Error 400 getting a specific secret

Using the API, we are receiving an HTTP 400 error response when fetching a specific secret. All other secrets are returned as expected…it is just this one that causes the 400 error to be returned…

https://{{VAULT_ADDRESS}}/v1/secret/data/prefixValue/problemValue/postfix1/postfix2

The problem exists for only one specific ‘problemValue’ in the URL.

Has anyone ever experienced this before?


Hello,
Could you also include the error content?

At first glance, it might be that the secret is in an inconsistent state and therefore not accessible. Are you able to read the secret’s value from the UI?

Something similar happened to me once, and I resolved it by creating a new secret version identical to the previous one.
Let me know if that works for you.

Thanks for looking at this…

The data response from the server is empty.

This is the response header…

HTTP/1.1 400 Bad Request
Date: Fri, 18 Apr 2025 13:04:38 GMT
Content-Length: 0

I am able to read the secret from both the Vault UI page and via the Vault CLI.

Adding a new version of the secret produced the same result.
Deleting and recreating the key also produced the same result.
Using Postman to fetch the secret also failed.

I am at a loss :frowning:

…wait a second…Postman is successfully fetching the secret! I think I am on to something…

Hey Chris, good to know!

While you’re running the tests, could you try the following:

  • Make the API call using curl with the verbose mode enabled (-v)
  • Try again via the CLI and UI
  • Check the audit logs for both the API call and the CLI/UI access.

My suspicion is that it might be a path-related issue—perhaps there’s a typo or some special characters involved?

Also, which Vault version are you using?

v1.14.0

I don’t think the client I am using supports the ‘-v’ option (the client is a curl wrapper).

I enabled the audit logs…the request is not being recorded in the logs. Other requests are (the request for the token is recorded), but not this one.

Wondering if this is a permission issue on this one key - I have Postman configured to use a specific token, and the client is fetching an ‘appRole’ token.

How fine are the permissions on keys in Vault - is it possible that a specific key has different access permissions than others?

I finally found out where the problem lies. The issue is with the ‘problemValue’ in the URL noted in the original post. The value that we were using appears in the debugger and text editors to be something like “1234-ABCDEFG”, but it appears that the actual value is ‘%EF%BB%BF1234-ABCDEFG’. I couldn’t see the BOM in either the debugger or a text editor. However, after I copied and pasted the entire URL from the debugger into a web browser address bar, the address bar exposed the BOM.

Thank you @gabriele-lombardi - you were dead on with ‘special characters involved’ in the path
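A check that surfaces this kind of invisible character before the request is sent, as an added example that is not part of the original thread or of any Vault client: it scans each path segment for zero-width and control characters and shows the percent-encoded form that goes on the wire. The function names and the address `vault.example.internal` are hypothetical, and the sample segment is constructed from the value quoted in the post.

```python
import unicodedata
from urllib.parse import quote

# Constructed sample: the thread's path segment with a leading U+FEFF (BOM).
SAMPLE_SEGMENT = "\ufeff1234-ABCDEFG"

# Unicode categories that render as nothing (or as a gap) in most editors:
# format chars (BOM, zero-width joiners), controls, line/paragraph separators.
_INVISIBLE = {"Cf", "Cc", "Zl", "Zp"}


def find_hidden_chars(segment):
    """Return (index, code point, name) for every invisible character."""
    hits = []
    for i, ch in enumerate(segment):
        cat = unicodedata.category(ch)
        # Zs covers no-break and other exotic spaces; a plain space is visible.
        if cat in _INVISIBLE or (cat == "Zs" and ch != " "):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def wire_form(segment):
    """Percent-encode a segment (UTF-8) as it appears in the request URL."""
    return quote(segment, safe="")


def build_secret_url(vault_addr, mount, *segments):
    """Build a read URL in the layout from the original post;
    reject any segment that carries hidden characters."""
    for seg in segments:
        hits = find_hidden_chars(seg)
        if hits:
            raise ValueError(f"hidden characters in {wire_form(seg)}: {hits}")
    path = "/".join(wire_form(s) for s in segments)
    return f"{vault_addr.rstrip('/')}/v1/{mount}/data/{path}"


if __name__ == "__main__":
    print(wire_form(SAMPLE_SEGMENT))
    print(find_hidden_chars(SAMPLE_SEGMENT))
    try:
        # vault.example.internal is a placeholder address (assumption).
        build_secret_url("https://vault.example.internal:8200", "secret",
                         "prefixValue", SAMPLE_SEGMENT, "postfix1", "postfix2")
    except ValueError as err:
        print("rejected:", err)
```

If the value is read from a UTF-8 file that may start with a BOM, decoding it with Python's `utf-8-sig` codec removes the BOM at the source.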

Hello Chris,
Great, I’m glad I was able to help you and that you managed to solve the issue :slight_smile: