Executing vault unwrap

Hi everyone,
I struggle to replicate the commands in this documentation

vault login 848f9ccf-7176-098c-5e2b-75a0689d41cd
vault unwrap

Basically, I should be able to log in and then run “vault unwrap”, which will unwrap the data inside the current token. What does that mean? How can I have wrapped data for a token?
Can I get more detailed examples?


Wrapping provides a powerful mechanism for information sharing. A wrapped item can only be unwrapped once, which allows you to share a secret and confirm that it was not intercepted along the way.

Store data in the KV engine:

$ vault kv put kv/example hello=world

Pull the KV data stored at kv/example, and wrap the response for 8h:

$ vault kv get -wrap-ttl=8h kv/example
Key                              Value
---                              -----
wrapping_token:                  hvs.CAESID4FTgVi7pv0zURONdTPSY3L1JgXm2wFGzrVnX5CRDq7Gh4KHGh2cy5NY0U5OU9mQ3VKbjVGZW91OTVtaWNzd04
wrapping_accessor:               nvoEbMvtkAG5szzC3DqBI0Dg
wrapping_token_ttl:              8h
wrapping_token_creation_time:    2024-04-04 06:17:30.600837821 -0700 PDT
wrapping_token_creation_path:    kv/data/example

Share the wrapping_token with an application or team member.
Then they would run:

$ vault unwrap hvs.CAESINRZ6_4n7V2CB3iHJEtkQKKhmN0Q2A1MbL1Cj2wZMeqrGh4KHGh2cy5Kc1dtZzRwMUhVUk11dTdOeFgxdW9xd2Y
Key         Value
---         -----
data        map[hello:world]
metadata    map[created_time:2024-04-04T13:17:16.461609106Z custom_metadata:<nil> deletion_time: destroyed:false version:1]

If a third party intercepted the message a few hours later and tried to unwrap the data, it would fail, as a wrapped token is single use only.

$ vault unwrap hvs.CAESINRZ6_4n7V2CB3iHJEtkQKKhmN0Q2A1MbL1Cj2wZMeqrGh4KHGh2cy5Kc1dtZzRwMUhVUk11dTdOeFgxdW9xd2Y

Error unwrapping: Error making API request.
URL: PUT http://localhost:8200/v1/sys/wrapping/unwrap
Code: 400. Errors:
* wrapping token is not valid or does not exist

Additionally, you can wrap data not stored in Vault.

$ echo "hello world" > message.txt

$ vault write sys/wrapping/wrap data=@message.txt
Key                              Value
---                              -----
wrapping_token:                  hvs.CAESIGeYasTiBSgNkc64hW0gwcccwcwgfyfBDEvcWMz35TcuGh4KHGh2cy5HMm9JcXlGak5LNlZSZUNmd0FBcTNsQTI
wrapping_accessor:               y4LzsMz3j6BXEA187tacJBqf
wrapping_token_ttl:              5m
wrapping_token_creation_time:    2024-04-04 06:44:25.154337465 -0700 PDT
wrapping_token_creation_path:    sys/wrapping/wrap

$ vault unwrap hvs.CAESIGeYasTiBSgNkc64hW0gwcccwcwgfyfBDEvcWMz35TcuGh4KHGh2cy5HMm9JcXlGak5LNlZSZUNmd0FBcTNsQTI
Key     Value
---     -----
data    hello world
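
An added example, not part of the reply above and not HashiCorp's own code: a recipient-side wrapper that inspects the wrapping token with sys/wrapping/lookup (which does not consume it) and only then unwraps. The function name safe_unwrap and its return codes are hypothetical; kv/data/example is the creation path shown in the kv get output above.

```shell
#!/bin/sh
# Added example: verify a wrapping token before spending it.
# safe_unwrap and its return codes are illustrative, not part of the Vault CLI.
#
# Usage: safe_unwrap <wrapping_token> <expected_creation_path>
#   0 = unwrapped, 2 = token invalid/expired/already used, 3 = unexpected origin
safe_unwrap() {
    token=$1
    expected_path=$2

    # Lookup returns the token's creation_path without unwrapping it.
    # A failure here means the token expired or someone already unwrapped it,
    # which the recipient should report as a possible interception.
    path=$(vault write -field=creation_path sys/wrapping/lookup token="$token") || {
        echo "ALERT: wrapping token is not valid or was already unwrapped" >&2
        return 2
    }

    # A token wrapped at a different path than agreed (for example
    # sys/wrapping/wrap instead of kv/data/example) may carry substituted data.
    if [ "$path" != "$expected_path" ]; then
        echo "ALERT: token created at '$path', expected '$expected_path'" >&2
        return 3
    fi

    # Only now consume the single-use token.
    vault unwrap "$token"
}

# Example call, assuming VAULT_ADDR points at your server:
#   safe_unwrap "$WRAPPING_TOKEN" kv/data/example
```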

Thanks for the explanation.
My question was mostly about how I can log in with a wrapping token.
As the documentation states, I can run
vault login 848f9ccf-7176-098c-5e2b-75a0689d41cd
then execute
vault unwrap
Can I log in with a wrapping token? I ask because I tried and got a 403 error when trying to log in.