HTTP API Structure
When authentication is enabled, a Consul token should be provided to API requests using the header or with the Bearer scheme in the authorization header. This reduces the probability of the token accidentally getting logged or exposed. When using authentication, clients should communicate via TLS. If you don’t provide a token in the request, then the agent default token will be used.
Below is an example using curl
with X-Consul-Token
.
Below is an example using curl
with Bearer scheme.
Previously this was provided via a query parameter. This functionality exists on many endpoints for backwards compatibility, but its use is highly discouraged, since it can show up in access logs as part of the URL.
Version Prefix
All API routes are prefixed with /v1/
. This documentation is only for the v1 API.
By default, the output of all HTTP API requests is minimized JSON. If the client passes pretty
on the query string, formatted JSON will be returned.
HTTP Methods
Consul’s API aims to be RESTful, although there are some exceptions. The API responds to the standard HTTP verbs GET, PUT, and DELETE. Each API method will clearly document the verb(s) it responds to and the generated response. The same path with different verbs may trigger different behavior. For example:
Even though these share a path, the PUT
operation creates a new key whereas the operation reads an existing key.
Consul 0.7 added the ability to translate addresses in HTTP response based on the configuration setting for translate_wan_addrs. In order to allow clients to know if address translation is in effect, the X-Consul-Translate-Addresses
header will be added if translation is enabled, and will have a value of true
. If translation is not enabled then this header will not be present.
Default ACL Policy
All API responses for Consul versions after 1.9 will include an HTTP response header set to either “allow” or “deny” which mirrors the current value of the agent’s acl.default_policy option.
This is also the default enforcement action if no intention matches.
This is returned even if ACLs are disabled.
These UUID-format strings are generated using high quality, purely random bytes. It is not intended to be RFC compliant, merely to use a well-understood string representation of a 128-bit value.