --prop isn't provided. (Optional)
  • --description: The property description.(Optional)
  • --is-index: Whether the property is indexed.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Delete collection property

Deletes a property from a collection.

Any values stored against the property in objects are also deleted. This operation is irreversible.

pvault collection property delete { --name | -n=value } { --collection | -c=COLLECTION }
  • --name, -n: The property name.[Required]
  • --collection, -c: The COLLECTION name.[Required]

Bundle

List bundles

Lists the names of all bundles.

pvault bundle list

Get bundle

Gets a bundle and its code.

pvault bundle get { --name | -n=value } [ --dump-code ]
  • --name, -n: The name of the bundle.[Required]
  • --dump-code: Dump the bundle code to stdout.(Optional)

Add bundle

Adds a bundle.

pvault bundle add { --name | -n=value } [ --description=value ] [ --bundle-code=value ] [ --bundle-template=value ]
  • --name, -n: The name of the bundle.[Required]
  • --description: The bundle description.(Optional)
  • --bundle-code: The JavaScript code. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)
  • --bundle-template: The bundle template to use. A template provides an example bundle. Supported values are: sample.(Optional)

Update bundle

Updates a bundle.

pvault bundle update { --name | -n=value } [ --description=value ] [ --bundle-code=value ]
  • --name, -n: The name of the bundle.[Required]
  • --description: The new bundle description.(Optional)
  • --bundle-code: The new JavaScript code. To read from a file path prefix with '@' or to use stdin use '-'.(Optional)

Delete bundle

Deletes a bundle. By default, a bundle is not deleted if a data type references it. To delete a referenced bundle, set the --force flag.

pvault bundle delete { --name | -n=value } [ --force ]
  • --name, -n: The name of the bundle.[Required]
  • --force: Whether to delete the bundle even if it is referenced by a data type that is in use. A data type that is in use is one that is used by a property in a collection.(Optional)

Datatype

List data types

Lists all data types.

pvault datatype list [ --show-builtins ] [ --bundle=value ]
  • --show-builtins: Whether to show built-in types.(Optional)
  • --bundle: If provided, return only types that depend on the bundle with the specified name.(Optional)

Get data type

Gets a data type.

pvault datatype get { --name | -n=value }
  • --name, -n: The name of the data type.[Required]

Add data type

Adds a data type.

pvault datatype add --datatype-json=value
  • --datatype-json: The data type details in JSON format. To read from a file path prefix with '@' or to use stdin use '-'.[Required]

Delete data type

Deletes a data type. Referenced bundles are not deleted by this command; use Delete bundle to remove any redundant bundles.

pvault datatype delete { --name | -n=value }
  • --name, -n: The name of the data type.[Required]

Object

Add an object

Adds an object to a collection.

pvault object add --fields=value [ --expiration-secs=value ] [ --no-expiration ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --fields: The object details in JSON format. To use a file path prefix with '@' or to use stdin use '-'.[Required]
  • --expiration-secs: The expiration time in seconds for the object. If not set, the default is used.(Optional)
  • --no-expiration: The object doesn't expire.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Update an object

Updates an object of a collection.

pvault object update { --id | -i=value } --fields=value [ --expiration-secs=value ] [ --no-expiration ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --id, -i: The ID of the object to update.[Required]
  • --fields: The object details in JSON format. To use a file path prefix with '@' or to use stdin use '-'.[Required]
  • --expiration-secs: Expiration time in seconds for the object. If not set, the expiration time in seconds is not changed.(Optional)
  • --no-expiration: The object doesn't expire.(Optional)
  • --archived: Returns only archived objects.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Get objects

Gets details of objects in a collection.

pvault object get { --id | -i=value } [ --props | -p=value ] [ --all-unsafe | -a ] [ --show-builtins ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --id, -i: A comma-delimited list of object IDs.[Required]
  • --props, -p: Comma-delimited list of property names and transformations to return.(Optional)
  • --all-unsafe, -a: Returns all properties of the object.(Optional)
  • --show-builtins: Shows the built-in properties in the response.(Optional)
  • --archived: Returns only archived objects.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Search objects

