TTL and Expiry
Managing time-limited access to secrets via leases.
TTL configuration
Vault uses leases to provide time-bounded access. Lease TTLs are expressed in seconds.
Create a lease
```http
POST /vault/v1/secrets/:id/leases
Authorization: Bearer <token>
Content-Type: application/json

{
  "secretId": "<secret_id>",
  "tenantId": "<tenant_uuid>",
  "ttlSeconds": 3600,
  "metadata": {}
}
```
Renewal
Renew a lease token:
```http
POST /vault/v1/leases/renew
Authorization: Bearer <token>
Content-Type: application/json

{
  "token": "<lease_token>",
  "ttlSeconds": 3600
}
```
Revoke a lease token:
```http
POST /vault/v1/leases/revoke
Authorization: Bearer <token>
Content-Type: application/json

{
  "token": "<lease_token>"
}
```
TTL limits
| Lease | Min TTL | Max TTL |
|---|---|---|
| Access lease | 60 seconds | 86,400 seconds |
Best practices
- Use the shortest practical TTL
- Enable auto-renewal for critical secrets
- Monitor expiry warnings
- Test rotation before expiry
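
As an added example (not part of the original documentation or any official client), the Python below validates `ttlSeconds` against the documented access-lease limits, decides when a held lease should be renewed, and builds the renew and revoke requests shown above without sending them. The host `vault.example.invalid`, the two-thirds renewal point, tracking expiry from the client's own clock, and all function and class names are assumptions.

```python
import json
import urllib.request
from dataclasses import dataclass

MIN_TTL, MAX_TTL = 60, 86_400               # access-lease limits from the TTL limits table
BASE_URL = "https://vault.example.invalid"  # placeholder host (assumption)


def validate_ttl(ttl_seconds):
    """Reject TTLs outside the documented range before any request is built."""
    if isinstance(ttl_seconds, bool) or not isinstance(ttl_seconds, int):
        raise TypeError("ttlSeconds must be an integer number of seconds")
    if not MIN_TTL <= ttl_seconds <= MAX_TTL:
        raise ValueError(f"ttlSeconds must be between {MIN_TTL} and {MAX_TTL}")
    return ttl_seconds


@dataclass
class Lease:
    token: str
    issued_at: float   # client clock when the lease was issued or last renewed (assumption)
    ttl_seconds: int

    def next_action(self, now, renew_fraction=2 / 3):
        """Return 'wait', 'renew' or 'expired' for the given client time."""
        age = now - self.issued_at
        if age >= self.ttl_seconds:
            return "expired"   # stop using the secret obtained under this lease
        if age >= self.ttl_seconds * renew_fraction:
            return "renew"     # renew early so a failed attempt can be retried
        return "wait"


def build_request(path, bearer, body):
    """Build (but do not send) a JSON POST with the headers the API expects."""
    return urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {bearer}",
                 "Content-Type": "application/json"},
    )


def renew_request(lease, bearer, ttl_seconds):
    body = {"token": lease.token, "ttlSeconds": validate_ttl(ttl_seconds)}
    return build_request("/vault/v1/leases/renew", bearer, body)


def revoke_request(lease, bearer):
    return build_request("/vault/v1/leases/revoke", bearer, {"token": lease.token})
```

Pass the returned `Request` to `urllib.request.urlopen` to send it, and call `revoke_request` as soon as a lease is no longer needed rather than waiting for it to expire.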