diff --git a/command/capabilities.go b/command/capabilities.go
index 0c637c37b6..17e8b59712 100644
--- a/command/capabilities.go
+++ b/command/capabilities.go
@@ -33,6 +33,10 @@ func (c *CapabilitiesCommand) Run(args []string) int {
 case len(args) == 2:
 token = args[0]
 path = args[1]
+ default:
+ flags.Usage()
+ c.Ui.Error(fmt.Sprintf("\ncapabilities expects at least one argument"))
+ return 1
 }
 client, err := c.Client()
@@ -67,12 +71,13 @@ func (c *CapabilitiesCommand) Help() string {
 Usage: vault capabilities [options] [token] path
 Fetch the capabilities of a token on a given path.
- If a token is provided to the command, API '/sys/capabilities' will be invoked
- with the given token; otherwise API '/sys/capabilities-self' will be invoked with
- the client token.
+ If a token is provided as an argument, '/sys/capabilities' endpoint will be invoked
+ with the given token; otherwise '/sys/capabilities-self' endpoing will be invoked
+ with the client token.
- Note that this command will respond with a ["deny"] capability if the given path
- is invalid.
+ If a token does not have any capability on a given path, or if any of the policies
+ belonging to the token explicitly had ["deny"] capability, or if the argument path
+ is invalid, this command will respond with a ["deny"].
 General Options:
diff --git a/website/source/docs/http/sys-capabilities-self.html.md b/website/source/docs/http/sys-capabilities-self.html.md
new file mode 100644
index 0000000000..df51ecfb97
--- /dev/null
+++ b/website/source/docs/http/sys-capabilities-self.html.md
@@ -0,0 +1,44 @@
+---
+layout: "http"
+page_title: "HTTP API: /sys/capabilities-self"
+sidebar_current: "docs-http-auth-capabilities-self"
+description: |-
+ The `/sys/capabilities-self` endpoint is used to fetch the capabilities of client token on a given path.
+---
+
+# /sys/capabilities-self
+
+## POST
+
+
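Review bot: The error text added in the `default:` branch of Run (command/capabilities.go) says "expects at least one argument", but judging by the visible `case len(args) == 2:` and the usage line `vault capabilities [options] [token] path`, the same branch presumably also catches three or more arguments, where that message is misleading. The `fmt.Sprintf` call has no format verbs and can be dropped, for example `c.Ui.Error("\ncapabilities expects one or two arguments")`. The switch starts above the hunk, so the earlier cases are inferred rather than seen. A test asserting that zero and three arguments both return 1 without reaching `c.Client()` would pin the new behaviour.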
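Review bot: The rewritten help text in Help() (command/capabilities.go) ships a typo in its second added line, `endpoing`; it should read `with the given token; otherwise '/sys/capabilities-self' endpoint will be invoked`. In the last paragraph `explicitly had ["deny"] capability` mixes tenses, and `explicitly has` reads better. Since the text now spells out that a token can be passed as a positional argument, a sentence noting that a token given this way may be recorded in shell history and shown in process listings, and that omitting it uses the client token, would be a useful caveat for operators. The help string continues past the end of the hunk.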
+
Description
+
+ Returns the capabilities of client token on the given path.
+ Client token is the Vault token with which this API call is made.
+ +
Method
+
POST
+ +
Parameters
+
+ +
+ +
Returns
+
+
+ ```javascript
+ {
+ "capabilities": ["read", "list"]
+ }
+ ```
+
+
+
diff --git a/website/source/docs/http/sys-capabilities.html.md b/website/source/docs/http/sys-capabilities.html.md
new file mode 100644
index 0000000000..fc2e7c5e63
--- /dev/null
+++ b/website/source/docs/http/sys-capabilities.html.md
@@ -0,0 +1,48 @@
+---
+layout: "http"
+page_title: "HTTP API: /sys/capabilities"
+sidebar_current: "docs-http-auth-capabilities"
+description: |-
+ The `/sys/capabilities` endpoint is used to fetch the capabilities of a token on a given path.
+---
+
+# /sys/capabilities
+
+## POST
+
+
+
Description
+
+ Returns the capabilities of the token on the given path. +
+ +
Method
+
POST
+ +
Parameters
+
+ +
+ +
Returns
+
+
+ ```javascript
+ {
+ "capabilities": ["read", "list"]
+ }
+ ```
+
+
+
diff --git a/website/source/layouts/http.erb b/website/source/layouts/http.erb index ee75b37f9c..b8ea3443e1 100644 --- a/website/source/layouts/http.erb +++ b/website/source/layouts/http.erb @@ -69,6 +69,14 @@ > /sys/policy + + > + /sys/capabilities + + + > + /sys/capabilities-self +