Returns a paginated list of objects in a collection by query.

pvault object query [ --in=value ] [ --match=value ] [ --query-json=value ] [ --props | -p=value ] [ --all-unsafe | -a ] [ --cursor=value ] [ --page-size=100 ] [ --show-builtins ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --in: Equal sign delimiter for property name and array of possible values in the form of property=value1, value2. Accepts multiple inputs. (Optional)
  • --match: Equal sign delimiter for property name and searched value in the form of property=value. Accepts multiple inputs. (Optional)
  • --query-json: The query in JSON format. To use a file path prefix with '@' or to use stdin use '-'.(Optional)
  • --props, -p: Comma-delimited list of property names and transformations to return.(Optional)
  • --all-unsafe, -a: Returns all properties for the object.(Optional)
  • --cursor: The cursor returned by the previous call or an empty string for the first call.(Optional)
  • --page-size: The maximum number of items to be returned in the call.(Default: 100)
  • --show-builtins: Shows the built-in properties in the response.(Optional)
  • --archived: Returns only archived objects.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

List all objects

Returns a paginated list of all objects from a collection with all or a subset of object property values.

pvault object list [ --props | -p=value ] [ --all-unsafe | -a ] [ --cursor=value ] [ --page-size=100 ] [ --show-builtins ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --props, -p: Comma-delimited list of property names and transformations to return.(Optional)
  • --all-unsafe, -a: Returns all properties for the object.(Optional)
  • --cursor: Reference to the next page for a subsequent call with the same request parameters. An empty string for the first call.(Optional)
  • --page-size: The maximum number of items to return in the call.(Default: 100)
  • --show-builtins: Shows the built-in properties in the response.(Optional)
  • --archived: Returns only archived objects.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Delete an object

Deletes an object from a collection.

pvault object delete { --id | -i=value } [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --id, -i: The ID of the object to delete.[Required]
  • --archived: Whether to delete archived objects or active objects.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Archive an object

Archives an object by forcing it to expire immediately.

pvault object archive { --id | -i=value } [ --reload-cache ] { --collection | -c=COLLECTION }
  • --id, -i: The ID of the object to archive.[Required]
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Restore an archived object

Restores an object by changing its expiration to a time in the future.

pvault object restore { --id | -i=value } [ --expiration-secs=value ] [ --no-expiration ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --id, -i: The ID of the object to restore.[Required]
  • --expiration-secs: The expiration time in seconds for the object. If not set, the default is used.(Optional)
  • --no-expiration: The object doesn't expire.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Get a blob

Gets the value of a BLOB property of an object and saves it to a file.

pvault object get-blob { --id | -i=value } { --prop | -p=value } --blob-file=value [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --id, -i: The ID of the object to get.[Required]
  • --prop, -p: The property name of the blob.[Required]
  • --blob-file: The path to save the blob.[Required]
  • --archived: Returns only archived objects.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Update a blob

Updates the value of a BLOB property of an object from a file.

pvault object update-blob { --id | -i=value } { --prop | -p=value } --blob-file=value [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --id, -i: The ID of the object to update.[Required]
  • --prop, -p: The property name of the blob.[Required]
  • --blob-file: The path of the blob to update.[Required]
  • --archived: Returns only archived objects.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Token

Tokenize

Creates tokens that reference the values of objects' properties. The returned list of token IDs is in the same order as the object IDs in the request. If any of the object IDs are invalid or not found, no tokens are produced.

