Vault Transit API - Creation of key during encryption

Hi all!

I’ve been testing this API from a fresh instance with the official Docker image, and when using the endpoint for encryption, if the key provided doesn’t exist, a new aes256-gcm96 key is created with the provided name. I can’t find any section in the documentation that refers to this behaviour. Could you point it out for me, please? Can it be changed to throw an error if the key doesn’t exist, or must I check if the key exists every time I encrypt/decrypt?


This endpoint encrypts the provided plaintext using the named key. This path supports the create and update policy capabilities as follows: if the user has the create capability for this endpoint in their policies, and the key does not exist, it will be upserted with default values (whether the key requires derivation depends on whether the context parameter is empty or not). If the user only has update capability and the key does not exist, an error will be returned.
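The capability distinction quoted above, shown as a pair of Vault policy fragments. This is an added example, not from the thread or the Vault docs; the `transit/` mount path and the key name `app-data` are assumptions.

```hcl
# Added example (not from this thread). Assumes the Transit secrets engine is
# mounted at "transit/" and that the application should only use a key named
# "app-data" that an operator created in advance.

# Weak: granting "create" on the encrypt path means a request naming a key
# that does not exist silently upserts a new aes256-gcm96 key under that name,
# so a typo in the key name yields ciphertext under an unmanaged key.
path "transit/encrypt/*" {
  capabilities = ["create", "update"]
}

# Corrected: "update" alone is enough to encrypt with an existing key, and a
# request for a non-existent key now fails with an error instead of creating
# one. Scoping the path to the expected key name also prevents use of any
# other key on the mount.
path "transit/encrypt/app-data" {
  capabilities = ["update"]
}
path "transit/decrypt/app-data" {
  capabilities = ["update"]
}
```

Key creation then stays with an operator role that holds `create` or `update` on `transit/keys/app-data`, separate from the application token.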

Thanks @maxb! I missed it.