vault — lilu API

Overview

HashiCorp Vault HTTP client. Supports KV v1/v2, userpass authentication, and token lifecycle management (set, get, renew).

Functions

Name                   Signature
client:login           client:login(user, pass, mount) -> response, err
client:set_token       client:set_token(token) -> ok, err
client:get_token       client:get_token() -> token
client:get_valid_till  client:get_valid_till() -> timestamp
client:get_token_ttl   client:get_token_ttl(now) -> ttl
client:renew_token     client:renew_token() -> lease_duration, err
client:get_secret      client:get_secret(path, mount) -> data, err
client:list_secrets    client:list_secrets(path, mount) -> keys, err
client:healthy         client:healthy() -> ok, err
new                    new(vault_addr, token) -> client

client:login(user, pass, mount) -> response, err

Authenticate with Vault using the userpass method

Authenticates against the userpass auth method. The mount parameter defaults to auth/userpass. On success the client token is automatically stored and used for subsequent requests.

client:set_token(token) -> ok, err

Set the Vault token for authenticated requests

Sets the client token used in the X-Vault-Token header. When called without a token, falls back to the VAULT_TOKEN environment variable. Returns an error if neither is available.

client:get_token() -> token

Return the current Vault token

client:get_valid_till() -> timestamp

Return the token expiration timestamp

client:get_token_ttl(now) -> ttl

Return the remaining TTL of the current token in seconds

client:renew_token() -> lease_duration, err

Renew the current Vault token

client:get_secret(path, mount) -> data, err

Read a secret from Vault's KV store

Reads a secret from the KV secrets engine. The mount parameter defaults to secret. The KV version (v1 or v2) is auto-detected per mount and cached.

The path supports a path#field syntax to extract a single field from the secret data. For example, db/creds#password returns only the password field value instead of the full secret table.
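The following added example is not lilu's code: it is a Python sketch of what a KV read involves on v1 and v2 mounts in Vault's HTTP API, and of how a path#field suffix narrows the result to a single value. The function names (split_field, read_url, extract), the sample responses and the missing-field error are assumptions made for illustration, and the KV version is passed in explicitly rather than auto-detected.

```python
# Added illustration, not lilu's code: what a KV read has to do for v1 vs v2
# mounts, and how a path#field suffix narrows the result to one value.

# Constructed sample responses in the shape Vault's HTTP API returns.
V1_RESPONSE = {"data": {"username": "app", "password": "constructed-v1"}}
V2_RESPONSE = {"data": {"data": {"username": "app", "password": "constructed-v2"},
                        "metadata": {"version": 3}}}


def split_field(path):
    """'db/creds#password' -> ('db/creds', 'password'); field is None if absent."""
    base, sep, field = path.partition("#")
    if sep and not field:
        raise ValueError("empty field name after '#'")
    return base.strip("/"), (field if sep else None)


def read_url(addr, mount, path, kv_version):
    """KV v2 inserts 'data/' between the mount and the secret path; v1 does not."""
    base, _ = split_field(path)
    prefix = f"{mount}/data" if kv_version == 2 else mount
    return f"{addr.rstrip('/')}/v1/{prefix}/{base}"


def extract(response, path, kv_version):
    """Return (value, err): the whole secret table, or one field for path#field."""
    _, field = split_field(path)
    data = response.get("data") or {}
    if kv_version == 2:
        data = data.get("data") or {}  # v2 nests the secret beside 'metadata'
    if field is None:
        return data, None
    if field not in data:
        # Assumed behaviour: report the missing field without echoing other values.
        return None, f"field {field!r} not found"
    return data[field], None
```

Requesting a single field keeps the rest of the secret table out of the caller's variables and logs, which is the practical reason to prefer db/creds#password over reading the whole secret.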

client:list_secrets(path, mount) -> keys, err

List secret keys at the given path

client:healthy() -> ok, err

Check if Vault is initialized and unsealed

new(vault_addr, token) -> client

Create a new Vault client

Creates a new Vault client instance. The vault_addr parameter defaults to the VAULT_ADDR environment variable, or 127.0.0.1:8200 if unset. When a token is provided it is set on the client immediately via set_token.