pvault token create [ --object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --props | -p=value ] --type=value [ --expiration-secs=value ] [ --no-expiration ] [ --scope=default ] [ --tag=value ] [ --fptemplate=value ] [ --fpprops=value ] [ --transaction-id=value ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --object-id: Comma-separated list of object IDs. Cannot be used with --object-fields or --ciphertext. Accepts multiple inputs. (Optional)
  • --object-fields: Object fields in JSON format. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with --object-id or --ciphertext.(Optional)
  • --ciphertext: The ciphertext of the encrypted object. Cannot be used with --object-id or --object-fields.(Optional)
  • --encryption-scope: The scope used to encrypt the object.(Default: default)
  • --props, -p: Comma-separated list of property names. If not specified, all of the non-builtin properties are used. Accepts multiple inputs. (Optional)
  • --type: The type of the tokens. Options: pci, pci_oneway, pointer, randomized or deterministic.[Required]
  • --expiration-secs: The expiration time in seconds for the tokens. If not set, the default is used.(Optional)
  • --no-expiration: The tokens don't expire.(Optional)
  • --scope: A classification for the tokens.(Default: default)
  • --tag: Comma-separated list of tags to attach to the tokens. Accepts multiple inputs. (Optional)
  • --fptemplate: Format preserve template to use to generate the token IDs.(Optional)
  • --fpprops: Property names to be used by the format preserve template to generate the token IDs. Accepts multiple inputs. (Optional)
  • --transaction-id: An ID to attach to the tokens.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Detokenize

Returns the object property values for tokens. The detokenized tokens are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token detokenize [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --archived ] [ --include-metadata ] [ --props | -p=value ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --token-id, -t: Comma-separated list of token IDs. Accepts multiple inputs. (Optional)
  • --object-id: Comma-separated list of object IDs that own the tokens. Accepts multiple inputs. (Optional)
  • --tag: Comma-separated list of tags. Accepts multiple inputs. (Optional)
  • --archived: Whether to detokenize archived tokens or active tokens.(Optional)
  • --include-metadata: Whether to include the metadata of the token.(Optional)
  • --props, -p: Comma-separated list of property names. If not specified, return all properties. Accepts multiple inputs. (Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Search tokens

Gets tokens with their metadata. The listed tokens are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token info [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --token-id, -t: Comma-separated list of token IDs. Accepts multiple inputs. (Optional)
  • --object-id: Comma-separated list of object IDs that own the tokens. Accepts multiple inputs. (Optional)
  • --tag: Comma-separated list of tags. Accepts multiple inputs. (Optional)
  • --archived: Whether to return archived tokens or active tokens.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Update tokens

Updates tags and expiration token metadata. The tokens updated are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token update [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --new-tags=value ] [ --expiration-secs=value ] [ --no-expiration ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --token-id, -t: Comma-separated list of token IDs. Accepts multiple inputs. (Optional)
  • --object-id: Comma-separated list of object IDs that own the tokens. Accepts multiple inputs. (Optional)
  • --tag: Comma-separated list of tags. Accepts multiple inputs. (Optional)
  • --new-tags: Comma-separated list of tags. Accepts multiple inputs. (Optional)
  • --expiration-secs: The expiration time in seconds for the tokens. If not set, the expiry dates of the tokens are not changed.(Optional)
  • --no-expiration: The tokens don't expire.(Optional)
  • --archived: Whether to update archived tokens or active tokens.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Rotate tokens

Generates new token IDs for tokens. The tokens rotated are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token rotate { --token-id | -t=value } [ --reload-cache ] { --collection | -c=COLLECTION }
  • --token-id, -t: Comma-separated list of token IDs. Accepts multiple inputs. [Required]
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Delete tokens

Deletes tokens. The tokens deleted are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token delete [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --token-id, -t: Comma-separated list of token IDs. Accepts multiple inputs. (Optional)
  • --object-id: Comma-separated list of object IDs that own the tokens. Accepts multiple inputs. (Optional)
  • --tag: Comma-separated list of tags. Accepts multiple inputs. (Optional)
  • --archived: Whether to delete archived tokens or active tokens.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Archive tokens

