Permanent CLI REST API serving


I’m looking to set up the CLI REST API as a permanent service, but I am not sure whether I understand how it works.

Is the CLI, including the serve function, only ever bound to a single account? I always need to login to an account before serving? And then explicitly unlock it using my master password in order to use the vault? Is there any automatic locking or logging out, or can I expect to be permanently logged in for as long as the client credentials remain unchanged? What about if the (self hosted) server is restarted?

When posting an “empty” unlock REST request I get an error mentioning use of environment variables, but the only way I have seen how to do that is using the CLI unlock command. Is it possible to use a environment variable for unlocking via REST?

I am also unable to unlock the vault using REST, at all. As far as I understand the documentation, I should be able to do something like this after having logged in using my API key credentials:

curl -X POST localhost:8087/unlock -d '{"password":"mymasterpassword"}' -H "Content-Type: application/json"

but that claims the provided password is invalid.

Figured out some of it. Don’t know what I was doing wrong with the unlocking.

As far as I can tell you can pass passwordFile and passwordEnv as query parameters to the unlock request in order to use either of those options.

Still interested in whatever timeout behavior is implemented, if any.