HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Vault
Vault Home

/sys/health

Restricted endpoint

Clients must call the API path from the root namespace.

The /sys/health endpoint is used to check the health status of Vault.

Read health information

This endpoint returns the health status of Vault. This matches the semantics of a Consul HTTP health check and provides a simple way to monitor the health of a Vault instance.

MethodPath
HEAD/sys/health
GET/sys/health

The default status codes are:

  • 200 if initialized, unsealed, and active
  • 429 if unsealed and standby
  • 472 if disaster recovery secondary (both active and standby nodes within the DR secondary)
  • 473 if performance standby
  • 474 if standby node but cannot connect to the active node
  • 501 if not initialized
  • 503 if sealed
  • 530 if removed

Note

In rare occasions such as during cluster instability, a node may return 429 even when it was part of a DR secondary (472) or a perf-standby (473). When configuring a Load Balancer based on health status API, it's important to recognize that a 429 indicates a standby node that doesn't process the request itself, read or write.

Parameters

  • standbyok (bool: false) – Specifies if being a standby should still return the active status code instead of the standby status code. This is useful when Vault is behind a non-configurable load balancer that just wants a 200-level response. This will not apply if the node is a performance standby.

  • perfstandbyok (bool: false) – Specifies if being a performance standby should still return the active status code instead of the performance standby status code. This is useful when Vault is behind a non-configurable load balancer that just wants a 200-level response.

  • activecode (int: 200) – Specifies the status code that should be returned for an active node.

  • standbycode (int: 429) – Specifies the status code that should be returned for a standby node.

  • drsecondarycode (int: 472) – Specifies the status code that should be returned for a DR secondary node.

  • haunhealthycode (int: 474) - Specifies the status code that should be returned when the node is a standby/performance standby node that cannot connect to the active node, so the node isn't able to be part of the high availability cluster.

  • performancestandbycode (int: 473) – Specifies the status code that should be returned for a performance standby node.

  • removedcode (int: 530) - Specifies the status code when the node has been removed from the HA cluster.

  • sealedcode (int: 503) – Specifies the status code that should be returned for a sealed node.

  • uninitcode (int: 501) – Specifies the status code that should be returned for a uninitialized node.

Sample request

$ curl \
    http://127.0.0.1:8200/v1/sys/health

Sample request to customize the status code being returned

$ curl -i https://127.0.0.1:8200/v1/sys/health\?drsecondarycode\=200

HTTP/2 200
cache-control: no-store
content-type: application/json
strict-transport-security: max-age=31536000; includeSubDomains
content-length: 364
date: Wed, 26 Jan 2022 09:21:13 GMT

Sample response - CE active node

{
  "clock_skew_ms": 0,
  "cluster_id": "995f749a-9bc3-fbe0-a185-ccba6999fc73",
  "cluster_name": "vault-cluster-e65c0563",
  "echo_duration_ms": 0,
  "enterprise": false,
  "initialized": true,
  "performance_standby": false,
  "replication_dr_mode": "disabled",
  "replication_performance_mode": "disabled",
  "sealed": false,
  "server_time_utc": 1709559327,
  "standby": false,
  "version": "1.16.0-rc2"
}

Sample response - CE standby node

{
  "clock_skew_ms": 0,
  "cluster_id": "78d0e173-090f-feae-f245-caa8f39287f6",
  "cluster_name": "vault-cluster-0f6e3348",
  "echo_duration_ms": 1,
  "enterprise": false,
  "ha_connection_healthy": true,
  "initialized": true,
  "last_request_forwarding_heartbeat_ms": 815,
  "performance_standby": false,
  "removed_from_cluster": false,
  "replication_dr_mode": "disabled",
  "replication_performance_mode": "disabled",
  "replication_primary_canary_age_ms": 0,
  "sealed": false,
  "server_time_utc": 1732544415,
  "standby": true,
  "version": "1.19.0-beta1"
}

Sample response - Enterprise active node

This response is only returned for a GET request.

Note: replication_performance_mode and replication_dr_mode reflect the state of the active node in the cluster; if you are querying it for a standby that has just come up, it may take time for the active node to inform the standby of its status.

{
  "clock_skew_ms": 0,
  "cluster_id": "e278ff10-60da-4248-0b0a-dd174d22172d",
  "cluster_name": "vault-cluster-88b4e092",
  "echo_duration_ms": 0,
  "enterprise": true,
  "initialized": true,
  "last_wal": 362,
  "license": {
    "expiry_time": "2024-08-03T23:59:59Z",
    "state": "autoloaded",
    "terminated": false
  },
  "performance_standby": false,
  "replication_dr_mode": "disabled",
  "replication_performance_mode": "disabled",
  "replication_primary_canary_age_ms": 0,
  "sealed": false,
  "server_time_utc": 1709558830,
  "standby": false,
  "version": "1.17.0-beta1+ent"

}
Edit this page on GitHub