Archives tokens. The tokens archived are those that match all the criteria in --token-id or -t, --object-id, and --tag.

pvault token archive [ --token-id | -t=value ] [ --object-id=value ] [ --tag=value ] { --collection | -c=COLLECTION }
  • --token-id, -t: Comma-separated list of token IDs. Accepts multiple inputs. (Optional)
  • --object-id: Comma-separated list of object IDs that own the tokens. Accepts multiple inputs. (Optional)
  • --tag: Comma-separated list of tags. Accepts multiple inputs. (Optional)
  • --collection, -c: The COLLECTION name.[Required]

Restore tokens

Restores tokens. The tokens restored are those that match the --token-id or -t options.

pvault token restore [ --token-id | -t=value ] [ --expiration-secs=value ] [ --no-expiration ] { --collection | -c=COLLECTION }
  • --token-id, -t: Comma-separated list of token IDs. Accepts multiple inputs. (Optional)
  • --expiration-secs: The new expiration time in seconds for the token(s).(Optional)
  • --no-expiration: The token doesn't expire.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Get by transaction ID

Gets the token IDs for a transaction ID, an arbitrary identifier provided during tokenization.

pvault token get-by-transaction-id { --id | -i=TRANSACTION ID } { --collection | -c=COLLECTION }
  • --id, -i: The TRANSACTION ID to return token IDs for.[Required]
  • --collection, -c: The COLLECTION name.[Required]

Crypto

Encrypt fields from objects or input fields

Encrypt fields from objects or input fields.

pvault crypto encrypt [ --object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --type=value ] [ --scope=default ] [ --props | -p=value ] [ --expiration-secs=value ] [ --no-expiration ] [ --tag=value ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --object-id: Comma-separated list of object IDs. Cannot be used with --object-fields or --ciphertext. Accepts multiple inputs. (Optional)
  • --object-fields: Object fields in JSON format. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with --object-id or --ciphertext.(Optional)
  • --ciphertext: The ciphertext of the encrypted object. Cannot be used with --object-id or --object-fields.(Optional)
  • --encryption-scope: The scope used to encrypt the object.(Default: default)
  • --type: The type of the encryption. Options: randomized or deterministic.(Optional)
  • --scope: A classification for the encryption.(Default: default)
  • --props, -p: Comma-separated list of property names. If not specified, all of the non-builtin properties are used. Accepts multiple inputs. (Optional)
  • --expiration-secs: The expiration time in seconds for the encrypted objects. If not set, the default is used.(Optional)
  • --no-expiration: The encrypted objects don't expire.(Optional)
  • --tag: Comma-separated list of tags to attach to the encrypted object metadata. Accepts multiple inputs. (Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Decrypt fields blob

Returns the object property values for encrypted objects.

pvault crypto decrypt --ciphertext=value [ --encryption-scope=default ] [ --archived ] [ --include-metadata ] [ --props | -p=value ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --ciphertext: The ciphertext of encrypted object to decrypt.[Required]
  • --encryption-scope: The scope used to encrypt the object.(Default: default)
  • --archived: Whether to decrypt only archived encrypted objects. If not specified, decrypt only active encrypted objects.(Optional)
  • --include-metadata: Whether to show encrypted object metadata.(Optional)
  • --props, -p: Comma-separated list of property names. If not specified, return all properties. Accepts multiple inputs. (Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Update encrypted fields blob

Update encrypted fields blob.

