Get Key Versions - Get Key Versions
Retrieves a list of individual key versions with the same key name.
The full key identifier, attributes, and tags are provided in the response. This operation requires the keys/list permission.
GET {vaultBaseUrl}/keys/{key-name}/versions?api-version=2025-07-01GET {vaultBaseUrl}/keys/{key-name}/versions?api-version=2025-07-01&maxresults={maxresults}URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
key-name
|
path | True |
string |
The name of the key. |
|
vault
|
path | True |
string (uri) |
|
|
api-version
|
query | True |
string minLength: 1 |
The API version to use for this operation. |
|
maxresults
|
query |
integer (int32) minimum: 1maximum: 25 |
Maximum number of results to return in a page. If not specified the service will return up to 25 results. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
The request has succeeded. |
|
| Other Status Codes |
An unexpected error response. |
Security
OAuth2Auth
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| https://vault.azure.net/.default |
Examples
GetKeyVersions
Sample request
GET https://myvault.vault.azure.net//keys/listkeyversionstest/versions?api-version=2025-07-01&maxresults=1
Sample response
{
"value": [
{
"kid": "https://myvault.vault.azure.net/keys/listkeyversionstest/7c9dc6775d0e4177827c4f98f482fc12",
"attributes": {
"enabled": true,
"created": 1493937851,
"updated": 1493937851,
"recoveryLevel": "Recoverable+Purgeable"
}
}
],
"nextLink": "https://myvault.vault.azure.net:443/keys/listkeyversionstest/versions?api-version=7.2&$skiptoken=eyJOZXh0TWFya2VyIjoiMiExMzYhTURBd01EVTJJV3RsZVM5TVNWTlVTMFZaVmtWU1UwbFBUbE5VUlZOVUwwRXdPRUZDUVVVNE1UZ3pNalF5TVRsQ05EUXpPREZFTWpoRVJURkdSVEJESVRBd01EQXlPQ0U1T1RrNUxURXlMVE14VkRJek9qVTVPalU1TGprNU9UazVPVGxhSVEtLSIsIlRhcmdldExvY2F0aW9uIjowfQ&maxresults=1"
}Definitions
| Name | Description |
|---|---|
|
Deletion |
Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval. |
| Error | |
|
Key |
The key attestation information. |
|
Key |
The attributes of a key managed by the key vault service. |
|
Key |
The key item containing key metadata. |
|
Key |
The key list result. |
|
Key |
The key vault error exception. |
DeletionRecoveryLevel
Reflects the deletion recovery level currently in effect for certificates in the current vault. If it contains 'Purgeable', the certificate can be permanently deleted by a privileged user; otherwise, only the system can purge the certificate, at the end of the retention interval.
| Value | Description |
|---|---|
| Purgeable |
Denotes a vault state in which deletion is an irreversible operation, without the possibility for recovery. This level corresponds to no protection being available against a Delete operation; the data is irretrievably lost upon accepting a Delete operation at the entity level or higher (vault, resource group, subscription etc.) |
| Recoverable+Purgeable |
Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval (90 days), unless a Purge operation is requested, or the subscription is cancelled. System wil permanently delete it after 90 days, if not recovered |
| Recoverable |
Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge). This level guarantees the recoverability of the deleted entity during the retention interval(90 days) and while the subscription is still available. System wil permanently delete it after 90 days, if not recovered |
| Recoverable+ProtectedSubscription |
Denotes a vault and subscription state in which deletion is recoverable within retention interval (90 days), immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled. System wil permanently delete it after 90 days, if not recovered |
| CustomizedRecoverable+Purgeable |
Denotes a vault state in which deletion is recoverable, and which also permits immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90). This level guarantees the recoverability of the deleted entity during the retention interval, unless a Purge operation is requested, or the subscription is cancelled. |
| CustomizedRecoverable |
Denotes a vault state in which deletion is recoverable without the possibility for immediate and permanent deletion (i.e. purge when 7 <= SoftDeleteRetentionInDays < 90).This level guarantees the recoverability of the deleted entity during the retention interval and while the subscription is still available. |
| CustomizedRecoverable+ProtectedSubscription |
Denotes a vault and subscription state in which deletion is recoverable, immediate and permanent deletion (i.e. purge) is not permitted, and in which the subscription itself cannot be permanently canceled when 7 <= SoftDeleteRetentionInDays < 90. This level guarantees the recoverability of the deleted entity during the retention interval, and also reflects the fact that the subscription itself cannot be cancelled. |
Error
| Name | Type | Description |
|---|---|---|
| code |
string |
The error code. |
| innererror |
The key vault server error. |
|
| message |
string |
The error message. |
KeyAttestation
The key attestation information.
| Name | Type | Description |
|---|---|---|
| certificatePemFile |
string (base64url) |
A base64url-encoded string containing certificates in PEM format, used for attestation validation. |
| privateKeyAttestation |
string (base64url) |
The attestation blob bytes encoded as base64url string corresponding to a private key. |
| publicKeyAttestation |
string (base64url) |
The attestation blob bytes encoded as base64url string corresponding to a public key in case of asymmetric key. |
| version |
string |
The version of the attestation. |
KeyAttributes
The attributes of a key managed by the key vault service.
| Name | Type | Description |
|---|---|---|
| attestation |
The key or key version attestation information. |
|
| created |
integer (unixtime) |
Creation time in UTC. |
| enabled |
boolean |
Determines whether the object is enabled. |
| exp |
integer (unixtime) |
Expiry date in UTC. |
| exportable |
boolean |
Indicates if the private key can be exported. Release policy must be provided when creating the first version of an exportable key. |
| hsmPlatform |
string |
The underlying HSM Platform. |
| nbf |
integer (unixtime) |
Not before date in UTC. |
| recoverableDays |
integer (int32) |
softDelete data retention days. Value should be >=7 and <=90 when softDelete enabled, otherwise 0. |
| recoveryLevel |
Reflects the deletion recovery level currently in effect for keys in the current vault. If it contains 'Purgeable' the key can be permanently deleted by a privileged user; otherwise, only the system can purge the key, at the end of the retention interval. |
|
| updated |
integer (unixtime) |
Last updated time in UTC. |
KeyItem
The key item containing key metadata.
| Name | Type | Description |
|---|---|---|
| attributes |
The key management attributes. |
|
| kid |
string |
Key identifier. |
| managed |
boolean |
True if the key's lifetime is managed by key vault. If this is a key backing a certificate, then managed will be true. |
| tags |
object |
Application specific metadata in the form of key-value pairs. |
KeyListResult
The key list result.
| Name | Type | Description |
|---|---|---|
| nextLink |
string |
The URL to get the next set of keys. |
| value |
Key |
A response message containing a list of keys in the key vault along with a link to the next page of keys. |
KeyVaultError
The key vault error exception.
| Name | Type | Description |
|---|---|---|
| error |
The key vault server error. |