Vault provides three primary interfaces for accessing secrets stored in a KV secrets engine: the CLI, the HTTP API, and the web-based UI. Each interface requires a valid Vault token, passed either via the VAULT_TOKEN environment variable (CLI), the X-Vault-Token request header (API), or through a browser login session (UI). The calling token must hold the appropriate ACL policy capability for the operation being performed: read or create to retrieve a secret, create to write a new one, and update to overwrite an existing one. The CLI uses the vault kv subcommand for KV-specific operations. To read a secret, use vault kv get -mount=secret creds, which returns both secret data and version metadata when KV v2 is in use. To write a secret, use vault kv put -mount=secret creds passcode=my-long-passcode. The -format flag (accepting table, json, or yaml) or the VAULT_FORMAT environment variable controls output format. To extract a single field, use -field=passcode. To read a specific version of a KV v2 secret, pass -version=2. The lower-level vault read and vault write commands also work and map directly to HTTP GET and POST requests, but vault kv get provides a more structured, version-aware output. The HTTP API follows REST conventions and requires the X-Vault-Token header on every request. For KV v2, the read path is GET /v1/:mount/data/:path with an optional ?version= query parameter. Writing uses POST /v1/:mount/data/:path with a JSON body containing a data map. Listing secrets requires the list capability on the /metadata/ path and uses LIST /v1/:mount/metadata/:path. For KV v1, the read path is simply GET /v1/secret/:path and write is POST /v1/secret/:path. The Vault UI is accessible at https://<vault-address>:8200/ui/ when the ui = true stanza is present in the server configuration. It provides a graphical interface for browsing mounted secrets engines, reading and writing key-value pairs, and viewing version history. The UI also includes a Web REPL that emulates CLI behavior against the Vault API directly from the browser. The UI automatically renews the session token at half its TTL during active use and stops renewal after three minutes of inactivity.
The vault kv get -mount=secret <path> command retrieves a secret from the KV engine and, for KV v2, also returns version metadata such as created_time, deletion_time, and version number.
The vault kv put -mount=secret <path> key=value command writes a secret, requiring the create capability if the key is new and the update capability if it already exists.
The HTTP API reads a KV v2 secret with GET /v1/:mount/data/:path and the X-Vault-Token header; the optional ?version= query parameter retrieves a specific version.
For KV v2, listing secrets requires the list capability on the /metadata/ path even when all other operations use the /data/ path.
Output format for both vault kv get and vault read can be controlled with the -format flag (table, json, yaml) or the VAULT_FORMAT environment variable.
The Vault UI is not enabled by default and requires ui = true in the server configuration; it runs on the same port as the Vault listener.