pvault crypto update --ciphertext=value [ --encryption-scope=default ] --fields=value [ --type=value ] [ --props | -p=value ] [ --expiration-secs=value ] [ --no-expiration ] [ --archived ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --ciphertext: The ciphertext of encrypted object to update.[Required]
  • --encryption-scope: The scope used to encrypt the object.(Default: default)
  • --fields: Fields details to update in JSON format. To use a file path prefix with '@' or to use stdin use '-'.[Required]
  • --type: The type of the encryption. Options: randomized or deterministic.(Optional)
  • --props, -p: Comma-separated list of property names. If not specified, all of the non-builtin properties are used. Accepts multiple inputs. (Optional)
  • --expiration-secs: The expiration time in seconds for the encrypted object. If not set, the expiry date of the encrypted object is not changed.(Optional)
  • --no-expiration: The encrypted object doesn't expire.(Optional)
  • --archived: Whether to update only archived encrypted objects. If not specified, update only active encrypted objects.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Hash object

Returns a deterministic hash based on the collection name, object ID, property values, and scope. This command is similar to using the "deterministic" token type in the "Tokenize" command. The hash value is identical to the token ID that is provided for the same combination of collection, object, property values, and scope. However, unlike the token, this hash is not stored in Vault's storage and, as such, cannot be detokenized, searched, or invalidated.

pvault crypto hash [ --object-id=value ] [ --object-fields=value ] [ --ciphertext=value ] [ --encryption-scope=default ] [ --props | -p=value ] [ --scope=default ] [ --fptemplate=value ] [ --fpprops=value ] [ --reload-cache ] { --collection | -c=COLLECTION }
  • --object-id: Comma-separated list of object IDs. Cannot be used with --object-fields or --ciphertext. Accepts multiple inputs. (Optional)
  • --object-fields: Object fields in JSON format. To use a file path prefix with '@' or to use stdin use '-'. Cannot be used with --object-id or --ciphertext.(Optional)
  • --ciphertext: The ciphertext of the encrypted object. Cannot be used with --object-id or --object-fields.(Optional)
  • --encryption-scope: The scope used to encrypt the object.(Default: default)
  • --props, -p: Comma-separated list of property names. Accepts multiple inputs. (Optional)
  • --scope: A classification for the token.(Default: default)
  • --fptemplate: Format preserve template to use to generate the token IDs.(Optional)
  • --fpprops: Property names to be used by the format preserve template to generate the token IDs. Accepts multiple inputs. (Optional)
  • --reload-cache: Forces a cache reload.(Optional)
  • --collection, -c: The COLLECTION name.[Required]

Identity And Access Management

Get IAM configuration

Gets IAM configuration in TOML format.

pvault iam get

Set IAM configuration

Sets the IAM configuration.

pvault iam apply --conf=value
  • --conf: The configuration to apply in TOML format. To use a file path prefix with '@' or to use stdin use '-'.[Required]

Regenerate user API key

Regenerates a user's API key. The user's current key is invalidated.

pvault iam regen-api-key { --name | -n=value }
  • --name, -n: Username of the user to regenerate the API key for.[Required]

Get user capabilities and policies

Gets the capabilities and policies for a user.

pvault iam user-view { --name | -n=value }
  • --name, -n: The user name.[Required]

Get resource access details

Gets details of the users and associated reasons that can access a resource for an operation.

pvault iam resource-view --resource=value --operation=value
  • --resource: The resource.[Required]
  • --operation: The operation.[Required]

Dynamic Configuration

Get configuration variable

Get the value of a dynamic configuration variable.

pvault confvar get { --name | -n=value }
  • --name, -n: Name of the configuration variable. Supported names: log_level[Required]

Set configuration variable

Set the value of a dynamic configuration variable.

pvault confvar set { --name | -n=value } --value=value
  • --name, -n: Name of the configuration variable. Supported names: log_level. [Required]
  • --value: Value of the configuration variable. Supported values for log_level are: debug, info, warn, error. [Required]

Clear configuration variable

Clear the value of a dynamic configuration variable.

pvault confvar clear { --name | -n=value }
  • --name, -n: Name of the configuration variable. Supported names: log_level. [Required]

Clear all configuration variables

Clear the values of all dynamic configuration variables.

pvault confvar clear-all

Status

Get system status.

