Get Key

Service:
Key Vault
API Version:
2016-10-01

Gets the public part of a stored key.

The GET operation is applicable to all key types; however only the public portion of a key stored in Azure Key Vault is returned. If the target key is symmetric, then no key material is released in the response.

See Common parameters and headers for headers and parameters that are used by all requests.

In your request:

  • Provide the name of the key to get using {key-name} in the request URL.
  • Adding the key-version parameter, …/keys/{key-name}/{key-version}…, retrieves a specific version of a key.

Request body: An HTTP GET has no request body.

For more information, see About keys, secrets, and certificates and Authentication, requests and responses.

GET https://{vaultBaseUrl}/keys/{key-name}/{key-version}?api-version={api-version}

URI Parameters

Name In Required Type Description
vaultBaseUrl
 path True
  • string

The vault name, for example https://myvault.vault.azure.net.
key-name
 path True
  • string

The name of the key to get.
key-version
 path True
  • string

Adding the version parameter retrieves a specific version of a key.
api-version
 query True
  • string

Use the latest service version, 2016-10-01.

Responses

Name Type Description
200 OK

A key bundle containing the key and its attributes.
Other Status Codes

Key Vault error response describing why the operation failed.

Definitions

Error

The key vault server error.
JsonWebKey

The Json web key.
KeyAttributes

The key management attributes.
KeyBundle
KeyVaultError

The key vault server error.

Name Type Description
code
  • string

The error code.
innererror
message
  • string

The error message.

The Json web key.

Name Type Description
crv
  • enum:
    • P-256
    • P-384
    • P-521
    • SECP256K1

Elliptic curve name. For valid values, see JsonWebKeyCurveName.
d
  • string
    base64url

RSA private exponent, or the D component of an EC private key.
dp
  • string
    base64url

RSA private key parameter.
dq
  • string
    base64url

RSA private key parameter.
e
  • string
    base64url

RSA public exponent.
k
  • string
    base64url

Symmetric key.
key_hsm
  • string
    base64url

HSM Token, used with 'Bring Your Own Key'.
key_ops
  • string[]

Supported key operations.
kid
  • string

Key identifier.
kty
  • enum:
    • EC
    • EC-HSM
    • RSA
    • RSA-HSM
    • oct

JsonWebKey key type (kty).
n
  • string
    base64url

RSA modulus.
p
  • string
    base64url

RSA secret prime.
q
  • string
    base64url

RSA secret prime, with p < q.
qi
  • string
    base64url

RSA private key parameter.
x
  • string
    base64url

X component of an EC public key.
y
  • string
    base64url

Y component of an EC public key.

The key management attributes.

Name Type Description
created
  • integer
    unixtime

Creation time in UTC.
enabled
  • boolean

Determines whether the object is enabled.
exp
  • integer
    unixtime

Expiry date in UTC.
nbf
  • integer
    unixtime

Not before date in UTC.
recoveryLevel
  • enum:
    • Purgeable
    • Recoverable+Purgeable
    • Recoverable
    • Recoverable+ProtectedSubscription

Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval.
updated
  • integer
    unixtime

Last updated time in UTC.
Name Type Description
attributes

The key management attributes.
key

The Json web key.
managed
  • boolean

True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true.
tags
  • <string, string>

Application specific metadata in the form of key-value pairs.
Name Type Description
error

The key vault server error.