pvault status

System

Get cluster information on cache generations

pvault system cluster-info

Get vault info, including backing store

pvault system info

Admin

Rotate data encryption keys

pvault admin rotate-keys

Get system configuration

pvault admin get-configuration

Get license details

pvault admin get-license

Delete objects and tokens

Deletes objects and tokens that have been in the archived state for longer than the retention period. By default, this command is applied to both objects and tokens.

pvault admin gc [ --objects-only ] [ --tokens-only ] [ --transaction-ids-only ] [ --dry-run ] [ --force | -f ] [ --quiet ] [ --reload-cache ]
  • --objects-only: Prune archived objects only.(Optional)
  • --tokens-only: Prune archived tokens only.(Optional)
  • --transaction-ids-only: Prune dangling transaction IDs only.(Optional)
  • --dry-run: Return a count of objects and tokens eligible for deletion, without deleting them.(Optional)
  • --force, -f: Ignore interactive protection.(Optional)
  • --quiet: Suppress the printing of output. Can only be included when the --force flag is set.(Optional)
  • --reload-cache: Forces a cache reload.(Optional)

Version

Get the version of the Vault.

pvault version

Selftest

Run a performance suite

Run a performance benchmarking suite using a separate database collection. The given parameters control how the benchmarking suite is performed.

pvault selftest bench [ --par=1 ] [ --rate=0 ] [ --scale=1000 ] [ --duration=0 ] [ --middle-stage-duration=0 ] [ --read=0 ] [ --update=0 ] [ --token=0 ] [ --replace=0 ] [ --query=0 ] [ --sleep=0 ] [ --persisted=value ] [ --skip-recreate ] [ --html-output=value ] [ --term-output ] [ --columns=9 ]
  • --par: Goroutine parallelism: how many requests to perform in parallel. (Default: 1)
  • --rate: Optimistic target RPS. Set to 0 for no limit, to send requests as fast as possible. (Default: 0)
  • --scale: Scale multiple that controls the total amount of work and the dataset size. (Default: 1000)
  • --duration: Minimum duration, in minutes, for which to run the benchmark repeatedly. Set to 0 for a single execution. (Default: 0)
  • --middle-stage-duration: Number of seconds for the middle stage, where random operations are done (0 = no middle stage). (Default: 0)
  • --read: Weight of reads in the middle stage. (Default: 0)
  • --update: Weight of updates in the middle stage. (Default: 0)
  • --token: Weight of token operations in the middle stage. (Default: 0)
  • --replace: Weight of replace operations in the middle stage. (Default: 0)
  • --query: Weight of queries in the middle stage. (Default: 0)
  • --sleep: Number of seconds to sleep between executions. (Default: 0)
  • --persisted: Provide a shadow database file to the bench. When this file is provided, the final 'Delete' stage is replaced by saving the UUIDs of the created objects to the file. If the file already exists, the initial 'Add' stage is replaced by loading the UUIDs from the file. (Optional)
  • --skip-recreate: Skip recreation of the test collection and assume it already exists. (Optional)
  • --html-output: Issue an HTML report to this path. (Optional)
  • --term-output: Show term graphics depicting operations. (Optional)
  • --columns: Control the number of properties in the schema. (Default: 9)

Quick validation for a working Vault

pvault selftest basic [ --fail-on-warnings | -w ]
  • --fail-on-warnings, -w: Fail on check warnings(Optional)

Completions

Generate auto-completion script for bash

Generates a bash completion script for pvault-cli commands and flags. The script is output on stdout, enabling you to redirect it to a file that can be sourced by your terminal session or by your bash profile. Works only with the CLI binary.

pvault completions bash

Generate auto-completion script for zsh

Generates a zsh completion script for pvault-cli commands and flags. The script is output on stdout, enabling you to redirect it to a file that can be sourced in your terminal session or by your zsh profile. Works only with the CLI binary.

pvault completions zsh